This tutorial will illustrate how to add an Active Directory group to the local Administrators group of one or more workstations using Restricted Groups via Group Policy. This can be useful for temporarily granting a user or group of users local administrative access to a workstation when a software update or installation requires those rights. Because the workstation's local Administrators group contains an AD group rather than individual users, you can grant and revoke the rights at will by managing that group's membership in Active Directory.
1. Create a new group in Active Directory
Create a new group in Active Directory that you wish to add to every workstation's local Administrators group. DO NOT add any users to this group at this time.
2. Create a new GPO
Create a new group policy object and link it to the desired OU. Make sure that the GPO is linked to the OU that contains the WORKSTATIONS over which you want to give users local administrative rights; this is a Computer Configuration setting, so it is the computer objects, not the user objects, that must fall under the GPO.
3. Edit the newly created GPO
Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups
4. Add your new Active Directory group to the Restricted Group
Right-click the Restricted Groups folder and select “Add Group” to add your new Active Directory group to the Restricted Groups list. In the Group field, type the name of the newly created Active Directory group and click “OK”.
5. Add the Restricted Group to the local administrator group
In the Restricted Group Properties window, click “Add” under the section titled “This group is a member of:”. Type “Administrators” (without the quotes, and yes, it is plural) in the Group Membership window and click “OK”.
6. Wait for GPO updates to apply to the workstations
Once the workstations receive the updated group policy settings, every workstation within the OU you specified will have your new Active Directory group as a member of its local Administrators group. If you need to force the GPO update on a specific workstation, run “gpupdate /force” in a command window on that workstation.
7. Add a user or group of users to the Active Directory Restricted Group
When you are ready, or in a position where you need to provide local workstation admin rights, simply add the user or group of users to the Active Directory group that you created for use with Restricted Groups, using Active Directory Users and Computers.
8. Remove the user or group of users from the AD restricted group
When the user or group of users no longer needs the local admin rights, simply remove the user(s) from the Active Directory group and have the user log off or reboot the workstation, since the group membership in their logon token is only refreshed at the next logon.
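The procedure above, carried out with PowerShell where a cmdlet exists, as an added example that is not part of the original tutorial. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that you hold rights to create groups and GPOs; the group name, GPO name, OU paths and user name are placeholders to adjust. Steps 3 to 5 (the Restricted Groups entry itself) have no public cmdlet and are still done in the Group Policy Management Editor as described above; the script covers creating the group and GPO, checking the result on a workstation, and granting, revoking and auditing the membership.

```powershell
# Added example, not part of the original tutorial. Placeholders below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'WS-LocalAdmins'                      # hypothetical AD group name
$GroupOU   = 'OU=Groups,DC=example,DC=com'         # placeholder: where the group object lives
$TargetOU  = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU that holds the workstations
$GpoName   = 'Restricted Groups - Local Admins'    # hypothetical GPO name

# Step 1: create the AD security group with no members.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description 'Members receive local Administrators membership via Restricted Groups'
}

# Step 2: create the GPO and link it to the OU containing the workstation objects.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}
# Steps 3-5: open this GPO in the Group Policy Management Editor and add $GroupName under
# Restricted Groups with "This group is a member of: Administrators" (no cmdlet for this).

# Step 6: run this on a workstation after policy refresh to confirm the membership landed.
function Test-LocalAdminMembership {
    param([string]$Group)
    $members = Get-LocalGroupMember -Group 'Administrators'
    $hit = $members | Where-Object { $_.ObjectClass -eq 'Group' -and $_.Name -like "*\$Group" }
    if ($hit) { "OK: $($hit.Name) is a member of the local Administrators group" }
    else      { "MISSING: $Group not present yet; run 'gpupdate /force' and re-check" }
}

# Step 7: grant rights by adding a user to the AD group, never to the workstation directly.
function Grant-WorkstationAdmin {
    param([string]$SamAccountName)
    Add-ADGroupMember -Identity $GroupName -Members $SamAccountName
}

# Step 8: revoke by removing the user; the change takes effect at the next logon/reboot.
function Revoke-WorkstationAdmin {
    param([string]$SamAccountName)
    Remove-ADGroupMember -Identity $GroupName -Members $SamAccountName -Confirm:$false
}

# Audit: who currently holds local admin on every workstation in the OU through this group.
function Get-WorkstationAdminHolders {
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Select-Object Name, SamAccountName, ObjectClass
}

# Example usage (placeholder user 'jdoe'):
Grant-WorkstationAdmin  -SamAccountName 'jdoe'
Get-WorkstationAdminHolders
Revoke-WorkstationAdmin -SamAccountName 'jdoe'
```

Two practical notes. First, the tutorial's choice of “This group is a member of” matters: that mode adds the AD group to the local Administrators group without touching its other members, whereas the “Members of this group” mode enforces an exact membership list and would strip any existing local administrators on every workstation in the OU. Second, because rights are granted by changing the AD group rather than the workstation, each grant and revoke is recorded on the domain controllers (for a global security group, event IDs 4728 and 4729), which gives you a single audit trail of who held local admin and when, and the periodic `Get-WorkstationAdminHolders` check catches members that were never removed.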