I need to implement a few restricted groups in my org. My question is where should I add the restricted groups within Active Directroy. For example I want to create a restricted group for Domain Admins. Should I just assign the group to the Domain Controllers OU or should I go ahead and place it at the domain level. I am wondering how this would effect workstations since there is not a local domain admin group on workstations. Has anyone had any experience with this?


Thanks!