using GPO to add members of a trusted domain to a local group


  • I have a one-way trust between domains. Is it possible to use group policy to add a group from the trusted domain to the local administrators group of servers in the trusting domain? Then I don't have to manually do this on each server. The easiest thing would be to add objects from the trusted domain to groups in the trusting domain, but that doesn't appear to be possible.
    Thursday, July 9, 2015 2:19 PM


All replies

    • Marked as answer by WAAWM Thursday, July 9, 2015 6:18 PM
    Thursday, July 9, 2015 4:34 PM
  • Slava is correct. However, make sure that the group in the trusted domain has the correct scope as well. A domain local group in that domain couldn't be used for that purpose.

    Thursday, July 9, 2015 4:37 PM
  • Thursday, July 9, 2015 4:41 PM
  • It looks like this should work. What I was looking to do was add a group in the trusted domain to the administrators group on the trusting servers. However, this process looks like it does a replacement of members rather than an addition of members. This seems like a potentially dangerous thing to do to the administrators group. I would prefer not having to touch each server, but I'm thinking the safer approach would be to make a domain group containing objects from the trusted domain and manually add that group to each local administrators group.
    Thursday, July 9, 2015 5:05 PM
  • Take a closer look. With the memberof property you can add (not replace). You just specify that your group is a member of the administrators group. That's it.
    Thursday, July 9, 2015 5:18 PM
  • I understand now. Thanks.

    Thursday, July 9, 2015 6:18 PM
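
Added example, not part of the thread: assuming the "memberof property" discussed above is the Restricted Groups "This group is a member of" setting, which a GPO stores in the `[Group Membership]` section of its `GptTmpl.inf`, this Python script classifies each entry as adding to or replacing the local Administrators membership. The sample file content, the domain SIDs and the function names are constructed for illustration.

```python
# Added example: classify Restricted Groups entries from a GPO's GptTmpl.inf.
ADMINISTRATORS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample; the S-1-5-21-... domain SIDs are made-up placeholders
# standing in for a group from the trusted domain.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
"""

def parse_group_membership(inf_text):
    """Return (principal, kind, values) tuples from [Group Membership]."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        principal, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        values = [v.strip() for v in value.split(",") if v.strip()]
        entries.append((principal, kind.lower(), values))
    return entries

def effect_on_group(inf_text, target=ADMINISTRATORS):
    """Map each entry that touches `target` to 'add' or 'replace'."""
    findings = {}
    for principal, kind, values in parse_group_membership(inf_text):
        if kind == "memberof" and target in values:
            findings[principal] = "add"      # principal is added to target
        elif kind == "members" and principal == target and values:
            findings[target] = "replace"     # target is reset to exactly `values`
        # Entries with an empty value are not classified in this example.
    return findings

if __name__ == "__main__":
    print(effect_on_group(SAMPLE_INF))
```

Run against the `GptTmpl.inf` of each GPO linked to the servers, a `replace` finding for `*S-1-5-32-544` is the case the poster was worried about.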