Adding Global to Local Groups
Is there a smart way of adding domain global groups to Windows client machine local Administrators groups?
I know net localgroup can be used at the command prompt, but is there a way of doing this using the AD integrated tools?
Does Group Policy offer options for this?
June 4th, 2007 2:58am
You can accomplish this within a group policy. As long as all the client machines are members of AD, you can leverage the "Restricted Group" component with a GPO. This is typical for what you are trying to do.
Reference the link for additional help:
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
HTH,
Chris Calderon
June 4th, 2007 1:05pm
Restricted groups in Group Policy is great, however I'm not quite ready for it yet because all current groups would be cleared out and replaced with those specified in the GPO - I would first need to audit current Local Administrator membership, else I might wipe out some critical security group which is necessary for something.
What I want to do right now is append a new DL Group to all Local Administrators without affecting any existing groups. What alternatives are there?
Thanks
June 6th, 2007 1:51am
A Distribution List cannot be granted this type of access because it's not a Security Principal. You'd have to convert the group to a Security Group to be able to assign it to a local group.
A common method to do this without using Group Policies is through a WMI script that connects to the remote targeted computers and then modifies the local group membership.
For example:
' Source of the AD group and the computer whose local group is changed
strDomainControler = "DOMAIN_CONTROLLER_NAME"
strComputer = "REMOTE_COMPUTER"
' Bind to the AD group and to the remote local Administrators group
Set objUser = GetObject("WinNT://" & strDomainControler & "/ADGROUPNAME,group")
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
' Add the AD group as a member; existing members are left in place
objGroup.Add(objUser.ADsPath)
This script will add whichever group you define (ADGROUPNAME) to the local Administrators group (or whichever local group) of a remote computer. I'd probably modify it to read a text file to control AD Groups and target computers.
HTH,
June 6th, 2007 4:28am
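The two needs raised in this thread, auditing current local Administrators membership and appending one group without touching the rest, can be combined in one script. The PowerShell below is an added example, not code from any poster; the domain name EXAMPLE, the group name ADGROUPNAME, the file names and the function name are placeholders chosen for illustration, and the group is assumed to be a security group.

```powershell
# Added example (not from the thread). EXAMPLE, ADGROUPNAME and the file
# names are placeholders; the group is assumed to be a security group.
param(
    [string[]]$Computers = @($env:COMPUTERNAME),  # or: Get-Content .\computers.txt
    [string]$Domain      = 'EXAMPLE',
    [string]$GroupName   = 'ADGROUPNAME',
    [string]$AuditPath   = '.\local-admins-audit.csv',
    [switch]$Apply                                # without -Apply nothing is changed
)

# Hypothetical helper: returns the ADsPath of every member of the
# local Administrators group on one computer.
function Get-LocalAdminMember {
    param([string]$Computer)
    $admins = [ADSI]"WinNT://$Computer/Administrators,group"
    # Members() yields COM objects, so ADsPath is read through late binding.
    @($admins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$target = "WinNT://$Domain/$GroupName"

foreach ($computer in $Computers) {
    try {
        $members = @(Get-LocalAdminMember -Computer $computer)
    } catch {
        Write-Warning "${computer}: cannot read Administrators: $($_.Exception.Message)"
        continue
    }

    # Record what is there today, before any change is made.
    $members | ForEach-Object {
        [pscustomobject]@{ Computer = $computer; Member = $_ }
    } | Export-Csv -Path $AuditPath -Append -NoTypeInformation

    if ($members -contains $target) {
        Write-Output "${computer}: $target is already a member"
    } elseif ($Apply) {
        # Add() appends one member; existing members stay in place.
        ([ADSI]"WinNT://$computer/Administrators,group").Add($target)
        Write-Output "${computer}: added $target"
    } else {
        Write-Output "${computer}: would add $target (re-run with -Apply)"
    }
}
```

The CSV it writes is the membership inventory needed before moving to Restricted Groups; review it for unexpected accounts before running with -Apply.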