I understand they are separate. We want to give a domain user who is part of a domain group access to the power users group. So, under power users, we'd add: COMPANY\TECHS. We'd of course have to authenticate. (because we're logged in as a local admin, not a domain user). like this: net localgroup "Power Users" "DOMAIN1\GROUP1" /add but somehow, authenticate against the AD