Add an Active Directory user to the Local Administrators Group using Group Policy (GPO)


In this post, I will show you how to add a user to the local Administrators group on domain-joined machines using a GPO. Note that this procedure is not limited to adding a user to the local Administrators group: the same Group Policy Preferences (GPP) item can rename, create or delete a local group by selecting a different Action in the GPO setting. We will choose the Update action because we are updating the existing local Administrators group.

You can use the Restricted Groups GPO setting as well, but Restricted Groups enforces the whole membership list rather than adding a single user to an existing local group. To add a user to a local group while leaving the current members in place, use Local Users and Groups under Group Policy Preferences (GPP) with the Update action; existing group membership is not affected.


GPO Setting location:

Computer Configuration – Preferences – Control Panel Settings – Local Users and Groups

Let's begin!

This is what the local Administrators group looks like on one of the Windows 10 machines before we create and apply our new GPO.

Add an Active Directory user to the Local Administrators Group

On your Active Directory domain controller, or on a machine where the Group Policy Management Console is installed, go to Start -> Run, type gpmc.msc and press Enter to open the GPMC console.


Right-click Group Policy Objects and select New.


Enter the name of the new Group Policy, e.g. “Local Administrator Policy”.


Once the GPO is created, right-click it and click Edit.


In the Group Policy Management Editor for this policy, go to Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups, then select New -> Local Group.


Set Action to Update and Group name to Administrators (built-in). Choose a different group if you want to add an AD user to another local group. In our case we are adding the AD user INSTAIT\InstaITadmin to the local Administrators group, so we choose Administrators (built-in).


Once Administrators (built-in) has been selected, go to the Members section and click Add to add the AD user you want this GPO to place in the local Administrators group on your workstations.


As you can see, the AD account is now listed in the Members section. Click OK to save the policy setting.


As you can see here, the setting has been configured.


Now it is time to link the GPO to the Workstations OU (where all your Windows 10, 8.1 or 7 machines live). If you want to test the policy first, create a separate OU, move a couple of test machines into it, block inheritance on it and link this policy there, so you can verify the result on those machines before rolling it out to everything.


On the next screen, choose Link an Existing GPO and select the GPO to link to the Workstations OU.


Our policy “Local Administrator Policy” has been successfully linked to the Workstations OU.
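The create-and-link steps above, plus the staged rollout through a test OU, can also be scripted with the GroupPolicy RSAT module. The following is an added example and not code from the original post; the OU distinguished names and the domain name instait.local are assumptions. There is no cmdlet for the Local Users and Groups preference item itself, so that part is still configured in the GPMC editor as shown above.

```powershell
# Added example, not code from the original post. Creates the GPO from the post
# and links it first to a pilot OU (with inheritance blocked, as the post
# suggests) and only then to the Workstations OU. The OU DNs and the domain
# instait.local are assumptions for this example.

Import-Module GroupPolicy

$gpoName = 'Local Administrator Policy'
$testOu  = 'OU=GPO-Test,OU=Workstations,DC=instait,DC=local'   # assumed pilot OU
$prodOu  = 'OU=Workstations,DC=instait,DC=local'               # assumed production OU

# Create the GPO only if it does not exist yet, so the script can be re-run safely.
try {
    $gpo = Get-GPO -Name $gpoName -ErrorAction Stop
} catch {
    $gpo = New-GPO -Name $gpoName -Comment 'Adds INSTAIT\InstaITadmin to local Administrators via GPP'
}

function Test-GPLinked {
    # True when a GPO with this display name is already linked to the OU.
    param([string]$OuDn, [string]$Name)
    $links = (Get-GPInheritance -Target $OuDn).GpoLinks
    return [bool]($links | Where-Object { $_.DisplayName -eq $Name })
}

# Stage 1: pilot. Block inheritance so the test machines only get this GPO
# (and nothing inherited from parent OUs), then link it.
Set-GPInheritance -Target $testOu -IsBlocked Yes | Out-Null
if (-not (Test-GPLinked -OuDn $testOu -Name $gpoName)) {
    New-GPLink -Name $gpoName -Target $testOu -LinkEnabled Yes | Out-Null
}
Write-Host "Linked '$gpoName' to pilot OU $testOu. Move a couple of test machines there, run gpupdate /force on them and check the Administrators group before going further."

# Stage 2: production. Call this once the pilot machines look right.
function Publish-ToWorkstations {
    if (-not (Test-GPLinked -OuDn $prodOu -Name $gpoName)) {
        New-GPLink -Name $gpoName -Target $prodOu -LinkEnabled Yes | Out-Null
    }
    # Drop the pilot link once the production link is in place.
    if (Test-GPLinked -OuDn $testOu -Name $gpoName) {
        Remove-GPLink -Name $gpoName -Target $testOu | Out-Null
    }
    Write-Host "'$gpoName' is now linked to $prodOu"
}
```

Run the script once to create the GPO and the pilot link, configure the preference item in the editor, validate on the pilot machines, and then call Publish-ToWorkstations from the same session to move the link to the production OU.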


On the Windows client PC, open a Command Prompt, type gpupdate /force and press Enter to apply the Local Administrator Policy.


Voila! The INSTAIT\InstaITadmin account has been added to the local Administrators group on my Windows 10 machine by the “Local Administrator Policy”.


To confirm that our policy is being applied on the workstation, open a Command Prompt as Administrator and run the highlighted command: GPRESULT.


As you can see, “Local Administrator Policy” is applied on our workstation.
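The two checks just shown (GPRESULT for the applied policy, the Administrators group for the new member) can be done in one pass from an elevated PowerShell prompt. This is an added example and not code from the original post; the policy name, the INSTAIT domain and the InstaITadmin account are the post's own values, while the allow-list of expected members is an assumption for the example.

```powershell
# Added example, not code from the original post. Run on a workstation from an
# elevated PowerShell prompt (gpresult /scope:computer needs it): confirms the
# GPO applied and that the local Administrators group holds only the accounts
# we expect. The allow-list below is an assumption for this example.

$PolicyName    = 'Local Administrator Policy'
$DomainNetbios = 'INSTAIT'
$ExpectedAdmin = "$DomainNetbios\InstaITadmin"

# Accounts that are legitimately in Administrators on every domain member:
# the built-in local Administrator and the domain's Domain Admins group.
$allowed = @(
    "$env:COMPUTERNAME\Administrator",
    "$DomainNetbios\Domain Admins",
    $ExpectedAdmin
)

function Test-PolicyApplied {
    param([string]$Name)
    # gpresult /r lists applied computer GPOs by display name; a hit means the
    # OU link, security filtering and WMI filtering all let the GPO through.
    $rsop = & gpresult.exe /r /scope:computer 2>&1
    return [bool]($rsop | Where-Object { $_ -match [regex]::Escape($Name) })
}

function Get-LocalAdminNames {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
}

function Get-UnexpectedAdmins {
    param([string[]]$AllowList)
    Get-LocalAdminNames | Where-Object { $AllowList -notcontains $_ }
}

if (Test-PolicyApplied -Name $PolicyName) {
    Write-Host "[OK]  '$PolicyName' is among the applied computer GPOs"
} else {
    Write-Warning "'$PolicyName' missing from gpresult; check the OU link and filtering, then run gpupdate /force"
}

if ((Get-LocalAdminNames) -contains $ExpectedAdmin) {
    Write-Host "[OK]  $ExpectedAdmin is in the local Administrators group"
} else {
    Write-Warning "$ExpectedAdmin is not in Administrators; the preference item did not apply"
}

# Anything outside the allow-list deserves a look: an admin added by hand,
# by another GPO, or by something that should not be there at all.
foreach ($m in (Get-UnexpectedAdmins -AllowList $allowed)) {
    Write-Warning "Unexpected member of Administrators: $m"
}
```

One caveat for the membership check: on some Windows 10 builds Get-LocalGroupMember throws an error when the group contains an orphaned SID (an account that was deleted); if you hit that, `net localgroup Administrators` still lists the members and can be parsed instead.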

4 thoughts on “Add an Active Directory user to the Local Administrators Group using Group Policy (GPO)”

  1. To be honest, this isn’t the best method to implement this.

    The reason is that when you do things via preferences rather than policy, they are “tattooed”, so to speak. Policy is dynamic, meaning when you update that policy, it gets updated during the next gpupdate. If the GPO with the policy linked to a particular OU goes away, the systems in that OU will no longer have those policy settings.

    On the other hand, when you use preferences, those permanently affect a system, even if you unlink or otherwise remove the GPO.

    A better way to go about this would be go through Policy -> Windows Settings -> Security Settings -> Restricted Groups, then just add BUILTIN\Administrators.

    • Yes, correct. Thanks for the insight CatsAndIT. When using GPP and deleting a member from the Administrators group (which we added using Local Administrator Policy), another GPO will be required to remove members, just changing the Action from ADD to REMOVE. However, using Restricted Groups can simplify management and make it a bit easier. You can add a security group, e.g. Techpress\WKSAdmins, and add it to the BUILTIN\Administrators group.

      Here is a screenshot of a GPO setting for removing a user added to Local Admin Group:

  2. I want to implement this Local Admin GPO for one user per PC.

    Like if a test user logs in to test PC1, then he is Admin only on that PC.
    If test user 2 logs in to the same PC1, then he should not have Admin. Please suggest if I can implement such a policy.

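The first comment thread above contrasts the GPP Local Users and Groups item (which persists on the machine after the GPO is unlinked, and needs a second item with the REMOVE action to undo) with Restricted Groups (which enforces the member list from policy). Before unlinking or replacing either kind, it helps to know every GPO in the domain that touches local group membership. The script below is an added example, not code from the post or its commenters: it reads each GPO's computer-side Groups.xml (GPP items) and GptTmpl.inf (Restricted Groups) from SYSVOL and reports what they do. It assumes the GroupPolicy RSAT module, read access to SYSVOL and the standard SYSVOL folder layout; the report columns are this example's own choice.

```powershell
# Added example, not code from the post or its commenters. Audits every GPO in
# the domain for settings that change local group membership: GPP "Local Users
# and Groups" items (Groups.xml) and Restricted Groups entries (GptTmpl.inf).
# Assumes the GroupPolicy RSAT module and read access to SYSVOL.

Import-Module GroupPolicy

# Action codes as stored in the GPP Groups.xml "action" attribute.
$gppAction = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

function Get-GpoSysvolPath {
    param($Gpo)
    "\\$($Gpo.DomainName)\SYSVOL\$($Gpo.DomainName)\Policies\{$($Gpo.Id)}"
}

function Get-GppLocalGroupItems {
    param($Gpo)
    # Computer-side preference items only; user-side ones live under User\Preferences.
    $path = Join-Path (Get-GpoSysvolPath $Gpo) 'Machine\Preferences\Groups\Groups.xml'
    if (-not (Test-Path $path)) { return }
    [xml]$xml = Get-Content -Path $path
    foreach ($g in $xml.Groups.Group) {
        $p = $g.Properties
        # Each member carries its own ADD or REMOVE action.
        $members = foreach ($m in $p.Members.Member) { "$($m.action) $($m.name)" }
        $flags = @(
            if ($p.deleteAllUsers  -eq '1') { 'deleteAllUsers' }
            if ($p.deleteAllGroups -eq '1') { 'deleteAllGroups' }
        )
        [pscustomobject]@{
            GPO     = $Gpo.DisplayName
            Source  = 'GPP Local Users and Groups'
            Group   = $p.groupName
            Action  = $gppAction[[string]$p.action]
            Members = ($members -join '; ')
            Flags   = ($flags -join ',')
        }
    }
}

function Get-RestrictedGroupItems {
    param($Gpo)
    $path = Join-Path (Get-GpoSysvolPath $Gpo) 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path $path)) { return }
    $inSection = $false
    foreach ($line in Get-Content -Path $path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        # Lines look like:  *S-1-5-32-544__Members = *S-1-5-21-...-512,INSTAIT\WKSAdmins
        if ($line -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            # "Members" is authoritative (anything not listed is removed);
            # "Memberof" only adds the restricted group to the listed groups.
            $action = if ($Matches.kind -eq 'Members') { 'Replace (authoritative)' } else { 'Add to' }
            [pscustomobject]@{
                GPO     = $Gpo.DisplayName
                Source  = "Restricted Groups ($($Matches.kind))"
                Group   = $Matches.group.TrimStart('*')
                Action  = $action
                Members = $Matches.list.Trim()
                Flags   = ''
            }
        }
    }
}

$report = foreach ($gpo in Get-GPO -All) {
    Get-GppLocalGroupItems -Gpo $gpo
    Get-RestrictedGroupItems -Gpo $gpo
}

# Full picture first, then only the items that touch BUILTIN\Administrators
# (well-known SID S-1-5-32-544), the group this post is about.
$report | Sort-Object GPO, Group | Format-Table -AutoSize
$report | Where-Object { $_.Group -match 'Administrators|S-1-5-32-544' } |
    Format-Table GPO, Source, Action, Members -AutoSize
```

Read the output with the tattooing point in mind: a GPP row with Action Update and an ADD member stays on every machine it ever applied to until a REMOVE item (or a manual change) takes it out, whereas a Restricted Groups "Members" row is re-enforced on each refresh and stops being enforced once the GPO is unlinked.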
