The Restricted Group setting allows you to configure membership in groups within Active Directory or in the local security accounts manager (SAM) of domain-joined computers.
In this example, we will add all domain users to the local computers' Power Users group for all computers in the domain.
Note: Be aware that this method will replace the membership of the group you are configuring, it does not merge this membership with any members who currently exist in the local group.
- Open the Group Policy Management Console
- Edit the Default Domain Policy
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
- Right-click Restricted Groups and select Add Group...
- The trick to adding a local group is to just type in the group name. Do not browse to find the Power Users group, because this will resolve to the domain's Power Users group. Type Power Users, as shown below, and click OK.
- Another window will pop-up to let you configure the properties of the Power Users Restricted Group. For Members of this group, click Add.
- Click the Browse button and browse for the group in Active Directory that you want to add to the local Power Users group. In this example, use Domain Users and click OK, as shown below.
- Close the GPO Editor and the Group Policy Management Console
When the policy is processed, the computer will attempt to resolve the Power Users name that you typed to a local group first, then a domain group if no local match is found.
You can do the same process above for any other OU to scope the GPO to a specific set of computers. If you want to add users to the local Administrators group, simply type that name instead of Power Users.