I need to add a user to the local administrators of all machines in the domain. I read about Restricted Groups, however I don't want to replace all members, but just append a new one. Is it possible?
There are two different "modes" when using the Restricted Groups feature. The first one, Members of this group, is the one you mentioned where it replaces all members of the selected group with the list you specify. The second one, This group is a member of, will do exactly what you want. Most people forget the second mode exists and it is also able to stack nicely with other group policies using the same Restricted Groups mode.
I always prefer to use it instead of the Group Policy Preferences equivalent because it's a more rigidly enforced policy rather than a...well...preference. It also doesn't require GPP extension support which can be an issue in legacy environments.
So basically when you "Add Group" in the Restricted Groups section, pick the group you want to be a member of the local Administrators group from your domain. Then click the Add button in the lower section for This group is a member of and type simply, Administrators.
Yes, but not with restricted groups. You'll need to use Group Policy Preferences for this.
This works as advertised.
When you right-click and click Add Group, you basically define the group name that exists in AD and that you need to add to a local group on servers or workstations. The next thing to be done is to define the local group that you need it added to, which is the lower part of the dialog that opens after you click OK. Leave the upper part blank, and you're good to go.
Just tested it.
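How the two Restricted Groups modes described in the answers above are stored in a GPO's security template, as an added example that is not part of any of the original answers: a PowerShell function that reads the `[Group Membership]` section of a `GptTmpl.inf` and reports which mode each entry uses, so a replace-mode entry can be spotted before the policy is linked. The sample template and its domain SIDs are constructed placeholders, and `Get-RestrictedGroupMode` is a hypothetical helper name.

```powershell
# Constructed sample of a GPO security template (GptTmpl.inf); domain SIDs are placeholders.
# S-1-5-32-544 is BUILTIN\Administrators, S-1-5-32-555 is BUILTIN\Remote Desktop Users.
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
'@

function Get-RestrictedGroupMode {
    # Hypothetical helper: classifies each Restricted Groups entry by the list that is filled in.
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    $entries = [ordered]@{}
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(.+?)__(Memberof|Members)\s*=\s*(.*)$') {
            $group = $Matches[1]; $key = $Matches[2]
            $values = @($Matches[3] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if (-not $entries.Contains($group)) { $entries[$group] = @{ Memberof = @(); Members = @() } }
            $entries[$group][$key] = $values
        }
    }
    foreach ($group in $entries.Keys) {
        $e = $entries[$group]
        if ($e.Members.Count -gt 0) {   # upper list in the dialog: membership is replaced
            [pscustomobject]@{ Group = $group; Mode = 'Members of this group (replace)'; List = $e.Members -join ',' }
        }
        if ($e.Memberof.Count -gt 0) {  # lower list in the dialog: group is appended to the target
            [pscustomobject]@{ Group = $group; Mode = 'This group is a member of (append)'; List = $e.Memberof -join ',' }
        }
    }
}

Get-RestrictedGroupMode -InfText $sampleInf | Format-Table -AutoSize
```

To check a real policy, pass the output of `Get-Content -Raw` on that GPO's `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` under SYSVOL instead of the sample string.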