Yes, that is how Restricted Groups work: it overwrites whatever is existing on the current machine. That is the best way to do it; then your GPO is the definitive authority on who is a local admin. So yes, servers should be in separate OUs so they can have their own GPOs on this issue and all the others that you decide to do.
From: John Bowles [mailto:john.bow...@wlkmmas.org]
Sent: Wednesday, January 20, 2010 10:00 AM
To: NT System Admin Issues
Subject: GPO Best Practices

I have a customer who is looking to implement a GPO to add Domain Admins to all the workstations and servers. I was looking into using Restricted Groups to tackle this task, but it seems if you use Restricted Groups you will lose anything outside of the groups you have listed in the restricted groups that reside in the local admin group of workstations or servers.

My question is, if I recall a finely tuned AD, the concept was to have your workstations and servers in separate OUs, right? This way you can have separate sets of GPOs for each class, either workstations or servers? Or, is there just a flat out easier way to push certain accounts to the servers and workstations?

Thanks,
John Bowles
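Because a Restricted Groups "Members of this group" policy replaces the local Administrators membership outright, the practical check before linking the GPO to a workstation or server OU is to inventory what each machine has now and see what the policy would drop. The script below is an added example, not code from the thread; the computer names, the CONTOSO domain, the sample members and the `workstations.txt` file are constructed placeholders.

```powershell
function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The WinNT ADSI provider needs no WinRM, so it also reaches 2003/2008-era hosts.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # "WinNT://CONTOSO/Domain Admins" -> "CONTOSO\Domain Admins"
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-RestrictedGroupImpact {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$CurrentMembers,  # membership on the box now
        [Parameter(Mandatory)][string[]]$PolicyMembers    # "Members of this group" in the GPO
    )
    # Policy entries without a domain prefix are local accounts; qualify them with
    # the computer name so they compare equal to what the ADSI enumeration returns.
    $policy = $PolicyMembers | ForEach-Object {
        if ($_ -match '\\') { $_ } else { "$ComputerName\$_" }
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        WouldRemove  = @($CurrentMembers | Where-Object { $policy -notcontains $_ })
        WouldAdd     = @($policy | Where-Object { $CurrentMembers -notcontains $_ })
    }
}

# Constructed sample: what the workstation-OU GPO will enforce, and what one
# workstation currently has. Everything listed in WouldRemove is gone the moment
# the Restricted Groups policy applies, so review it before linking the GPO.
$policyMembers = @('Administrator', 'CONTOSO\Domain Admins')
$currentOnWS01 = @('WS01\Administrator', 'CONTOSO\Domain Admins',
                   'CONTOSO\Desktop Support', 'WS01\svc_backup')
Compare-RestrictedGroupImpact -ComputerName 'WS01' `
    -CurrentMembers $currentOnWS01 -PolicyMembers $policyMembers | Format-List

# Against live machines (one name per line, constructed file name), scoped to the
# OU that the GPO will be linked to:
# Get-Content .\workstations.txt | ForEach-Object {
#     Compare-RestrictedGroupImpact -ComputerName $_ `
#         -CurrentMembers (Get-LocalAdminMembers $_) -PolicyMembers $policyMembers
# } | Where-Object { $_.WouldRemove.Count -gt 0 }
```

Run the live variant once per OU (workstations and servers separately, as the reply suggests), since each class gets its own enforced list and therefore its own set of entries at risk.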