for a long time, it's been thought that restricted groups in a group policy would only perform a wipe and replace of the members of a local group. let's dispel this myth. what seems to be fairly unknown is that restricted groups is also capable of adding members to a group without removing the existing members.

for instance, let's assume we have a group called MyGroupA that needs to be in the administrators group of a set of workstations. there are two ways we can do this.

the first, which you're probably familiar with, is to replace anything in the administrators group with a new set of groups or users. where is this useful? if you want to make sure that any accounts that are mysteriously added to the local admins group are removed and replaced with your set of users/groups, use this method. i won't elaborate on this since it's fairly common and understood.

the other method is adding users/groups to local admins without removing the users/groups that already exist. back to
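
an added example, not from the original post: restricted groups settings are stored in the gpo's GptTmpl.inf under `[Group Membership]`, where a `__Members` line is the wipe-and-replace method and a `__Memberof` line is the add-without-removing method. the python below classifies each entry so a gpo can be audited for which method it uses; the sample file, domain sid and `helpdesk` account are constructed, and entries with an empty right-hand side are deliberately left unclassified.

```python
import re

# Constructed sample of a GptTmpl.inf; the domain SID, the helpdesk account
# and the use of MyGroupA by name are placeholders for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,helpdesk
MyGroupA__Memberof = *S-1-5-32-544
MyGroupA__Members =
[Version]
signature="$CHICAGO$"
Revision=1
"""

ENTRY = re.compile(
    r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$", re.I)

def classify_restricted_groups(inf_text):
    """Return a list of (mode, target_group, principals) tuples.

    "replace": target_group's membership is set to exactly `principals`.
    "add":     the principal is added to target_group and the existing
               members of target_group are left alone.
    Entries with an empty right-hand side are not classified here.
    """
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        values = [v.strip() for v in m["value"].split(",") if v.strip()]
        if not values:
            continue
        group = m["group"].strip()
        if m["kind"].lower() == "members":
            findings.append(("replace", group, values))
        else:
            # "<group>__Memberof = X,Y" adds <group> to each of X and Y
            findings.extend(("add", target, [group]) for target in values)
    return findings
```

in the sample, `*S-1-5-32-544` is the well-known sid of the built-in administrators group, so the output shows one gpo using both methods against the same target.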