Thorbjorn is correct here. The challenge comes when you want to add a specific user on each machine?s local administrator group. That?s when Restricted Groups policy breaks down. In that case, the scripts that Jamie pointed to are your best bet. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Thorbjörn Sjövold Sent: Tuesday, June 12, 2007 8:44 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Add user to local administrators group Actually it is both possible to both mirror and add, the latter is done using the ?This group is a member of:? part of the Restricted Groups settings, but you have to select the groups in ?reverse? order, i.e. first the group you want to add and then where you want it, while in the normal case you select the group to manage and then who should be in it. So if you for example want to have Domains Admins added to the local Administrators group, you select Add Group? in the Restricted Groups node, then select Domain Admins from your domain and in the ?This group is a member of:? you select the Administrators group. Remember to select the local computer in the Object Picker when you browse for the local group. HTH, Thorbjörn Sjövold Special Operations Software <http://www.specopssoft.com> www.specopssoft.com thorbjorn.sjovold a t specopssoft.com Download our free tool for remote Gpupdate with graphical reporting, <http://www.specopssoft.com/products/specopsgpupdate/> http://www.specopssoft.com/products/specopsgpupdate/ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF Sent: den 12 juni 2007 16:22 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Add user to local administrators group Well, restricted groups policy can?t just ?add? someone to a group. Your local groups will mirror what is specified in the GPO. In some cases this is really handy because you may only want specific users/groups in there and Restricted Groups policy will remove any user/group that is not explicitly allowed. However, in your case, you only want to add someone, so you will probably need to make that change using a computer startup script. The following link has some VBScript samples that should give you a good start: http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/user sgroups/localgroups/ Regards, //signed// Jamie R Nelson Systems Engineer Ingenium Corporation _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Johnson, Matthew Sent: Tuesday, June 12, 2007 9:04 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Add user to local administrators group Can I use a GPO to add a user to the local administrators group on all our pc?s in our domain? I looked at the Restricted groups setting but I don?t know if this will work. We have a windows 2000 domain. Thanks for any help, Matthew Johnson CONFIDENTIALITY STATEMENT: This electronic message contains information from Fisher-Titus Medical Center and may be protected health information or other confidential and privileged information under law. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this message is prohibited. If you have received this electronic message in error, please notify the sender immediately by reply e-mail or telephone at 419/668-8101.