Channel: Group Policy forum

Restricted Groups - Using multiple approaches


I know there are a lot of Restricted Groups threads out there, but I didn't see this specific question asked.

In our domain, we use a couple of GPOs to add groups to the local admins group on all computers.

Example:

Group - Members - MemberOf  (those familiar with restricted groups should recognize these options)

Domain Admins - (blank) - Administrators

Computer Admins - (blank) - Administrators

So, with these settings (they're actually in separate GPOs linked at the same OU level), "Domain Admins" and "Computer Admins" automatically get added to the local admins group on all computers in our domain.

However, now we have an added requirement.  We want to further lock down the local admins list on all workstation computers.  So, I established another GPO, linked at a further-down OU (and scoped properly) that was set up as follows.

Group - Members - MemberOf

Administrators - LocalSiteAdmins - (blank)

Some may already see where I'm going with this, but stay tuned, it gets odd.  After applying this GPO, my test Windows 7 machine had all three groups (Domain Admins, Computer Admins, and LocalSiteAdmins) in its built-in\administrators group.  However, an RSOP showed that only the LocalSiteAdmins GPO had actually applied successfully.  The other two showed errors.

So, here's the rub... I actually LIKE this result.  I think it would be useful to be able to lock down the local admins group on a per-OU basis, while still being able to append entries across everything.  I'm just nervous that the result I'm seeing is the product of an error and may not actually apply reliably to all systems.

Ideas?  Is this how it's supposed to work?  I couldn't find anything regarding using these two approaches to restricted groups simultaneously.
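
One way to check whether the combined result described in the post holds on a given workstation, as an added example that is not part of the original post: the script reads the local Administrators group through the ADSI WinNT provider and reports which expected groups are missing and which members are unexpected. The domain name `CONTOSO` is a placeholder, the function name is hypothetical, and the expected list is an assumption built from the three group names in the post.

```powershell
# Added example (not from the original post).
# CONTOSO is a placeholder domain; the three group names come from the post.
# Add any local accounts you expect to remain, e.g. "$env:COMPUTERNAME\Administrator".
$Expected = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Computer Admins',
    'CONTOSO\LocalSiteAdmins'
)

function Get-LocalAdminMember {
    # Hypothetical helper: returns members of the local Administrators group
    # as AUTHORITY\Name strings. Uses ADSI so it also runs on PowerShell 2.0.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://CONTOSO/Domain Admins (domain principal)
        # or WinNT://CONTOSO/PC01/Administrator (local account).
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) {
            '{0}\{1}' -f $parts[-2], $parts[-1]
        } else {
            # An unresolvable SID shows up as a single path segment.
            $parts[0]
        }
    }
}

$actual = @(Get-LocalAdminMember)

# -notcontains compares case-insensitively, which matches how account names behave.
$missing    = @($Expected | Where-Object { $actual   -notcontains $_ })
$unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })

New-Object PSObject -Property @{
    Computer   = $env:COMPUTERNAME
    Actual     = $actual -join '; '
    Missing    = $missing -join '; '
    Unexpected = $unexpected -join '; '
    Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
}
```

Running it after `gpupdate /force` on several workstations in the OU shows whether the membership is the same on every machine rather than only on the one test system.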

