In this post, I will show you how to add a user to the Local Administrators Group on Windows 10/11 devices using Group Policy Objects (GPO). It’s important to note that this procedure is not limited to adding a user to the local Administrators group; you can also use the process to rename, create, or delete a Local Group by selecting a different action in the GPO setting.
For this demonstration, we will choose the Update Action, as we are updating the Local Administrators Group. To accomplish this task, we will be utilizing Group Policy Preferences (GPP).
While the Restricted Groups GPO setting is another option, it’s worth noting that it does not allow for the addition of users to Local Groups. To achieve the task of adding a user to local groups, the recommended approach involves using the Local Users and Groups feature within Group Policy Preferences (GPP). It’s important to highlight that utilizing this method will not impact existing group memberships.
Location of Group Policy Setting
We will configure a group policy setting which can be located at the following path.
Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
Steps to Add An AD User to Local Admin Group
The current Local Administrator group appears as follows. We will now add a user named “InstaITadmin” to this administrator’s group. Let’s check the steps:
- Log in to a domain controller with domain admin rights.
- Press Windows + R to open the Run dialog box.
- Type gpmc.msc and press Enter to open the Group Policy Management Console.
- Create a new GPO: type the name of the GPO (here, Local Administrator Policy) and press the OK button.
- Right-click on the Local Administrator Policy and click on Edit.
- Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups. Right-click on it and select New > Local Group.
- Select Action: Update
- Group Name: Administrators (built-in)
Note: Select a different group if you’re adding an Active Directory user to any other group. In our case, as we’re adding the AD user INSTAIT\InstaITadmin to the Local Administrators group, choose Administrators (built-in).
- Once Administrators (built-in) has been selected, navigate to the Members section, and click Add to include the AD user (the user account you intend to add to the local administrator group).
- As illustrated, the AD user has been added to the Members section. Click OK to save the policy setting.
- As depicted here, the setting has been configured.
- Now, it’s time to link the GPO to the Workstation Organizational Unit (OU) where you have all your Windows 10, 8.1, or Windows 7 machines.
- If you wish to test the policy first, you can create a separate OU, move test machines to this OU, block inheritance, and apply this policy to test on a couple of machines before rolling it out to all the machines.
- On the next screen, choose the GPO you created, then select it to link it to the Workstations OU.
- Our policy, “Local Administrator Policy”, has been successfully linked to the “Workstations OU”.
- On the Windows client PC, open Command Prompt and type gpupdate /force, then press Enter to apply the Local Administrator Policy.
- The account INSTAIT\InstaITadmin has been successfully added to the local Administrators group on my Windows 10 machine using the “Local Administrator Policy”.
- To confirm whether our policy is being applied to the workstation, open Command Prompt as an Administrator and run the highlighted command: GPRESULT (for example, gpresult /r lists the applied GPOs).
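Because the GPP item uses the Update action, it adds INSTAIT\InstaITadmin but never removes anyone else, so membership can drift over time. The following script is an added example, not code from the original post: run in an elevated PowerShell on a workstation, it confirms the “Local Administrator Policy” GPO was applied and compares the local Administrators group against an expected list. The GPO name, domain and user are the ones used in the post; the expected-member list is an assumption you adjust for your environment.

```powershell
# Added example (not from the original post): verify that the GPO applied and
# that the local Administrators group contains exactly the expected members.
# Run in an elevated PowerShell 5.1+ session on a domain-joined workstation.

$GpoName         = 'Local Administrator Policy'
$ExpectedMembers = @(                       # assumed allowlist; adjust as needed
    'INSTAIT\InstaITadmin',                 # the AD user added by the GPP item
    'INSTAIT\Domain Admins',                # default member on domain-joined PCs
    "$env:COMPUTERNAME\Administrator"       # built-in local Administrator account
)

# 1. Refresh computer policy and check that the GPO shows up as applied.
gpupdate /target:computer /force | Out-Null
$rsop    = gpresult /r /scope:computer
$applied = ($rsop -join "`n") -match [regex]::Escape($GpoName)
if ($applied) { Write-Host "GPO '$GpoName' is applied to this computer." }
else          { Write-Warning "GPO '$GpoName' is not listed as applied; check the OU link." }

# 2. Read the current membership. Get-LocalGroupMember throws when the group
#    holds orphaned SIDs (deleted domain accounts), so fall back to net.exe.
try {
    $actual = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
} catch {
    $actual = (net localgroup Administrators) |
        Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
}

# 3. Report drift in both directions (comparisons are case-insensitive).
$missing    = $ExpectedMembers | Where-Object { $actual -notcontains $_ }
$unexpected = $actual          | Where-Object { $ExpectedMembers -notcontains $_ }

if ($missing)    { Write-Warning "Missing from Administrators: $($missing -join ', ')" }
if ($unexpected) { Write-Warning "Unexpected Administrators members: $($unexpected -join ', ')" }
if (-not $missing -and -not $unexpected) {
    Write-Host 'Administrators membership matches the expected list.'
}
```

An “unexpected member” warning is the interesting result: it shows an account that the GPO did not put there (or that a Remove action has not yet cleaned up), which is exactly what the Update action leaves behind.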
To be honest, this isn’t the best method to implement this.
The reason is that when you do things via preferences versus policy, they are “tattooed”, so to speak. Policy is dynamic, meaning when you update that policy, it gets updated during the next gpupdate. If the GPO with the policy linked to a particular OU goes away, the systems in that OU will no longer have those policy settings.
On the other hand, when you use preferences, those permanently affect a system, even if you unlink or otherwise remove the GPO.
A better way to go about this would be to go through Policy -> Windows Settings -> Security Settings -> Restricted Groups, then just add BUILTIN\Administrators.
Yes, correct. Thanks for the insight, CatsAndIT. When using GPP and deleting a member from the Administrators group (which we added using the Local Administrator Policy), another GPO will be required to remove members, just changing the Action from ADD to REMOVE. However, using Restricted Groups can simplify management and make it a bit easier. You can add a security group, e.g. Techpress\WKSAdmins, to the BUILTIN\Administrators group.
Here is a screenshot of a GPO setting for removing a user added to Local Admin Group:
I want to implement this Local Admin GPO for one user per PC.
For example, if a test user logs in to test PC1, then he is Admin only on that PC.
If test user 2 logs in to the same PC1, then he should not have Admin. Please suggest if I can implement such a policy.
It’s a bit tricky but still possible to do that. You can create a group for each PC and add it to a security group called Workstations Admins. Use Restricted Groups to add the Workstations Admins security group to the local Administrators group of each PC. Once the above is done, just add the user to their respective PC by checking the name of the PC. But it’s difficult to manage if there are hundreds of PCs and then hundreds of security groups.
The second option is to use a script like the ones in the links I shared below. I haven’t tested it yet, but let me know if it works, or the other solutions. This lets you set an attribute in AD and use a startup script to assign local admin. This feels like a much better solution than the previous one. I hope this will help you.
Script1:
So to make someone a local admin on just one machine, I just have to add this computer’s name to the user’s Description in AD and ask user to reboot, and removing the computer’s name removes the local admin rights.
Script2:
Local admin rights to specific machines
Or implement LAPS
LAPS Download and Information Location
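The “computer name in the user’s Description attribute plus a startup script” approach from the reply above, written out as an added example. This is not the script behind the Script1/Script2 links and has not been taken from them; it assumes it runs as SYSTEM from Computer Configuration > Windows Settings > Scripts > Startup on a domain-joined machine, and that the Description field lists computer names separated by commas, semicolons or spaces. Users whose Description names this computer are added to Administrators; domain user accounts that no longer name it are removed, while groups (Domain Admins, a Workstations Admins group) and local accounts are never touched.

```powershell
# Added example (not the linked script): startup script that grants local admin
# to AD users whose Description lists this computer, and revokes it for domain
# user accounts that no longer do. Assumes it runs as SYSTEM on a domain member.

$computerName = $env:COMPUTERNAME

# Broad LDAP pre-filter, then an exact token match so "PC1" does not match "PC10".
$searcher = [ADSISearcher]"(&(objectCategory=person)(objectClass=user)(description=*$computerName*))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'description', 'objectsid'))

$desiredSids = @()   # SID strings of users who should be local admins here
foreach ($r in $searcher.FindAll()) {
    $desc   = [string]$r.Properties['description'][0]
    $tokens = ($desc -split '[,;\s]+') | Where-Object { $_ }
    if ($tokens -contains $computerName) {          # -contains is case-insensitive
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
                   $r.Properties['objectsid'][0], 0)
        $desiredSids += $sid.Value
    }
}

# Current membership; only domain *user* principals are removal candidates.
$members     = Get-LocalGroupMember -Group 'Administrators'
$currentSids = $members | ForEach-Object { $_.SID.Value }
$domainUsers = $members | Where-Object {
    $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'User'
}

foreach ($sidValue in $desiredSids) {
    if ($currentSids -notcontains $sidValue) {
        Add-LocalGroupMember -Group 'Administrators' `
            -Member ([System.Security.Principal.SecurityIdentifier]$sidValue)
        Write-Output "Added $sidValue to Administrators"
    }
}
foreach ($m in $domainUsers) {
    if ($desiredSids -notcontains $m.SID.Value) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.SID
        Write-Output "Removed $($m.Name) from Administrators"
    }
}
```

Members are handled by SID rather than by DOMAIN\name so the script does not depend on resolving the NetBIOS domain name under the SYSTEM account. The removal loop is deliberately narrow: it only ever drops domain user accounts, so a group pushed through Restricted Groups or the GPP item described in the post stays in place even if the Description convention is applied inconsistently.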