Centralizing service-account local admin rights: You must ensure certain domain service accounts are members of the Local Administrators group on many Windows 2000 Professional computers. What is the best centralized approach?

Difficulty: Medium

Correct Answer: Use an OU-linked Group Policy and configure Restricted Groups so the Local Administrators group on targeted computers contains the required service accounts

Explanation:


Introduction / Context:
Service accounts used by applications often need local administrative privileges on only a subset of machines. Manually adding them on each workstation is error-prone. Windows 2000 Group Policy provides a scalable way to enforce local group membership using the Restricted Groups setting.



Given Data / Assumptions:

  • Windows 2000 domain with many Windows 2000 Professional clients.
  • Specific domain accounts must be Local Administrators on designated machines only.
  • Computers can be organized into Organizational Units (OUs).


Concept / Approach:
Restricted Groups (Computer Configuration > Windows Settings > Security Settings > Restricted Groups) lets you define the exact membership of a local group on all computers within the scope of a GPO. Linking this GPO to the OU that contains only the target computers ensures scoped, centralized control without over-privileging.



Step-by-Step Solution:

  1. Place the target computers into a dedicated OU.
  2. Create a GPO linked to that OU and configure Restricted Groups for "Administrators".
  3. Add the required domain service accounts (or a domain global group) as members.
  4. Force a Group Policy update or wait for the refresh interval; verify membership on the clients.


Verification / Alternative check:
On a client, run "net localgroup administrators" to confirm the accounts were added, or use Resultant Set of Policy (RSoP) to validate application.



Why Other Options Are Wrong:

  • Adding to Domain Admins grants excessive rights everywhere.
  • Local GPO per computer does not centralize management.
  • A domain-level GPO would affect all domain computers, not just the intended subset.


Common Pitfalls:
Using the "Members of this group" list replaces existing members; include necessary defaults (e.g., Domain Admins) to avoid locking out support staff.
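As an added check that is not part of the original question or its explanation, the Python helper below covers both the verification step and the pitfall above: it parses the text output of "net localgroup administrators" and compares it with the membership the Restricted Groups policy should have produced, reporting required service accounts that are missing, default members the replacement removed, and anything unexpected. The sample output is constructed; the domain EXAMPLE and the account names are placeholders.

```python
"""Verify that a Restricted Groups policy produced the intended local
Administrators membership, from the output of `net localgroup administrators`."""

# Constructed sample output (not captured from a real host); the domain
# EXAMPLE and the account names are placeholders.
SAMPLE_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\\Domain Admins
EXAMPLE\\svc-backup
The command completed successfully.
"""


def parse_net_localgroup(output):
    """Return the member names listed by `net localgroup <group>`."""
    members, in_list = [], False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("----"):
            in_list = True          # the member list starts after the rule
            continue
        if in_list:
            if not stripped or stripped.startswith("The command completed"):
                break               # end of the list
            members.append(stripped)
    return members


def check_membership(members, required, protected):
    """Compare actual membership with what the GPO should have produced.

    required  - service accounts the Restricted Groups policy must add
    protected - default members that must survive, because "Members of
                this group" replaces the whole list
    Returns (missing_required, missing_protected, unexpected); names are
    compared case-insensitively, as Windows does.
    """
    actual = {m.lower() for m in members}
    expected = {m.lower() for m in required} | {m.lower() for m in protected}
    missing_required = sorted(m for m in required if m.lower() not in actual)
    missing_protected = sorted(m for m in protected if m.lower() not in actual)
    unexpected = sorted(m for m in members if m.lower() not in expected)
    return missing_required, missing_protected, unexpected
```

Run it against the real command output on a client after the policy refresh; a non-empty missing_protected list means the GPO's member list omitted a default and needs fixing before it reaches more machines.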



Final Answer:
Use an OU-linked Group Policy and configure Restricted Groups so the Local Administrators group on targeted computers contains the required service accounts
