Gpo and updating the
Selecting the Domain Name Variable. You should now see the following, which restricts the local Administrators group to only Domain Admins and the local Administrator account. I can already do this with the “Restricted Groups” Group Policy setting. But having only the local Administrator and Domain Admins in the local Administrators group is not much use unless you are willing to give everyone the local administrator password, or give them all Domain Admins privileges (like that ever happens), whenever they need admin access.
However, the “CONTOSO\DESKTOP01 Administrators” group will only be added to the local Administrators group on the computer DESKTOP01 if that group already exists.
In the steps below the computer name is DESKTOP01 and the domain name is CONTOSO. We want to add the group “CONTOSO\DESKTOP01 Administrators” to the local Administrators group, but we also want the same to happen on DESKTOP02, DESKTOP03 and so on, each with its own uniquely named group based on the computer name.
Update: Having a unique group for each computer lets you easily grant a single user permission to a single computer, as there is a one-to-one mapping of domain groups to local Administrators groups. Now go back and repeat steps 3 to 6 until you get to the Local Group Member dialogue box again (see Image 6). Type “%Domain Name%\%Computer Name% Administrators” in the Name text field and click “OK” (Image 7). Image 7.
Therefore you do not need to create the group until the need arises to add an individual user or group to just a single computer.
Update: This policy will not create the group called “ Administrators” in your Active Directory, and you do not have to create it unless you want to use it to grant permission to the computer.
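Because membership in a per-computer “<ComputerName> Administrators” group is exactly local admin on that one machine, it is worth auditing which of these groups exist and who is in them. The following PowerShell is an added example, not part of the original post: one function reports, for every computer in an OU, whether its per-computer group exists in Active Directory and lists its members; a second, run on a workstation, flags any member of the local Administrators group outside the three principals this policy is meant to allow. The OU path, the CONTOSO domain and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and an OU path of your own; CONTOSO and the " Administrators" suffix
# follow the naming used in the post.
Import-Module ActiveDirectory

function Get-PerComputerAdminGroupReport {
    param(
        [string]$SearchBase = 'OU=Workstations,DC=contoso,DC=com',  # assumption
        [string]$Suffix     = ' Administrators'
    )
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $groupName = "$($_.Name)$Suffix"
        # The GPP item only adds the group if it already exists, so a missing
        # group simply means nobody has been granted admin on that computer yet.
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
        $members = $null
        if ($group) {
            # -Recursive expands nested groups: every principal listed here is
            # effectively a local administrator on this one computer.
            $members = (Get-ADGroupMember -Identity $group -Recursive |
                        Select-Object -ExpandProperty SamAccountName) -join ', '
        }
        [pscustomobject]@{
            Computer    = $_.Name
            Group       = $groupName
            GroupExists = [bool]$group
            Members     = $members
        }
    }
}

# Run on a workstation: report local Administrators members that are not one of
# the three principals the policy intends (local Administrator, Domain Admins,
# and the computer's own "<ComputerName> Administrators" domain group).
function Get-UnexpectedLocalAdmins {
    $expected = @(
        "$env:COMPUTERNAME\Administrator",
        "$env:USERDOMAIN\Domain Admins",
        "$env:USERDOMAIN\$env:COMPUTERNAME Administrators"
    )
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $expected -notcontains $_.Name }
}

Get-PerComputerAdminGroupReport | Format-Table -AutoSize
Get-UnexpectedLocalAdmins | Format-Table Name, ObjectClass, PrincipalSource
```

Any row from the second function is drift from the policy, either a member added by hand or a Group Policy Preference item that is not set to delete other members.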