Hi, I am using group policy Restricted Groups to add a 'domain\helpdesk' account to the local administrators group of all desktops, as this becomes the default behaviour for the desktop administrator group i have also added 'domain\domain admins' and local administrator to the policy. I have just found that when the machine is taken off the domain it strips all the groups out of the local administrator group that were added, leaving me with a bunch of machines with no administrator privileges. You are still able to logon as the administrator account, but it is only a member of guest users group. Is there anything that can be done to add the local administrator back in automatically after it has been taken off the domain? JC

Try using group policy preferences instead of security settings in your GPO. The restricted groups feature overwrites any group membership info. Preferences can be additive and are always "permanent".

Is there anything that can be done to add the local administrator back in automatically after it has been taken off the domain? The local administrator account is, by default, member of the local administrators group. It is for that I don't see why you added it to the policy. Here is how to proceed: 1- Delete the administrator account from the policy 2- Log on to the client computer using the domain admin account 3- Add the local administrator account to the local administrators group 4- Log on to the client computer using the local admin account and check if all is okay or not. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.