When it comes to assigning a group to the local Administrators, Power Users, or Remote Desktop Users group of computer accounts, Group Policy is the way to do it. But, be careful how you do this throughout the Active Directory forest. You can quickly find yourself with overlapping or conflicting entries and then accidentally may be forced to over-permission.

The good news is that if you get your head around the Restricted Groups object in Group Policy, this can be done quite easily. First of all, make sure you apply the Restricted Groups permissions for each of the Organizational Units that contain computer accounts; and, don’t plan on much inheritance of these configurations.

The Restricted Groups setting is located in Group Policy Computer Configuration at Policies | Windows Settings | Security Settings | Restricted Groups. This area of Group Policy and a sample configuration is shown in Figure A below:

Figure A

Click to enlarge.

In this example, the RWVDEV\GRPO-UserAccounts group is automatically made a member of the Power Users account of computer accounts in the Organizational Unit to which this GPO is assigned and below.

The best practice here is to assign Administrators to the Domain Admins group as well as possibly an application-level administrator for computer accounts that would be contained in this Organizational Unit (only for that application). The same goes for Power Users and Remote Desktop Users, so if someone isn’t a member of a group that is an administrator in this space, maybe they would be a “Power User” and then remote desktop access would accompany that role.

This configuration, by default, will apply to other computer account Organizational Units below the current one, so be mindful of inheritance of this GPO in Active Directory.

How do you use the Restricted Groups GPO object to assign permissions in Active Directory? Share your comments below.