Is there a way to restrict admins from adding additional admins?
Is it possible to limit the ability to add local accounts, domain accounts and domain global groups to the local Administrators group? We have a situation where we have a domain global group that is a member of the local Administrators group on a Windows 2003 server and we want to prevent members of this group from being able to add anyone else to the Administrators group. So far we have not been able to figure out a way to limit this ability because, by being in the Administrators group, that capability is inherent. If anyone knows how to do this, can they please provide me with the "how to" details? Thanks!
September 3rd, 2008 6:51pm

Actually, this is pretty simple using Group Policies. The Restricted Groups functionality in a Group Policy Object (GPO) can be used to override the membership of a local group on Active Directory joined Windows machines. In your case you would make a Group Policy Object (GPO), add the local Administrator account, your Domain Admins group (DOMAIN\Domain Admins) and the Domain group (DOMAIN\YourGroup) to the Administrators group, and apply the Group Policy Object (GPO) to the Organizational Unit (OU) where the Windows Server 2003 resides (place it in a separate OU when needed). In a case where one of the members of the Domain group would add a member to (or delete a member from) the local Administrators group, these changes would become undone when the Group Policy would get refreshed in the background (by default every 90 minutes, but this can be changed).

More information:
Description of Group Policy Restricted Groups
Using Restricted Groups
How to modify the default Group Policy refresh interval
September 3rd, 2008 11:09pm

Thanks for the reply. We are aware that you can use Restricted Groups to control the membership of the local admins group, but what we were really looking for was a way to actually restrict the ability of a group from adding anyone to the local admins group in the first place. Granted that you can change the default timeframe for invoking the group policy to shorten the timeframe down so that any bogus accounts are removed more quickly, however the fact remains that the account can still be created and used by an unauthorized party between the timeframe that each group policy refresh takes place. Any idea on how to do this?
September 4th, 2008 8:38pm
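One way to shrink the window the last post worries about, as an added example that is not from this thread or from Microsoft: a Python script that parses the output of `net localgroup Administrators` and reports any member the Restricted Groups policy does not list, so it can run from a scheduled task far more often than the Group Policy refresh. The authorized names mirror the membership described in the reply above, and the sample output is constructed, not captured from a real host.

```python
import subprocess

# Constructed sample of `net localgroup Administrators` output (not captured
# from a real host); DOMAIN\rogueuser stands in for an unauthorized addition.
SAMPLE_OUTPUT = """\
Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
DOMAIN\\Domain Admins
DOMAIN\\YourGroup
DOMAIN\\rogueuser
The command completed successfully.
"""

# The membership the Restricted Groups policy defines (names assumed from the
# thread: the local Administrator, Domain Admins and the delegated group).
AUTHORIZED = {"Administrator", r"DOMAIN\Domain Admins", r"DOMAIN\YourGroup"}


def parse_net_localgroup(output):
    """Return the member names listed after the dashed separator line."""
    members = []
    in_members = False
    for line in output.splitlines():
        line = line.rstrip()
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def unauthorized_members(output, authorized):
    """Members on the host that the policy does not list (case-insensitive)."""
    allowed = {name.lower() for name in authorized}
    return sorted(m for m in parse_net_localgroup(output) if m.lower() not in allowed)


if __name__ == "__main__":
    try:  # live check on a Windows host; falls back to the sample elsewhere
        output = subprocess.run(["net", "localgroup", "Administrators"],
                                capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_OUTPUT
    for name in unauthorized_members(output, AUTHORIZED):
        print("not in Restricted Groups policy:", name)
```

Run from a scheduled task, the output can be written to the event log or a monitoring system so an addition is seen within minutes rather than waiting for the policy refresh to remove it.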
