This article was previously published under Q320065
This article has been archived. It is offered "as is" and will no longer be updated.
This article describes how to create a global group so that it is a member of the local administrators group on all workstations and member servers by using group policy restricted groups.
It may be useful to allow certain users to automatically become local administrators on your Windows 2000-based workstations or member servers. To allow that type of access to a controlled set of users and computers by using a group policy:
Start Active Directory Users and Computers from any domain controller.
Create an organizational unit, and then move all of the appropriate workstations and member servers to that organizational unit.
Create a global group in that organizational unit, and then add the appropriate users to that group.
IMPORTANT: Complete the remaining steps from a Windows 2000-based member server or a Windows 2000 Professional-based workstation with the Adminpak installed.
Start Active Directory Users and Computers, right-click the organizational unit, and then click Properties.
Click the Group Policy tab, click NEW, and then name the policy.
Click the policy, and then click Edit.
Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group.
Click Browse. Focused on the local computer, click the group to which you want your global group to be a member (in this case, the "Administrators" group), click ADD, and then click OK. You are returned to the group policy and you see the administrators group listed in the Restricted Groups window.
Right-click the group, and then click Security.
To the right side of the Members of this Group box, click ADD, and then click Browse.
Locate the group in the organizational unit that you want to place in the administrators group, and then add it the group. After you do so, close the group policy.
At a command prompt, type secedit /refreshpolicy machine_policy /enforce, and then press ENTER.
NOTE: From any of the workstations or member servers in that organizational unit, you can view the local groups and see that the global group is a member of the administrators local group.