Add a User to the Local Admin using Group Policy

In this post, I will show you how to add a user to the local Administrators group on Windows 10/11 devices using a Group Policy Object (GPO). Note that this procedure is not limited to adding a user to the local Administrators group; you can also use it to rename, create, or delete a local group by selecting a different action in the same GPO setting.

For this demonstration, we will choose the Update action, since we are updating the existing local Administrators group rather than replacing it. To accomplish this task, we will use Group Policy Preferences (GPP).

The Restricted Groups security setting is another option, but its "Members of this group" mode replaces the group's membership with the list in the policy, so any members that were added locally are removed at the next refresh. To add a user to a local group while leaving the existing members in place, the recommended approach is the Local Users and Groups item in Group Policy Preferences (GPP) with the Update action. Provided you leave "Delete all member users" and "Delete all member groups" unchecked, this method does not touch the existing membership.
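
A Local Users and Groups preference item is stored in SYSVOL as a Groups.xml file, and that file is the quickest place to confirm the item only adds a member and does not wipe the existing membership. The following PowerShell is an added example, not code from the original post: it parses a Groups.xml and flags any group entry whose action or "Delete all member users/groups" flags would clobber existing members. The sample XML is constructed for the demo and simplified; a real file also carries clsid, uid and changed attributes, which the parser ignores. The SYSVOL path in the comment is the usual location, shown with placeholders.

```powershell
# Added example (not from the original post): audit the Groups.xml written by a
# "Local Users and Groups" preference item and report whether it would replace
# or only extend the existing local group membership.
#
# Real file location (placeholders, assumption):
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Preferences\Groups\Groups.xml
#
# Sample XML below is constructed and simplified for the demo.
$SampleGroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="INSTAIT\InstaITadmin" action="ADD" sid="" />
      </Members>
    </Properties>
  </Group>
</Groups>
'@

function Get-GppLocalGroupChange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Path')][string]$Path,
        [Parameter(Mandatory, ParameterSetName = 'Xml')][string]$XmlText
    )
    [xml]$doc = if ($PSCmdlet.ParameterSetName -eq 'Path') { Get-Content -Path $Path -Raw } else { $XmlText }
    # GPP stores the action as a single letter in the Properties element.
    $actionName = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

    foreach ($group in $doc.Groups.Group) {
        $p = $group.Properties
        $members = @($p.Members.Member | ForEach-Object { "$($_.action) $($_.name)" })
        # Replace, Delete and either "Delete all member ..." flag remove existing
        # members; Update with ADD members is the only combination that leaves them alone.
        $clobbers = ($p.action -in 'R', 'D') -or ($p.deleteAllUsers -eq '1') -or ($p.deleteAllGroups -eq '1')
        [pscustomobject]@{
            GroupName        = $p.groupName
            GroupSid         = $p.groupSid
            Action           = $actionName[$p.action]
            DeleteAllUsers   = [bool][int]$p.deleteAllUsers
            DeleteAllGroups  = [bool][int]$p.deleteAllGroups
            Members          = ($members -join '; ')
            ClobbersExisting = $clobbers
        }
    }
}

# Demo run against the constructed sample; for a real GPO use -Path with the SYSVOL file.
Get-GppLocalGroupChange -XmlText $SampleGroupsXml | Format-List
```

For the sample above the output shows Action = Update, a single "ADD INSTAIT\InstaITadmin" member and ClobbersExisting = False, which is the state you want for the procedure in this post. A True on Administrators (built-in) means the item will replace the membership on every target machine, which is worth catching before the GPO is linked. The same file is also what attackers read when enumerating SYSVOL for privilege grants, so it is useful to run this over all Groups.xml files in your domain periodically.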

Location of Group Policy Setting

We will configure a Group Policy setting located at the following path:

Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups

Steps to Add An AD User to Local Admin Group

The screenshot shows the current membership of the local Administrators group. We will now add a user named “InstaITadmin” to this group. Let’s go through the steps:

  • Login on a Domain controller using domain admin rights.
  • Press Windows + R to open the Run dialog box.
  • Type gpmc.msc and press Enter to open the Group Policy Management Console.
  • In the console tree, expand the domain, right-click Group Policy Objects and select New.
  • Type the name of the GPO (here, Local Administrator Policy) and press the OK button.
  • Right-click the Local Administrator Policy GPO and click Edit.
  • Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups. Right-click on it and select New > Local Group.
  • Select Action: Update
  • Group Name: Administrators (built-in)

Select a different group if you are adding an Active Directory user to any other group. In our case, as we are adding the AD user INSTAIT\InstaITadmin to the local Administrators group, choose Administrators (built-in). Leave the "Delete all member users" and "Delete all member groups" boxes unchecked, otherwise the existing members are removed.

  • Once Administrators (built-in) has been selected, go to the Members section and click Add to include the AD user account you intend to add to the local Administrators group. Leave the member action set to Add.
  • As illustrated, the AD user has been added to the Members section. Click OK to save the policy setting.
  • As depicted here, the setting has been configured.
  • Now link the GPO to the Workstations Organizational Unit (OU) that contains your Windows client machines (the post shows Windows 10, but Windows 8.1 and Windows 7 clients process this preference item too).
  • If you wish to test the policy first, create a separate OU, move a couple of test machines into it and link the GPO there before rolling it out to all machines. Blocking inheritance on the test OU also stops every other domain policy from applying to those machines, so an alternative is to leave the machines where they are and scope the GPO with security filtering to a group that contains only the test computers.
  • Right-click the Workstations OU and choose Link an Existing GPO. In the Select GPO dialog, pick the Local Administrator Policy and click OK.
  • Our policy, “Local Administrator Policy”, has been successfully linked to the “Workstations” OU.
  • On the Windows client PC, open Command Prompt and run gpupdate /force, then press Enter to apply the Local Administrator Policy. The item lives under Computer Configuration, so it is the computer-side refresh (or a reboot) that applies it, not a user logon.
  • The account INSTAIT\InstaITadmin has been successfully added to the local Administrators group on my Windows 10 machine by the “Local Administrator Policy”.
  • To confirm that the policy is being applied to the workstation, open Command Prompt as an administrator and run gpresult /r /scope computer; the Local Administrator Policy should be listed under Applied Group Policy Objects for the computer. To check the resulting membership, run net localgroup Administrators.
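
The following PowerShell is an added example for the verification step, not code from the original post. It refreshes computer policy on the client, reads the local Administrators membership with Get-LocalGroupMember, and compares it against the set of members you expect, reporting anything missing (the GPO did not apply) and anything unexpected (some other path is granting local admin). The expected list is constructed for this demo: INSTAIT\InstaITadmin is the account the post adds, and the other two entries are the defaults on a domain-joined machine; adjust them to your environment.

```powershell
# Added example (not from the original post): confirm the preference item
# landed by comparing the local Administrators group with an expected list.

function Test-LocalAdminMembership {
    [CmdletBinding()]
    param(
        # Expected members in "DOMAIN\name" or "COMPUTER\name" form (constructed for the demo).
        [Parameter(Mandatory)][string[]]$Expected,
        [string]$Group = 'Administrators'
    )
    # Get-LocalGroupMember resolves SIDs to DOMAIN\name; comparisons below are case-insensitive.
    $actual  = @(Get-LocalGroupMember -Group $Group | Select-Object -ExpandProperty Name)
    $extra   = @($actual   | Where-Object { $_ -notin $Expected })
    $missing = @($Expected | Where-Object { $_ -notin $actual })
    [pscustomobject]@{
        Group      = $Group
        Actual     = $actual
        Missing    = $missing   # GPO not applied yet, or filtered out (security filtering, blocked inheritance)
        Unexpected = $extra     # local admin granted by something other than this policy
        Compliant  = ($extra.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# The item is under Computer Configuration, so refresh computer policy, not user policy.
gpupdate /target:computer /force | Out-Null

# Assumption: INSTAIT is the domain NetBIOS name used in the post; the first two
# entries are the usual defaults on a domain-joined Windows 10/11 machine.
$expected = @(
    "$env:COMPUTERNAME\Administrator",
    'INSTAIT\Domain Admins',
    'INSTAIT\InstaITadmin'
)

$result = Test-LocalAdminMembership -Expected $expected
$result | Format-List

# If the account is missing, list which GPOs the computer actually applied
# (requires an elevated prompt).
if (-not $result.Compliant) {
    gpresult /r /scope computer
}
```

Run it in an elevated PowerShell on the client after the GPO is linked. Unexpected entries are the security-relevant result: every extra member is a local admin that this policy does not account for and should be explained or removed. On machines whose Administrators group contains orphaned SIDs, Get-LocalGroupMember can fail to enumerate; net localgroup Administrators is the fallback in that case.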

4 thoughts on “Add a User to the Local Admin using Group Policy”

  1. To be honest, this isn’t the best method to implement this.

    The reason is that when you do things via preferences rather than policy, they are “tattooed”, so to speak. Policy is dynamic, meaning that when you update that policy, it gets updated during the next gpupdate. If the GPO with the policy linked to a particular OU goes away, the systems in that OU will no longer have those policy settings.

    On the other hand, when you use preferences, those permanently affect a system, even if you unlink or otherwise remove the GPO.

    A better way to go about this would be to go through Policy -> Windows Settings -> Security Settings -> Restricted Groups, then just add BUILTIN\Administrators.

    • Yes, correct. Thanks for the insight, CatsAndIT. When using GPP and deleting a member from the Administrators group (which we added using the Local Administrator Policy), another GPO will be required to remove members, just changing the Action from ADD to REMOVE. However, using Restricted Groups can simplify management and make it a bit easier. You can add a security group, e.g. Techpress\WKSAdmins, to the BUILTIN\Administrators group.

      Here is a screenshot of a GPO setting for removing a user added to the local Administrators group:

  2. I want to implement this Local Admin GPO for one user per PC.

    For example, if a test user logs in to test PC1, then he is Admin only on that PC.
    If test user 2 logs in to the same PC1, then he should not have Admin. Please suggest whether I can implement such a policy.

