You can use Group Policy to add Active Directory users and groups to the local administrator group on domain-based servers and workstations. This allows you to assign local administrator rights for domain computers to help desk staff, help desk teams, specific users, or other privileged accounts. In this article, we show you how to manage local administrator group members on domain computers using group policy.

Group of local administrators in an active directory domain

When a computer joins an AD domain, the Domain Admins group is automatically added to the Local Admins group and the Domain Users group is automatically added to the Local Users group.

The easiest way to grant local administrator privileges on a computer is to add a user or group to the local administrator security group through the Local Users and Groups snap-in (lusrmgr.msc). However, this method is inconvenient if you have many computers, and it can let unwanted people join the privileged group after a while. If you use this method to grant local privileges, it is impractical to control local administrator group members on every computer in the domain.

Microsoft recommends that you use the following groups to separate administrative permissions in an AD :

  1. Domain management is used only on domain controllers; from the security point of view of privileged administrator accounts, it is not recommended to perform daily management tasks on workstations and servers under a domain administrator account. These accounts should only be used for AD management (adding new domain controllers, replication management, changing the Active Directory schema, etc.). Most user, computer, or GPO management tasks should be delegated to regular administrator accounts (not domain administrators). Do not use domain administrator accounts to log on to workstations or servers that are not domain controllers.
  2. Server administrators are a group you can use to manage domain members’ servers. You do not need to be a member of the domain administrator group or local administrator group on your ;
  3. Workstation Admins is a group responsible only for administrative tasks on workstations. Cannot be a member of the “Domain Admins” and “Server Admins” groups;
  4. Domain users are ordinary user accounts for typical office use. They do not need to have administrator privileges on servers or workstations.

You can also specify that users or domain groups will not have administrator privileges. In this case, the integrated account of the local administrator with a password stored in AD (based on LAPS) is used to perform administrative tasks on the workstations.

Suppose you want to give the technical support group and HelpDesk staff local administrator rights on the computers of a particular OU. Using PowerShell, create a new security group in your domain and add HelpDesk accounts to it:

New-ADGroup WorkStationAdmins – Path ‘OU=Groups,DC=contros,DC=com’ -GroupScope Global -PassThruAdd-AdGroupMember -Identity WorkStationAdmins -Members john.smith,jane.doe

Open the Group Policy Management Console for the domain (GPMC.msc), create a new AddLocaAdmins GPO and associate it with the OU that contains the computers (in my example it is ‘OU=Computers,DC=contoso,DC=com’).

The AD group policy provides two ways to manage local groups on the domain computers. Let’s look at them one by one:

  • Managing local groups with group policy preferences ;
  • Limited groups.

How can I create domain users with GPO rights from local administrators?

Group Policy Preferences (GPOs) are the most flexible and convenient way to assign local administrator rights to domain computers using GPOs.

  1. Open the previously created AddLocaAdmins-OOP in edit mode ;
  2. Go to the following section of the GPO: Computer Configuration -> Settings -> Control Panel Settings -> Local Users and Groups ;
  3. Add a new rule (New -> Local Group) ;
  4. In the Action field, select Update ;
  5. From the Group Name drop-down list, select Administrators (Embedded). Even if this group is renamed on the computer, the settings are applied to the local administrator group via its SID – S-1-5-32-544 ;
  6. Click Add and select the groups you want to add to the local administrator group. To remove users and groups that you have manually added to the current local administrator group, enable the Delete All Users and Delete All Groups options. In most cases, this is useful because it ensures that only assigned domain groups have administrator privileges on your domain computers. If you then manually add a user to the administrator group using the Local Users and Groups snapshot, the user is automatically removed the next time you apply the policy.
  7. Save the policy and wait for it to be applied to the workstation. If you want to enforce the policy immediately, run the gpupdate /force command on the user’s computer;
  8. Open the snap-in lusrmgr.msc on any computer and check the members of the local administrator group. Only the WorkStationAdmins group is added to this group, while other users and groups are removed. You can view the list of local administrators with the following command: net localgroup Administrators

If the policy has not been applied to the domain computer, use the gpresult command to determine the problem. Also, make sure the computer is in the OU to which the GPO is attached and check the recommendations in the “Group Policy Objects Do Not Apply to Computers” message.

You can configure additional (granular) conditions to target policies to specific computers using GPO’s WMI filters or item-level targeting.

In the second case, click on the “General” tab and check “Targeting” on the item level. Click on “Targeting.” Here you can specify the application terms of the policy. For example, I want the policy in the Add Administrators group to apply only to Windows 10 computers whose NetBIOS/DNS names do not have adm. You can use your own custom filtering options.

Adding individual user accounts to this policy is not recommended. It is preferable to use domain security groups. In this case, you only need to add them to a domain group to grant administrator rights to another support staff member (you do not need to change the GPO).

Manage local administrator groups with restricted groups

Restricted group policy also allows you to add domain/user groups to the local security group on computers. This is an older method of assigning local administrator rights that is less used today (it is less flexible than the method of setting group policies).

  1. Open the GPO in edit mode ;
  2. Expand Computer Configuration -> Policies -> Security Settings -> Restricted Groups ;
  3. Select Add Group from the context menu ;
  4. In the next window, enter Administration and click OK ;
  5. In the Members of this group section, click the Add button and specify the group you want to add to the local administrators ;
  6. Save the changes, apply the policy to the users’ computers, and check the local administrator group. It should contain only the group you specified in the policy.

This policy always removes all other members of the local administrator group (whether added manually or by other policies or scripts). If multiple policies with restricted group settings are active for a computer, only the last one applies. You can get around this restriction by first adding the WorkStationAdmins group to the Restricted Groups group and then adding this group to the Administrators group.

Using a GPO to add a single user to the local administrator group on a specific computer

Sometimes it is necessary to grant administrative privileges to only one user on a particular computer. For example, you have several developers who sometimes need high privileges to test, debug, or install drivers on their computers. It is not recommended that you add them to the Workstation Admin group on all computers.

You can use the following scheme to assign local administrator rights on a specific computer:

Directly in the GPO Settings section (Computer Configuration -> Settings -> Control Panel Settings -> Local Users and Groups) of the AddLocalAdmins policy created earlier, create a new entry for the Administrators group with the following settings :

  • Action: Update.
  • Group name: Drivers (integrated)
  • Description: “Add John.smith to the local administrators on the dev-wks-01 computer.
  • Members: Add -> John. Smith
  • In the General -> Addressing tab, specify the following line: “The name of the NETBIOS computer is dev-wks-01”. This means that this policy applies only to the computer specified here.

Also note the order in which the groups are applied to the computer (the SPM Order column). The settings for the local groups are applied from top to bottom (starting with political order 1).

The first GPP policy (with the “Delete All Users” and “Delete All User Groups” settings as described above) removes all users/groups from the local administrator groups and adds the specified domain group. Additional IT policies are then applied, adding the specified user to the local administrators. If you want to change the order of administrator group membership, use the buttons at the top of the GPO Editor console.

Frequently asked questions

How do I add a domain user to the local administrator group using group policy?

Open the GPO and go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups. Right click and select Add Group. If you want to add users to the local administrator group, go to Administration.

How do I add a user to the local administrator group?

Go to Start Runtime and type “compmgmt. msc” (without the quotes) and click OK. The Computer Management window opens, where you expand Local Users and Groups, click Groups, and then double-click Administrators on the right side of the screen. In the Administrator Properties window, click Add.

Does the group policy apply to the local user?

2 Answers. The GPO has a computer part and a user part that correspond to the security filtering boundaries of the GPO and is associated with the corresponding OR. So, if the computer is actually connected to the domain, all relevant GPOs will be applied regardless of the user logged in, even for local users.

laps create local admin account,create local user gpo,add domain user to local admin cmd,builtin\administrators,restrict local administrators group policy,add domain user to local admin powershell,workstation administrators group,add user to local administrators group,how to add domain user as local admin gpo,add local user to administrator group via gpo,windows 10 add local admin gpo,gpo computer administrator,gpo add user to remote desktop group,gpo create local group,active directory user local administrator,create local user from group policy,group policy add domain users,domain admin local administrators group,gpo add current user to local admin group,local machine administrator group,create local admin account in ad,active directory admin rights,add users to local administrators group,group policy local users and groups,how to create a group in group policy,add user to group by gpo,gpo add computer to domain group,domain users in local users group,“group policy” add user to security group,what is the function of secpol msc,how to add user to local admin group cmd,add user to local administrators group gpo preferences,remove users from local administrators group gpo,group policy restricted groups local administrators,create local administrator account through group policy server 2016,add domain users to local administrators group gpo,how to grant local admin rights to domain users via group policy,gpo add user to local group