Introduction
This tutorial will illustrate how to add an Active Directory group to the local Administrators group of one or more workstations using Restricted Groups via Group Policy. This can be useful for temporarily allowing a user or group of users local administrative access to a workstation when software updates or software installation require those rights. By adding an AD group to the workstation's local Administrators group, you can later remove users from that group in Active Directory whenever you choose.
Keep in mind that this Group Policy will apply to every workstation within the OU to which you link the group policy. Be extremely careful about which workstations you are applying the group policy to. Also, this method should be used with caution, and users added to the security group in Active Directory should be monitored.
Steps (8 total)
Create a new group in Active Directory that you wish to add to every workstation's local Administrators group. DO NOT add any users to this group at this time.
Create a new Group Policy Object and link it to the desired OU. Make sure that the OU covered by the GPO contains the WORKSTATIONS on which you want to give users local administrative rights.
DO NOT add this GPO or restricted group setting to your default domain policy. Make sure that the OU you apply this GPO to covers only the workstations that you wish to provide the affected users local admin rights on.
Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.
Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Groups list. In the Group field, type the name of the newly created Active Directory group and click "OK".
In the Restricted Group Properties window, click "Add" under the section titled "This group is a member of:". Type "Administrators" (without the quotes, and yes, it is plural) in the Group Membership window and click "OK".
Once the workstations receive their updated group policy settings, every workstation within the OU you specified will have your new Active Directory group as a member of the local Administrators group. If you need to force the GPO update on a specific workstation, run "gpupdate /force" in a command window on that workstation.
When you need to provide local workstation admin rights, simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups, using your Active Directory management console.
When the user or group of users no longer needs the local admin rights, simply remove the user(s) from the Active Directory group and have the user log off or reboot the workstation.
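The following PowerShell script is an added verification check, not part of the original tutorial: it confirms on a workstation that the AD group landed in local Administrators (and flags any unexpected members), then lists who currently holds admin rights through that AD group so it can be monitored. It assumes a placeholder group name "WS-LocalAdmins", a domain-joined workstation, and the RSAT ActiveDirectory module for the second check.

```powershell
# Added verification script (not from the original tutorial).
# Assumes: AD group "WS-LocalAdmins" (placeholder), domain-joined workstation,
# RSAT ActiveDirectory module installed for the AD-side check.
param(
    [string]$AdGroup = 'WS-LocalAdmins',   # assumed name of the Restricted Groups AD group
    [string]$Domain  = $env:USERDOMAIN     # NetBIOS domain name, assumed to match the group's domain
)

# Accounts expected in local Administrators besides the Restricted Groups AD group.
$Expected = @("$Domain\$AdGroup", "$Domain\Domain Admins", "$env:COMPUTERNAME\Administrator")

# 1. Local check: is the AD group present, and is anything unexpected present?
#    "This group is a member of: Administrators" appends the group to the local
#    Administrators group; it does not replace existing members, so the
#    baseline accounts above should still be there.
$local = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($local -contains "$Domain\$AdGroup") {
    Write-Output "OK     : $Domain\$AdGroup is a member of local Administrators"
} else {
    Write-Output "MISSING: $Domain\$AdGroup not found - GPO not applied yet? Try: gpupdate /force"
}
$unexpected = $local | Where-Object { $Expected -notcontains $_ }
foreach ($u in $unexpected) { Write-Output "REVIEW : unexpected local admin '$u'" }

# 2. AD-side check: who currently inherits local admin rights through the group?
#    This is the membership the tutorial says should be monitored; outside an
#    approved installation window it should ideally be empty.
Import-Module ActiveDirectory -ErrorAction Stop
$members = Get-ADGroupMember -Identity $AdGroup -Recursive
if (-not $members) {
    Write-Output "OK     : $AdGroup has no members (no one currently has local admin via this group)"
} else {
    foreach ($m in $members) {
        Write-Output ("MEMBER : {0} ({1})" -f $m.SamAccountName, $m.objectClass)
    }
}
```

Run it on a workstation in the linked OU after gpupdate to confirm the setting took effect, and schedule the AD-side portion on a management host to catch users left in the group after an installation window.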
Conclusion
This process can specifically be used as a method for automated software upgrade rollouts. Some software vendors have mechanisms for deploying software updates automatically when a user logs in to the software. However, many times these automatic installations also assume that all users have local admin rights (which is crazy, right?).
Also, here was the tutorial I followed when I was first learning about Restricted Groups:
http://www.frickelsoft.net/blog/?p=13
However, it is important to mention that my steps do not follow that blog post 100%. I used an Active Directory group instead of simply adding users to the restricted group. Using groups adds more flexibility for managing the Restricted Group itself. Also, if you add a user to a restricted group you would have to manually go around to each workstation and remove that user from the local admin group. By using a Group you can simply remove the user from the group in Active Directory.