Q: How can we easily add a global administrator group named Research_Admins that's defined in Active Directory (AD) to the local Administrators group of a set of domain member machines? These member machines are already contained in a separate AD organizational unit (OU) named Research.
A: The easiest way to achieve this is by using Group Policy preferences. To set this up, follow these steps:
- Open the Group Policy Management Console (GPMC) and edit the Group Policy Object (GPO) that's linked to the Research OU.
- Navigate to Computer Configuration\Preferences\Control Panel Settings\Local User and Groups. In the GPMC menu, click Action, choose New, and select Local Group. This will bring up the New Local Group Properties dialog box.
- Select the Administrators (built-in) group from the Group name drop-down list in the New Local Group Properties dialog box.
- Click the Add button to bring up the Local Group Member dialog box. Click somewhere in the Name field and press F3. In the Select a Variable dialog box that appears, find and select the LogonDomain variable, click the Select button, then click OK. (Alternatively, instead of pressing F3 to bring up the Select a Variable dialog box, you can type %LogonDomain% in the Name field and click OK.) You should now see %LogonDomain%\Research_Admins listed in the Members section of the New Local Group Properties dialog box.
- Click Apply, then OK to apply your change.
For a good introduction to Group Policy preferences, take a look at the white paper "Group Policy Preferences Overview."