You can use Restricted Groups by either replacing current membership of the
local administrators group with a list of groups/users that you want to
enforce or use the "member of" option if using SP4 on Windows 2000. For that
create a global group and add domain members to the group. The member of
option will not replace current group membership. You can find restricted
groups in Group Policy/computer configuration/Windows settings/security
settings. For what you want to do this must be done at the OU level with the
computers you want to add the user/group into the OU, otherwise you run the
risk of adding that user/group to the administrators group for the domain.
Another option is a Group Policy "startup" script using the " net
localgroup" command to add a user/group to the local administrators group to
domain computers that are assigned the script. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;228496 ---
restricted groups.
