In this tutorial, we are going to show you how to add a user group to the local Administrators group of domain computers via Group Policy. This is very useful when you need to give specific users Admin access on domain computers without giving them Domain Admin rights.
You can also add specific users or groups to the local Administrators group of domain computers manually, but that process is time-consuming and inefficient. To make this easier, you can use Group Policy Management. You just need to create a policy and it will do its magic on all the computers it is applied to.
Add a User Group to Local Administrators Group of Domain Computers via Group Policy (GPO)
We can add a user group to local administrators in the following two ways:
- By modifying the members of Local Administrators group. This method overwrites the existing members of Administrators group.
- Add users to a new security group and make it the member of Administrators group. This method doesn’t overwrite existing members of Administrators group.
So, in this tutorial, we will first create a new security group and add users to this group. Then we will change the membership of this group and add this group as the member of BUILTIN\Administrators via GPO. We have used Windows Server 2019 in this tutorial, but it will work for earlier versions as well.
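The two methods above leave different entries in the GPO's security template (GptTmpl.inf, section [Group Membership]), so an existing GPO can be checked for which one it uses. The PowerShell below is an added example, not part of the original tutorial; the function name Get-RestrictedGroupMode is hypothetical and the S-1-5-21-... SIDs in the sample are constructed placeholders.

```powershell
# Added example, not part of the original tutorial.
# Constructed sample of a GptTmpl.inf. Both forms appear in one file only for comparison.
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; the S-1-5-21-... SIDs are placeholders.
$sample = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1106
'@

function Get-RestrictedGroupMode {
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # Track which INI section we are in; only [Group Membership] matters here.
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($text -match '^(.+?)__(Memberof|Members)\s*=\s*(.*)$') {
            $group = $Matches[1]
            $kind  = $Matches[2]
            $value = $Matches[3].Trim()
            if (-not $value) { continue }   # nothing listed for this setting
            $effect = if ($kind -eq 'Members') {
                'Overwrites: members of Group are replaced by Values'
            } else {
                'Additive: Group is added to each group in Values'
            }
            [pscustomobject]@{
                Group  = $group
                Values = $value -split '\s*,\s*'
                Effect = $effect
            }
        }
    }
}

Get-RestrictedGroupMode -Lines ($sample -split "`r?`n") | Format-List
```

For a real GPO, pass the lines of its GptTmpl.inf (read with Get-Content) instead of the constructed sample.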
Step 1: Create a User Group in Active Directory Users and Computers
First of all, open the Active Directory Users and Computers console. You can do so by running the dsa.msc command from RUN.
After that, create a group in any OU. To do that, click on the group icon in the top bar and type a name for the group. In this tutorial, we have used ServerAdmins as the group name. Finally, click Apply and OK.
We will add this user group to local Administrators on domain computers using Group Policy (GPO).
Step 2: Add Users to the Group
Now, add the users to the group you have just created. You can do so from the Members tab of the group properties. So, double-click the newly created group, go to the Members tab and click the Add button to add users to the group. When you are done adding the users, click Apply and OK.
Now we will create a group policy (GPO) to add this group to local Administrators group on domain computers.
Step 3: Create a New GPO in Group Policy Management Console
Now, press Windows + R to launch RUN. After that, type gpmc.msc and press Enter to launch the Group Policy Management console.
In the Group Policy Management console, right-click on the Group Policy Objects folder and select New to create a new policy (GPO).
Now, type a name for the new GPO and click OK. In this tutorial, we are using Add Group to LocalAdmins as the name of our group policy.
Step 4: Edit the Newly Created Group Policy
After creating the group policy, it’s time to configure it to add the user group to local Administrators on domain computers. So, right-click on this newly created policy and select Edit… This will open the Group Policy Editor.
In the Group Policy Editor console, go to the following path:
Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
Step 5: Select User Group to Add to Local Administrators via GPO
Now, select Restricted Groups from the left pane. After that, right-click in the right pane and select Add Group…
Now, click on Browse and select the group that we created in Step 1.
Finally, click OK twice to select this group.
Step 6: Add Selected Group as Member of Local Administrators Group
A new properties window will open for the selected group. Click the Add button under the “This group is a member of:” section to choose the group that the newly created group should become a member of.
Now, browse and select the Administrators group. After that, click OK twice.
Finally, click Apply and then OK to save and close the selected group’s properties window.
After that, you can close the Group Policy editor and go back to the Group Policy Management console.
Step 7: Link GPO to Computer’s OU
Our Group Policy is ready. Now, it’s time to deploy it on the target domain computers. So, move all target computers to a new OU. If you already have them in the right place, you can apply the policy to the existing OU as well.
So, right-click on the target OU (which contains the target computers) and select Link an Existing GPO…
Now, select the newly created GPO from the list of group policies and click OK to apply it to the selected OU.
Finally, the Group Policy to add user groups to local administrators has been deployed on the selected OU successfully. It will be replicated in the next group policy refresh cycle. But you can also run the gpupdate command manually to replicate the policy immediately.
Step 8: Check Local Administrators Group Members on Domain Computer
Now, it’s time to check if the policy is working correctly or not. So, go to a domain computer on which this policy is applied and run
After that, open Computer Management > Local Users and Groups > Groups and double-click on the Administrators group. You will see the selected group (ServerAdmins in our case) here. If it is still not showing up here, restart the computer and it will show up.
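The same check can be done from PowerShell, which also shows every other account that holds local admin rights on the machine. This is an added example, not part of the original tutorial; the $Expected allowlist and the function name Get-LocalAdminReport are assumptions to adapt to your environment.

```powershell
# Added example, not part of the original tutorial.
# Run in an elevated Windows PowerShell 5.1+ session on a computer in the linked OU.
$GroupName = 'ServerAdmins'   # group created in Step 1
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators (the name is localized, the SID is not)

# Assumption: names you expect to hold local admin rights on this machine.
# Compared against the part of each member name after "DOMAIN\" or "COMPUTER\".
$Expected = @('Administrator', 'Domain Admins', $GroupName)

function Get-LocalAdminReport {
    param([string]$Sid, [string[]]$Allowed)
    try {
        $members = Get-LocalGroupMember -SID $Sid -ErrorAction Stop
    } catch {
        # Enumeration can fail when a member SID no longer resolves to an account.
        Write-Warning "Could not enumerate members: $($_.Exception.Message)"
        return
    }
    foreach ($m in $members) {
        $leaf = ($m.Name -split '\\')[-1]
        [pscustomobject]@{
            Name     = $m.Name
            Class    = $m.ObjectClass
            Source   = $m.PrincipalSource
            Expected = $Allowed -contains $leaf
        }
    }
}

# Apply computer policy now instead of waiting for the next refresh cycle.
gpupdate /target:computer /force | Out-Null

$report = @(Get-LocalAdminReport -Sid $AdminsSid -Allowed $Expected)
$report | Format-Table -AutoSize

# The GPO worked if the domain group (not a local look-alike) is now a member.
$hit = $report | Where-Object {
    $_.Class -eq 'Group' -and $_.Source -eq 'ActiveDirectory' -and
    ($_.Name -split '\\')[-1] -eq $GroupName
}
if (-not $hit) { Write-Warning "$GroupName is not in local Administrators yet." }

# This method keeps existing members, so review anything not on the allowlist.
$report | Where-Object { -not $_.Expected } |
    ForEach-Object { Write-Warning "Unexpected local admin: $($_.Name)" }
```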
Add a Group to Local Administrators via Group Policy (GPO)
This tutorial showed you how to add a user group to the local Administrators group on domain computers via group policy. The method described above adds the new group to the local Administrators group without overwriting existing members of the group. And this tutorial should work on all Windows Servers, be it Server 2003, 2008, 2008 R2, 2012, 2012 R2, 2016, or Server 2019.