Parent Domain Admins for Child Domain Clients

active-directory domain-controller group-policy permissions

I have a situation where we have a parent/child domain. We have a universal group called Enterprise Admins with the PARENT\Domain Admin in this group. Under the Child domain account BUILT-IN\Administrators group we placed PARENT\Enterprise Admins; this gave us full Administrative Rights to the child domain remotely.

The issue we are running into is that we want the PARENT\Domain Admins to be added to the local administrators on the computers without having to create a domain local account on the Child domain. We implemented Restricted Group Policy to add the PARENT\Domain Admins and CHILD\Domain Admins groups to the local administrators group; this worked.

However, with the restrictive group policy, any custom local administrators we add to the box are removed and replaced by the policy; this is what we do not want.

How can we add the PARENT\Domain Admin group to clients on the Child domain without removing the existing ones?

Best Answer

You can use Group Policy Preferences to update the Built-in\Administrators groups on the local computers with whatever domain accounts\groups that you'd like. This will not replace existing groups\users unless you explicitly check the option to remove all other group members.

Restricted Groups is the old-school way to do it. GPP is the new, more flexible way.
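
One way to confirm on a test client that the preference item merged rather than replaced the membership (an added example, not part of the original answer). The function name `Test-LocalAdminMerge` is hypothetical, and the two group names are taken from the question; adjust them to your environment.

```powershell
# Added example: compare local Administrators membership before and after a
# policy refresh to confirm required groups were added and nothing was removed.
function Test-LocalAdminMerge {
    param(
        # Groups the policy is expected to add (names from the question).
        [string[]]$Required = @('PARENT\Domain Admins', 'CHILD\Domain Admins'),
        # Member names recorded before the policy was applied.
        [string[]]$Baseline = @()
    )

    try {
        # S-1-5-32-544 is the well-known SID of the built-in Administrators
        # group, so the lookup does not depend on the OS display language.
        $current = @((Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop).Name)
    }
    catch {
        # The cmdlet can throw when the group holds entries it cannot resolve.
        throw "Could not enumerate local Administrators: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        # Expected groups that the policy did not deliver.
        MissingRequired      = @($Required | Where-Object { $_ -notin $current })
        # Entries present before the refresh that are now gone; this is the
        # symptom the question describes with Restricted Groups.
        RemovedSinceBaseline = @($Baseline | Where-Object { $_ -notin $current })
        # Custom administrators that survived the policy.
        Preserved            = @($current | Where-Object { $_ -notin $Required })
    }
}

# Record membership, refresh computer policy, then compare.
$before = @((Get-LocalGroupMember -SID 'S-1-5-32-544').Name)
gpupdate /target:computer /force | Out-Null
$result = Test-LocalAdminMerge -Baseline $before
$result | Format-List

if ($result.MissingRequired.Count -or $result.RemovedSinceBaseline.Count) {
    Write-Warning 'Local Administrators membership is not what the policy should produce.'
}
```

A non-empty `RemovedSinceBaseline` after the refresh suggests a Restricted Groups policy is still in scope for the machine, or that the preference item has the remove-all-members option checked.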