Can't you use the "Restricted Groups" policy setting to set your local Admin membership on your workstations ?
We do this routinely for about 2500 workstations and 300+ servers with no problems. MS Article on it (not a huge amount of help though) http://support.microsoft.com/default.aspx?scid=kb;en-us;Q279301 (Step by step on how to implement it) http://www.windowsecurity.com/articles/Using-Restricted-Groups.html HTH G. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Thursday, 2 December 2004 3:31 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Cross Domain Groups Group, Have you ever added a domain admins group from another forest into the built in administrators groups on your local workstation. We have our forest of nt40 and the parent company has a forest named abc. They both have a two way trust. I started this project by creating a universal group in the nt40 forest and placing the domain admins group from the abc forest into it. I then opened the local permissions on my box and placed the universal group that I created into the local group. It actually worked. Therefore, I know that you can cross global groups as long as you hide them in either a local or universal group (duh). However, I am trying to find a way to automate this process because all workstations in the network need the domain admins group from abc. I have been researching gpo's and haven't found a solution. Have you ran into this problem before? Ideas? Suggestions? Thanks, S List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/