1. Open Active Directory Users and Computers, choose Users and create a new group.
2. Name the group Local Admins so that it is easy to recognize what this group does.
3. Choose Add to add users. I have added John to this group. He is going to help users with ‘local’ issues on the workstations or laptops.
4. Open Group Policy Manager, right-click the ‘Group Policy Objects’ node and choose New. Give the new policy a name and click OK.
5. Right-click the policy you just made and choose Edit.
6. Browse to ‘Restricted Groups’, right-click and choose ‘Add Group’. Add the Local Admins security group you just created and click OK.
7. Now add the groups that this security group should be a member of: ‘Administrators’ and ‘Remote Desktop Users’.
8. Click OK and link the GPO to whatever OU you want. I would link it to the computers OU where your client computers live.

If that OU also contains servers and you want to prevent the Local Admins group from having permissions on those servers, I suggest you create a WMI filter to limit the scope of your policy.
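The scriptable parts of this procedure (group, membership, GPO, link) and a query for the WMI filter, as an added example that is not part of the original walkthrough. The account name `john`, the GPO name, the OU path and the WQL query are assumptions to adjust; the Restricted Groups entry is still added in the Group Policy editor as described.

```powershell
# Added example: run from a machine with RSAT (ActiveDirectory + GroupPolicy modules)
# using an account that is allowed to create groups and GPOs.
Import-Module ActiveDirectory, GroupPolicy

# Assumed values, not from the original page; adjust to your domain.
$GroupName = 'Local Admins'
$HelperSam = 'john'                             # assumed sAMAccountName for John
$GpoName   = 'Local Admins - Restricted Groups' # hypothetical GPO name
$ClientOU  = 'OU=Computers,DC=example,DC=com'   # placeholder OU with client computers

# Create the security group in the Users container if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security `
        -Path (Get-ADDomain).UsersContainer -PassThru
}

# Add the helper account only if it is not already a member.
if ($HelperSam -notin (Get-ADGroupMember -Identity $group).SamAccountName) {
    Add-ADGroupMember -Identity $group -Members $HelperSam
}

# Create the GPO. It is empty until the Restricted Groups entry is added in the
# editor, so an empty linked GPO applies no settings.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Link the GPO to the client OU unless a link already exists.
$linked = (Get-GPInheritance -Target $ClientOU).GpoLinks.DisplayName
if ($GpoName -notin $linked) {
    New-GPLink -Name $GpoName -Target $ClientOU -LinkEnabled Yes | Out-Null
}

# Query for the WMI filter: ProductType 1 = workstation, 2 = domain controller,
# 3 = member server. Create the filter in the GPMC 'WMI Filters' node with this
# query and attach it to the GPO so servers in the same OU are skipped.
$Wql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'

# Evaluate the query on the current machine to see whether the filter would match it.
$isClient = [bool](Get-CimInstance -Query $Wql)

[pscustomobject]@{
    Group              = $group.Name
    GroupSid           = $group.SID.Value
    Gpo                = $gpo.DisplayName
    LinkedTo           = $ClientOU
    FilterMatchesLocal = $isClient
}
```

Running the `Get-CimInstance -Query $Wql` line on a workstation and on a server in the OU confirms the filter behaves as intended before it is attached to the policy.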