In this post, I will show you how to add a user to the Local Administrators Group on Windows 10/11 devices using Group Policy Objects (GPO). It’s important to note that this procedure is not limited to adding a user to the local Administrators group; you can also use the process to rename, create, or delete a Local Group by selecting a different action in the GPO setting.
For this demonstration, we will choose the Update Action, as we are updating the Local Administrators Group. To accomplish this task, we will be utilizing Group Policy Preferences (GPP).
While the Restricted Groups GPO setting is another option, it’s worth noting that it does not allow for the addition of users to Local Groups. To achieve the task of adding a user to local groups, the recommended approach involves using the Local Users and Groups feature within Group Policy Preferences (GPP). It’s important to highlight that utilizing this method will not impact existing group memberships.
Location of Group Policy Setting
We will configure a group policy setting which can be located at the following path.
Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
Steps to Add An AD User to Local Admin Group
The current local Administrators group appears as follows. We will now add a user named “InstaITadmin” to this Administrators group. Let’s go through the steps:
- Log in to a domain controller using domain admin rights.
- Press Windows + R to open the Run dialog box.
- Type gpmc.msc and press Enter to open the Group Policy Management Console.
- Type the Name of the GPO and press the OK button.
- Right-click on the Local Administrator Policy and click on Edit.
- Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups. Right-click on it and select New > Local Group.
- Select Action: Update
- Group Name: Administrators (built-in)
Note: Select a different group if you’re adding an Active Directory user to any other group. In our case, as we’re adding the AD user INSTAIT\InstaITadmin to the Local Administrator Group, choose Administrators (built-in).
- Once Administrators (built-in) has been selected, navigate to the Members section, and click Add to include the AD user (the user account you intend to add to the local administrator group).
- As illustrated, the AD group has been added to the members section. Click OK to save the policy setting.
- As depicted here, the setting has been configured.
- Now, it’s time to link the GPO to the Workstation Organizational Unit (OU) where you have all your Windows 10, 8.1, or Windows 7 machines.
- If you wish to test the policy first, you can create a separate OU, move test machines to this OU, block inheritance, and apply this policy to test on a couple of machines before rolling it out to all the machines.
- On the next screen, choose GPO, then select the specific GPO to link it to the Workstation OU.
- Our policy, “Local Administrator Policy”, has been successfully linked to the “Workstations OU”.
- On the Windows client PC, open Command Prompt and type gpupdate /force, then press Enter to apply the Local Administrator Policy.
- The account INSTAIT\InstaITadmin has been successfully added to the local Administrators group on my Windows 10 using the “Local Administrator Policy”.
- To confirm whether our policy is being applied to the workstation, open Command Prompt as an Administrator and run the highlighted command: GPRESULT.
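To check the result of the steps above from the client side, the following PowerShell audits the local Administrators group against an allowlist after gpupdate /force has run. This is an added example, not part of the original post; the function name Get-AdminGroupDrift and the INSTAIT\Domain Admins allowlist entry are assumptions, so adjust the list to what your environment should contain.

```powershell
# Added example: run in an elevated PowerShell session on the Windows client.
# Assumption: the allowlist below; only INSTAIT\InstaITadmin comes from this post.
$Expected = @(
    'INSTAIT\InstaITadmin',     # account added by the GPP Local Group item
    'INSTAIT\Domain Admins'     # assumption: present since the machine joined the domain
)

function Get-AdminGroupDrift {
    param([string[]]$Allowed)
    try {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
        # so this works even where the group name is localized.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        # The cmdlet can fail when the group holds unresolved (orphaned) SIDs.
        Write-Warning "Could not enumerate members: $($_.Exception.Message)"
        return
    }
    foreach ($m in $members) {
        # RID 500 on a local account is the built-in Administrator, even if renamed.
        $isBuiltinAdmin = $m.PrincipalSource -eq 'Local' -and $m.SID.Value -match '-500$'
        [pscustomobject]@{
            Name     = $m.Name
            Class    = $m.ObjectClass
            Source   = $m.PrincipalSource
            Expected = $isBuiltinAdmin -or ($Allowed -contains $m.Name)
        }
    }
}

$report = @(Get-AdminGroupDrift -Allowed $Expected)
$report | Format-Table -AutoSize

# Accounts the policy should have added but that are not members yet.
$missing = $Expected | Where-Object { $report.Name -notcontains $_ }
if ($missing) { Write-Warning "Not in local Administrators: $($missing -join ', ')" }

# Members that are neither allowlisted nor the built-in Administrator.
$unexpected = $report | Where-Object { -not $_.Expected }
if ($unexpected) { Write-Warning "Unexpected members: $($unexpected.Name -join ', ')" }
```

Because the Update action leaves existing memberships in place, any unexpected members reported here predate the policy and need to be reviewed separately.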