In this post, I will show you how to add a user to the Local Administrators Group on the machines using GPO. Point to note that this procedure is not limited to adding a user to local Administrators group. You can use the process to rename, create or delete a Local Group (by selecting different Action in the GPO setting). We will choose Update Action as we are updating Local Administrators Group. We will be using Group Policy Preferences (GPP) to complete this task.
You can use Restricted Groups GPO setting as well, but using Restricted Groups you cannot add users to the Local Groups. For adding a user to the local groups, you have to use Local Users and Groups in Group Policy Preferences (GPP). Existing Group Membership will not be affected.
GPO Setting location:
Computer Configuration – Preferences – Control Panel Settings – Local Users and Groups
This is how the Local Administrators group looks like on one of the Windows 10 machine before we create and apply our new GPO.
On your Active Directory Domain Controller or the machine where you have Group Policy Management Console Installed. Go to Start -> Run -> Type gpmc.msc and Press Enter to open the GPMC console.
Right Click Group Policy Objects and Select New
Enter the Name of the new Group Policy e.g. “Local Administrator Policy“
Once GPO is created, Right click on the GPO and Click on Edit
On Group Policy Management Editor of this Policy. Go to Computer Configuration- > Preferences -> Control Panel Settings -> Local Users and Groups -> Select New -> Local Group
Select Action: Update and Group Name to Administrators (built-in). Choose a different Group if you would like to add an AD user to any other group. In our case as we are adding AD User INSTAIT\InstaITadmin to Local Administrator Group, we will choose Administrators (built-in)
Once Administrator (built-in) has been selected. Go to Members: section and click Add to add the AD user (whom you want to add into the local administrator group via this GPO on your workstations)
As you can see, The AD group is added to the members section. click OK to Save the Policy Setting.
As you can see here, the Setting has been configured.
Now, Time to Link the GPO to Workstation OU (where you have all your Windows 10 or 8.1 or Win 7 machines). Now, if you want to test the policy first then you can create a separate OU and move test machines to this OU, Block Inheritance and Apply this policy to test on couple of machines first before rolling out to all the machines.
Next Screen, Select GPO -> Select the GPO to Link to Workstations OU
Our Policy “Local Administrator Policy” has been successfully linked to Workstations OU
On Windows Client PC -> Open Command Prompt and type gpupdate /force and Press Enter to apply the Local Administrator Policy
Voila! ???? INSTAIT\InstaITadmin account has been added to the local Administrators Group on my Windows 10 machine using “Local Administrator Policy“
To Confirm if our policy is getting applied on the Workstation. Open Command Prompt as Administrator and then run the highlighted Command. GPRESULT
As you can see that “Local Administrator Policy” is applied on our workstation.