This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 70%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Hello All,
We have 4 Domains, out of 4 we have one root domain. The Member servers are managed by a dedicated team, they required admin access on all member servers across all the child domain.
I am looking for some input if there is any better way than we are currently configured. We have created a universal group in root domain
The universal group is being configured in GPO to be pushed in Local Administrator of member servers.
All our DC are on 2016 and Member servers are 2012R2 and 2016..
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello anonymous user ,
Thank you for posting here.
Basedon the description above, we want to a dedicated team group have local Administrator right on all the member server of all the domains (including root domain and child domains), if I understand it right, I think the way you are configuring is very good. Because it can meet your need and we can set it in batches.
We can use one of the group policy settings:
Computer Configuration\Policies\Windows settings\Security Settings\Restricted Group
Or
Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
Hope the information above is helpful.
Best Regards,
Daisy Zhou
Thank you for your reply. But still we need to create a Universal group in root domain to configure in one of the GPO?