CAUTION: This process OVERWRITES ANY local administrators on these machines ONLY with the ones listed in the GPO.
I pushed this GPO out recently and wiped out a local list of administrators on several production machines. Not good.
The decent solution for this problem is to use Windows Logo certified software, and reinstall workstations where Admin rights are currently being used by users. Bad, bad, bad practice. It takes the extra few hours to configure a system properly, giving them ONLY the necessary permissions. Why do so many people do it the dirty way?
SUMMARY

This article describes how to create a global group so that it is a member of the local administrators group on all workstations and member servers by using group policy restricted groups.
MORE INFORMATION

It may be useful to allow certain users to automatically become local administrators on your Windows 2000-based workstations or member servers. To allow that type of access to a controlled set of users and computers by using a group policy:
...Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group. Click Browse. Focused on the local computer, click the group to which you want your global group to be a member (in this case, the "Administrators" group), click ADD, and then click OK. You are returned to the group policy and you see the administrators group listed in the Restricted Groups window. Right-click the group, and then click Security. To the right side of the Members of this Group box, click ADD, and then click Browse. Locate the group in the organizational unit that you want to place in the administrators group, and then add it to the group. After you do so, close the group policy.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q320065
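
A pre-check for the caution at the top of this page, added here as an example and not part of the original posts or the Microsoft article: it records who is currently in each machine's local Administrators group and flags the members that are not in the list the Restricted Groups policy will enforce. The computer names, the `EXAMPLE` domain, the group names, the function name `Get-LocalAdminMember` and the CSV path are all assumptions.

```powershell
# Added example: list local Administrators members that a Restricted Groups
# "Members of this group" policy would not keep. All names below are
# constructed placeholders; replace them with your own before running.
$Computers     = @('WKSTN01', 'SRV-APP01')                                  # hypothetical
$PolicyMembers = @('EXAMPLE\Domain Admins', 'EXAMPLE\Workstation Admins')   # hypothetical

function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string]$Computer)
    # The WinNT ADSI provider reads the group remotely; no PowerShell remoting needed.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # 'WinNT://DOMAIN/COMPUTER/name' or 'WinNT://DOMAIN/name' -> 'SCOPE\name'.
        # An unresolved SID has a single path part and is returned as-is.
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] }
        else { $parts[-1] }
    }
}

$report = foreach ($c in $Computers) {
    try {
        foreach ($member in Get-LocalAdminMember -Computer $c) {
            [pscustomobject]@{
                Computer     = $c
                Member       = $member
                # -contains compares strings case-insensitively
                KeptByPolicy = $PolicyMembers -contains $member
            }
        }
    } catch {
        # Unreachable or access-denied machines are reported, not skipped silently.
        [pscustomobject]@{
            Computer     = $c
            Member       = "ERROR: $($_.Exception.Message)"
            KeptByPolicy = $false
        }
    }
}

# Members the policy list does not cover, per machine.
$report | Where-Object { -not $_.KeptByPolicy } | Format-Table -AutoSize

# Keep the full snapshot so memberships can be restored if needed.
$report | Export-Csv -Path .\local-admins-before-gpo.csv -NoTypeInformation
```

Run it with an account that can read the local groups on the target machines, and review the flagged rows before linking the GPO to the organizational unit.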