Domain Controller Builtin\Administrators (Restricted Groups)

Anonymous
2021-09-19T15:22:56.75+00:00

When working with Active Directory, does anyone know why Restricted Groups within Group Policy cannot be used to add a group to the Builtin\Administrators group on a domain controller?

I am able to use Restricted Groups to replace all the groups and add the ones I want but I cannot use it to add a group to Builtin\Administrators on the domain controller.

No other policies are overwriting this.


Accepted answer
  1. cthivierge 4,056 Reputation points
    2021-09-20T16:36:22.8+00:00

    Both are working well

    133628-group5.png

    133674-group6.png


3 additional answers

  1. Limitless Technology 39,391 Reputation points
    2021-09-20T14:21:54.28+00:00

    Hello,

    When a restricted group policy is enforced, any current member of a restricted group that isn't on the Members list is removed, except for the administrator in the Administrators group. Any user on the Members list that isn't currently a member of the restricted group is added.

    Only inclusion is enforced in this portion of a restricted group policy. The restricted group isn't removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.

    Builtin\Administrators denotes the local Administrators group on the machine (server).

    Do follow the link below to learn more:

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/description-of-group-policy-restricted-groups

    Hope this answers all your queries; if not, please do post back.
    If an answer is helpful, please click "Accept Answer" and upvote it : )

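As an added illustration of the Members / Member Of distinction in the answer above (this is example code, not something posted in the thread or taken from Microsoft): the first helper parses the [Group Membership] section of a GPO's GptTmpl.inf and states what each entry enforces, and the second compares a domain controller's Builtin\Administrators membership (looked up by well-known SID) with the list you intended, so you can see whether the policy actually applied. The INF text, the CONTOSO group names and the SID in it are constructed placeholders; the live check assumes the ActiveDirectory RSAT module and a domain-joined admin session.

```powershell
# Added example, not from the original thread. Two helpers around the
# Members / Member Of distinction in Restricted Groups:
#   1. Read-RestrictedGroups parses the [Group Membership] section of a GPO's
#      GptTmpl.inf and says what each entry enforces.
#   2. Get-BuiltinAdminDrift compares a DC's Builtin\Administrators membership
#      with the list you intended, so you can see whether the policy applied.
# Assumes the ActiveDirectory RSAT module for the live check; the INF sample
# below is constructed, not taken from a real GPO.

$BuiltinAdminsSid = 'S-1-5-32-544'   # well-known SID for Builtin\Administrators

# Constructed sample of the security template text a Restricted Groups policy
# writes to <GPO>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
# CONTOSO names and the S-1-5-21 SID are placeholders.
$sampleInf = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,CONTOSO\Tier0-ServerAdmins
CONTOSO\HelpDesk__Memberof = *S-1-5-32-544
CONTOSO\HelpDesk__Members =
'@

function Read-RestrictedGroups {
    param([string]$InfText)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        # Track which INI section we are in; only [Group Membership] matters here.
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        if ($line -notmatch '^(?<group>.+?)__(?<mode>Members|Memberof)\s*=\s*(?<value>.*)$') { continue }
        $targets = @($Matches.value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        # Members REPLACES the group's membership with exactly this list (an empty
        # list empties the group, except the built-in Administrator account);
        # Memberof only ADDS the group to the listed groups and removes nothing.
        $effect = if ($Matches.mode -eq 'Members') { 'replace membership with' } else { 'add group to' }
        [pscustomobject]@{
            Group   = $Matches.group.TrimStart('*')
            Mode    = $Matches.mode
            Effect  = $effect
            Targets = $targets
        }
    }
}

function Get-BuiltinAdminDrift {
    param(
        [string[]]$Expected,
        [string]$Server = $env:COMPUTERNAME   # run on the DC, or pass -Server <dc>
    )
    Import-Module ActiveDirectory
    # On a DC, Builtin\Administrators is the domain-local group in CN=Builtin,
    # so it is looked up by SID in AD rather than in a local SAM.
    $actual = @(Get-ADGroupMember -Identity $BuiltinAdminsSid -Server $Server |
        Select-Object -ExpandProperty SamAccountName)
    [pscustomobject]@{
        Server     = $Server
        Missing    = @($Expected | Where-Object { $_ -notin $actual })
        Unexpected = @($actual   | Where-Object { $_ -notin $Expected })
    }
}

# Show what the sample policy would enforce.
Read-RestrictedGroups -InfText $sampleInf | Format-Table Group, Mode, Effect, Targets

# Live check against the DC (constructed expected list; adjust to your design).
# If Unexpected entries keep returning after `gpupdate /target:computer /force`,
# another GPO's Members list is winning.
Get-BuiltinAdminDrift -Expected 'Administrator','Domain Admins','Enterprise Admins','Tier0-ServerAdmins' |
    Format-List
```

Run the parser part anywhere; point it at the real GptTmpl.inf under SYSVOL for the GPO in question to confirm whether your entry ended up as `__Members` (replace) or `__Memberof` (add), which is the difference the question turns on. The live check needs to run with domain admin rights against the DC.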

  2. cthivierge 4,056 Reputation points
    2021-09-20T14:37:08.057+00:00

    I think it should work. It's working in my lab environment.

    Here's my GPO and where it's linked

    133635-group1.png

    133636-group2.png

    133665-group3.png

    133569-group4.png


  3. Limitless Technology 39,391 Reputation points
    2021-09-20T17:59:46.65+00:00

    Hello @Anonymous

    Additionally,

    This is because once you promote a computer to Domain Controller, all the local security groups are "migrated" to domain groups, and the local Administrators group is removed. This is due to the local SAM database usage, but there is a very good explanation in this post:

    https://social.technet.microsoft.com/Forums/exchange/en-US/91294fdf-1565-4861-bf23-ba62937f1c11/what-happens-to-local-users-and-groups-after-a-computer-joined-a-domain?forum=winservergen

    Best regards,
