for a long time, it's been thought that restricted groups in a group policy would only perform a wipe and replace of members of a local group. let's dispel this myth. what seems to be fairly unknown is that restricted groups is capable of adding members to a group without removing the existing members. for instance, let's assume we have a group called MyGroupA that needs to be in the administrators group of a set of workstations. there are two methods we can do this. the first, you're probably familiar with, which is to replace anything in the administrators group with a new set of groups or users. where is this useful? if you want to make sure that any accounts that are mysteriously added to the local admins group are removed and replaced with your set of users/groups, use this method. i won't elaborate on this since this is fairly common and understood. the other method is adding users/groups to local admins without removing the users/groups that exist. back to MyGroupA. here's how to set it up.
- open up the group policy you want to effect
- under computer configuration, navigate to windows settings\security settings
- locate the restricted groups folder. right-click on the folder and choose add group...
- add in the group - domain\MyGroupA, for instance
- in the configure membership for
dialog, there are two panes. in the bottom pane labeled this group is a member of, click add
- type in administrators. click ok
- click ok to close the dialog