In this post I will show you how to add a user to the local Administrators group on domain-joined machines using a GPO. The procedure is not limited to adding a user to the local Administrators group: by choosing a different Action in the same GPO setting you can create, rename or delete a local group. We will use the Update action, because we are updating the existing local Administrators group, and we will do it with Group Policy Preferences (GPP).
Restricted Groups (a policy setting under Computer Configuration – Policies – Windows Settings – Security Settings) can also manage local group membership, but its "Members of this group" list is authoritative: anything not on the list is removed every time the policy refreshes. The Local Users and Groups item in GPP with the Update action is additive, so existing members of the group are left in place unless you tick the "Delete all member users" or "Delete all member groups" options.
GPO Setting location:
Computer Configuration – Preferences – Control Panel Settings – Local Users and Groups
This is how the local Administrators group looks on one of the Windows 10 machines before we create and apply the new GPO.
On a domain controller, or on any machine with the Group Policy Management Console installed, go to Start -> Run, type gpmc.msc and press Enter to open the GPMC console.
Right-click Group Policy Objects and select New.
Enter a name for the new GPO, e.g. "Local Administrator Policy".
Once the GPO is created, right-click it and click Edit.
In the Group Policy Management Editor for this policy, go to Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups, then select New -> Local Group.
Select Action: Update and set Group name to Administrators (built-in). Choose a different group if you want to add the account to another local group; since we are adding the AD user INSTAIT\InstaITadmin to the local Administrators group, we choose Administrators (built-in).
Once Administrators (built-in) is selected, go to the Members section and click Add to add the AD account you want in the local Administrators group on your workstations.
The AD account is now listed under Members. Click OK to save the setting.
As you can see here, the Setting has been configured.
Now link the GPO to the Workstations OU (the OU that holds your Windows 10, 8.1 or 7 machines). To test the policy first, create a separate test OU, move a couple of machines into it, link the policy there and roll it out to the main OU only once it works. Blocking inheritance on the test OU isolates it from other linked GPOs, but remember that it also removes every non-enforced policy those test machines would otherwise receive.
Right-click the Workstations OU, choose Link an Existing GPO and, on the next screen, select the GPO to link to the Workstations OU.
Our policy "Local Administrator Policy" is now linked to the Workstations OU.
On a Windows client PC, open Command Prompt, type gpupdate /force and press Enter to apply the Local Administrator Policy.
The INSTAIT\InstaITadmin account has been added to the local Administrators group on my Windows 10 machine by the "Local Administrator Policy".
To confirm that the policy is being applied on the workstation, open an elevated Command Prompt and run gpresult (for example gpresult /r /scope:computer), which lists the GPOs applied to the computer.
As you can see, "Local Administrator Policy" is applied on our workstation.
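The two checks above (did the GPO apply, and who is now in the local Administrators group) can be scripted so that they run on every workstation and flag drift. The script below is an added example, not code from the original post; the GPO name, the INSTAIT domain and the allow-list are placeholders taken from the walkthrough and should be adjusted for your environment.

```powershell
# Added example (not part of the original post): verify on a domain-joined
# Windows 10 client that the GPO applied and that the local Administrators
# group contains only the members you expect.
# Assumptions: GPO name, domain "INSTAIT" and the allow-list are placeholders.

#Requires -RunAsAdministrator

$GpoName  = 'Local Administrator Policy'
$Expected = @(
    'Administrator',           # built-in local account
    'INSTAIT\Domain Admins',   # added automatically when the machine joined the domain
    'INSTAIT\InstaITadmin'     # the account the GPO is supposed to add
)

# 1. Was the GPO applied to the computer? gpresult /r /scope:computer prints the
#    applied GPOs under "Applied Group Policy Objects"; we look for the name.
$gpresult = & gpresult.exe /r /scope:computer 2>&1 | Out-String
$applied  = $gpresult -match [regex]::Escape($GpoName)
"GPO '$GpoName' applied: $applied"

# 2. Current membership. The group is looked up by its well-known SID so the
#    check still works if someone renamed the Administrators group.
$adminsSid = 'S-1-5-32-544'
$members   = Get-LocalGroupMember -SID $adminsSid | ForEach-Object {
    [pscustomobject]@{
        Name   = $_.Name
        Source = "$($_.ObjectClass)/$($_.PrincipalSource)"
        Sid    = $_.SID.Value
    }
}
$members | Format-Table -AutoSize

# 3. Diff against the allow-list. Local accounts come back as COMPUTERNAME\Name,
#    so the computer prefix is stripped before comparing.
$prefix  = "^$([regex]::Escape($env:COMPUTERNAME))\\"
$actual  = $members.Name | ForEach-Object { $_ -replace $prefix, '' }
$missing = $Expected | Where-Object { $_ -notin $actual }
$extra   = $actual   | Where-Object { $_ -notin $Expected }

if ($missing) { Write-Warning "Expected but absent: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Present but not expected: $($extra -join ', ')" }
if (-not $missing -and -not $extra) { 'Local Administrators membership matches the allow-list.' }

# Non-zero exit when anything is off, so a scheduled task or RMM job can alert on it.
exit ([int]([bool]$missing -or [bool]$extra -or -not $applied))
```

The "present but not expected" branch is the one worth alerting on: an account that reached local Administrators without going through the GPO is exactly what you want to notice early.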
4 thoughts on “Add an Active Directory user to the Local Administrators Group using Group Policy (GPO)”
To be honest, this isn’t the best method to implement this.
The reason is that when you do things via preferences rather than policy, they are "tattooed", so to speak. Policy is dynamic, meaning that when you update that policy, it gets updated during the next gpupdate. If the GPO with the policy linked to a particular OU goes away, the systems in that OU will no longer have those policy settings.
On the other hand, when you use preferences, those permanently affect a system, even if you unlink or otherwise remove the GPO.
A better way to go about this would be to go through Policy -> Windows Settings -> Security Settings -> Restricted Groups, then just add BUILTIN\Administrators.
Yes, correct. Thanks for the insight, CatsAndIT. With GPP, removing a member from the Administrators group (one we added using Local Administrator Policy) requires another GPO, with the Action changed from ADD to REMOVE. However, using Restricted Groups can simplify management and make it a bit easier. You can create a security group, e.g. Techpress\WKSAdmins, and add it to the BUILTIN\Administrators group.
Here is a screenshot of a GPO setting for removing a user added to the local Administrators group:
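Because a GPP item that adds a member and a later item that removes one both live in the same file in SYSVOL, the quickest way to see every ADD and REMOVE targeting local groups across a domain is to read those files directly. The function below is an added example, not code from the original post or its comments; the XML it runs on is a constructed sample laid out the way GPP writes Groups.xml, and the GUID, domain and member SIDs in it are placeholders.

```powershell
# Added example (not part of the original post): list every GPP "Local Users and
# Groups" item in a Groups.xml so you can see which GPO ADDs or REMOVEs which
# member and whether it wipes existing membership.
# Assumption: the sample XML is constructed; GUID, domain and SIDs are placeholders.

function Get-GppLocalGroupItem {
    param(
        [Parameter(Mandatory)][string]$XmlText,   # content of one Groups.xml
        [string]$GpoLabel = 'constructed-sample'  # GPO GUID or display name
    )
    [xml]$doc = $XmlText
    foreach ($g in $doc.Groups.Group) {
        $p = $g.Properties
        # Properties/action codes written by GPP: C=Create, R=Replace, U=Update, D=Delete
        $row = [ordered]@{
            Gpo             = $GpoLabel
            Group           = $p.groupName
            GroupSid        = $p.groupSid
            Action          = $p.action
            DeleteAllUsers  = ($p.deleteAllUsers  -eq '1')
            DeleteAllGroups = ($p.deleteAllGroups -eq '1')
            Member          = $null
            MemberAction    = $null
        }
        $members = @($p.Members.Member | Where-Object { $_ })
        if ($members.Count -eq 0) { [pscustomobject]$row; continue }
        foreach ($m in $members) {
            $row.Member       = $m.GetAttribute('name')
            $row.MemberAction = $m.GetAttribute('action')   # ADD or REMOVE
            [pscustomobject]$row   # the cast snapshots the dictionary, so reuse is safe
        }
    }
}

# --- constructed sample; not taken from a real domain ---
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)"
         image="2" changed="2019-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" description="" deleteAllUsers="0"
                deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544"
                groupName="Administrators (built-in)">
      <Members>
        <Member name="INSTAIT\InstaITadmin" action="ADD" sid="S-1-5-21-1111111111-2222222222-3333333333-1105"/>
        <Member name="INSTAIT\OldHelpdesk" action="REMOVE" sid="S-1-5-21-1111111111-2222222222-3333333333-1201"/>
      </Members>
    </Properties>
  </Group>
</Groups>
'@

Get-GppLocalGroupItem -XmlText $sample -GpoLabel 'Local Administrator Policy' | Format-Table -AutoSize

# Against a real domain, feed it every Groups.xml under SYSVOL (path is a placeholder):
#   Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies" -Recurse -Filter Groups.xml |
#     ForEach-Object { Get-GppLocalGroupItem -XmlText (Get-Content $_.FullName -Raw) -GpoLabel $_.Directory.Parent.Parent.Parent.Name }
```

The DeleteAllUsers and DeleteAllGroups columns are the ones to read first: with either set to true an Update item stops being additive and behaves like a Restricted Groups "Members of this group" list.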
I want to implement this local admin GPO for one user per PC.
For example, if a test user logs in to test PC1, then he is an admin only on that PC.
If test user 2 logs in to the same PC1, then he should not have admin rights. Please suggest whether I can implement such a policy.
It's a bit tricky but still possible to do that. You can create a group for each PC and add it to a security group called Workstations Admins. Use Restricted Groups to add the Workstations Admins security group to the local Administrators group of each PC. Once the above is done, just add the user to their respective PC group by checking the name of the PC. But it's difficult to manage if there are hundreds of PCs and then hundreds of security groups.
The second option is to use a script like the one in the links I shared below. I haven't tested it yet, but let me know whether it or the other solutions work. It lets you set an attribute in AD and use a startup script to assign local admin rights. This feels like a much better solution than the previous one. I hope this will help you.
So to make someone a local admin on just one machine, I just have to add this computer’s name to the user’s Description in AD and ask user to reboot, and removing the computer’s name removes the local admin rights.
Local admin rights to specific machines
or implement LAPS
LAPS Download and Information Location
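The attribute-driven approach described in that exchange (a computer name written into the user's AD Description, a startup script that grants local admin on that computer, removal of the name revoking it) can be implemented without RSAT on the client. The script below is an added example, not the linked script or code from the original post; it assumes Description holds computer names separated by ";" (e.g. "PC1;PC7"), that it runs as SYSTEM from a GPO computer startup script, and that a state file under ProgramData records what it granted so that it only ever revokes its own grants.

```powershell
# Added example (not part of the original post or the linked script): computer
# startup script that makes a domain user a local admin only on the computers
# named in the user's AD Description attribute, and revokes it when the name
# is removed. Assumptions: Description holds ';'-separated computer names; the
# script runs as SYSTEM; the state file path below is a placeholder.

$Computer  = $env:COMPUTERNAME
$StateFile = Join-Path $env:ProgramData 'LocalAdminGrant\granted.txt'
$LogFile   = Join-Path $env:ProgramData 'LocalAdminGrant\grant.log'
$AdminsSid = 'S-1-5-32-544'

# Users whose Description mentions this computer. [adsisearcher] authenticates
# with the computer account, so no stored credentials or RSAT are required.
$searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(description=*$Computer*))"
$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'description', 'objectsid')) | Out-Null

$wanted = @{}   # SID string -> sAMAccountName
foreach ($r in $searcher.FindAll()) {
    # The LDAP wildcard matched a substring; require an exact token so PC1 does not match PC10.
    $names = "$($r.Properties['description'])" -split '\s*;\s*'
    if ($names -contains $Computer) {
        $sid = (New-Object System.Security.Principal.SecurityIdentifier($r.Properties['objectsid'][0], 0)).Value
        $wanted[$sid] = "$($r.Properties['samaccountname'])"
    }
}

# SIDs this script granted on a previous run; only these are ever revoked, so
# members placed by the GPO or by hand are left alone.
$granted = if (Test-Path $StateFile) { @(Get-Content $StateFile | Where-Object { $_ }) } else { @() }
$current = @(Get-LocalGroupMember -SID $AdminsSid | ForEach-Object { $_.SID.Value })

New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null

foreach ($sid in $wanted.Keys) {
    if ($sid -notin $current) {
        Add-LocalGroupMember -SID $AdminsSid -Member $sid
        Add-Content $LogFile "$(Get-Date -Format s) granted $($wanted[$sid]) ($sid)"
    }
}
foreach ($sid in $granted) {
    if (-not $wanted.ContainsKey($sid) -and $sid -in $current) {
        Remove-LocalGroupMember -SID $AdminsSid -Member $sid
        Add-Content $LogFile "$(Get-Date -Format s) revoked $sid"
    }
}

# Persist the set we are now responsible for.
Set-Content -Path $StateFile -Value @($wanted.Keys)
```

Working with SIDs rather than names avoids the domain-prefix differences between what LDAP returns and what Get-LocalGroupMember displays. The caveat to keep in mind before adopting this pattern is that whoever can write the Description attribute of a user object can grant that user local admin on any machine running the script, so that attribute's write permissions need the same scrutiny as membership of the admin groups themselves.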