Updating old group policy templates
One problem I see all the time is IT administrators never being able to control who is a local administrator of any particular computer.
The “Members Of” option was a lot easier to maintain as you could layer multiple group policies on top of each other, but this normally resulted in just adding another layer of groups to the pile of groups that were already in the local administrators group. (Alternatively, you could type %Domain Name% in the name field and just press OK.)

Note: The image below is also wrong… The bottom image should be “BUILTIN\Administrator”.

Image 4. Basic local administration group setting

So what, you ask? The other problem was that the “Members” option would override the “Members Of” option, so there was really no way of mixing the two modes. Group Policy Preferences can use variables, which enable you to be extremely granular in controlling your local admin group while still having “Iron Fist” control.

How do I set up a restricted local administrator group?

The following steps will need to be applied to a GPO that is applied to the computer objects whose local administrator groups you want to control.