Restricted Group - GPO

Hey All,


I want the Domain Admins group to be a member of the local admin group on all user computers.

I thought of doing this through the Restricted Group section in GPO. I modified the Default Domain Policy: under Computer Configuration -> Security Settings -> Restricted Group, I added Domain Admins as a member of the Administrators group.

After a few minutes, all the members in the "Domain Admins" group were automatically removed and I totally lost control of my AD infra.

Luckily I have another account which has modify permission on the Domain Admin group, through which I manually added the members again and got control back.

Any idea why this happened?

Regards,

Prasanna


  • Edited by Parsapd 2 hours 33 minutes ago Picture Uploaded
July 18th, 2015 11:47am

Hi

When you edit the restricted GPO, you could select "This group is a member of" and add the group; otherwise, if you selected "Members of this group", this removes other groups.

Please check these example settings:

https://wiki.samba.org/index.php/Modifying_local_groups_using_GPO_restricted_groups

Note: I added this link because it shows the steps with pictures.

July 18th, 2015 1:05pm
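The difference between the two boxes described in the answer above can be checked in the policy's security template before the GPO is linked. This is an added example, not part of the original thread: it assumes the Restricted Groups settings are read from the GPO's GptTmpl.inf, where the `[Group Membership]` section holds one `__Members` and one `__Memberof` line per group. The SIDs in the sample are constructed, and the REPLACE/ADD labels follow the behaviour the answer describes.

```python
import re

# Constructed sample of a GptTmpl.inf file; the domain SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
"""

# "<group>__Members = a,b" or "<group>__Memberof = a,b"
ENTRY = re.compile(r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<values>.*)$", re.I)

def parse_group_membership(inf_text):
    """Return {group: {"members": [...] or None, "memberof": [...] or None}}."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only lines inside [Group Membership] describe Restricted Groups.
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        values = [v.strip() for v in m["values"].split(",") if v.strip()]
        entry = groups.setdefault(m["group"], {"members": None, "memberof": None})
        entry[m["kind"].lower()] = values
    return groups

def classify(entry):
    """Label an entry by which of the two Restricted Groups boxes carries values."""
    if entry["members"]:
        return "REPLACE"  # "Members of this group": anything not listed is removed
    if entry["memberof"]:
        return "ADD"      # "This group is a member of": group is added to the parents
    return "REVIEW"       # neither box has values; check this entry by hand

def audit(inf_text):
    """Map every group in the template to REPLACE, ADD or REVIEW."""
    return {g: classify(e) for g, e in parse_group_membership(inf_text).items()}

if __name__ == "__main__":
    for group, verdict in audit(SAMPLE_INF).items():
        print(f"{verdict:8} {group}")
```

Any group reported as REPLACE should be confirmed against the intended full membership list before the policy applies.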

You've misconfigured the Restricted Group, where you added it as "Members of this group". This will remove the domain admins group.

I also suggest you use "local user & group" in Control Panel, which also exists in GPO.

July 18th, 2015 8:17pm

This is the setting I made. Will it remove all the members from Domain Admin?

July 19th, 2015 1:11am
