How to Add a Group to Local Administrators via Group Policy

In this tutorial, we show you how to add a user group to the local Administrators group of domain computers via Group Policy. This is very useful when you need to give specific users admin access on domain computers without giving them Domain Admin rights.

You can also add specific users or groups to the local Administrators group of domain computers manually, but that process is time-consuming and inefficient. To make it easier, you can use Group Policy Management: you create one policy, and it does its magic on all the computers it is applied to.


Add a User Group to Local Administrators Group of Domain Computers via Group Policy (GPO)

We can add a user group to local administrators in the following two ways:

  • By modifying the members of the local Administrators group. This method overwrites the existing members of the Administrators group.
  • By adding users to a new security group and making it a member of the Administrators group. This method doesn’t overwrite the existing members of the Administrators group.

So, in this tutorial, we will first create a new security group and add users to it. Then we will change the membership of this group and add it as a member of BUILTIN\Administrators via GPO. We have used Windows Server 2019 in this tutorial, but it will work for earlier versions as well.

Step 1: Create a User Group in Active Directory Users and Computers

First of all, open the Active Directory Users and Computers console. You can do so by running the dsa.msc command from RUN.

Go to RUN, type dsa.msc and press Enter

After that, create a group in any OU. To do that, click on the group icon in the top bar and type a name for the group. In this tutorial, we have used ServerAdmins as the group name. Finally, click Apply and OK.

Create user Group in Active Directory

We will add this user group to local Administrators on domain computers using Group Policy (GPO).



Step 2: Add Users to the Group

Now, add the users to the group you have just created. You can do so from the Members tab of the group properties. Double-click the newly created group, go to the Members tab and click the Add button to add users to the group. When you are done adding the users, click Apply and OK.

Add users to newly created group

Now we will create a group policy (GPO) to add this group to local Administrators group on domain computers.



Step 3: Create a New GPO in Group Policy Management Console

Now, press Windows + R to launch RUN. After that, type gpmc.msc and press Enter to launch Group Policy Management console.

Go to RUN, type gpmc.msc and press Enter

In the Group Policy Management console, right-click on the Group Policy Objects folder and select New to create a new policy (GPO).

Right-click on Group Policy Objects and select New

Now, type a name for the new GPO and click OK. In this tutorial, we are using Add Group to LocalAdmins as the name of our group policy.

Type a name for GPO

Step 4: Edit the Newly Created Group Policy

After creating the group policy, it’s time to configure it to add the user group to local Administrators on domain computers. So, right-click on this newly created policy and select Edit… This will open the Group Policy Editor.

Right-click on GPO and select Edit to change policy settings

In the Group Policy Editor console, go to the following path:

Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups


Step 5: Select User Group to Add to Local Administrators via GPO

Now, select Restricted Groups from the left pane. After that, right-click in the right pane and select Add Group…

Right-click in the right pane and select Add Group in Restricted Groups

Now, click on Browse and select the group that we have created in Step 1.

Select the group we just created

Finally, click OK twice to select this group.


Step 6: Add Selected Group as Member of Local Administrators Group

A new properties window will open for the selected group. Click on the Add button under the This group is a member of: section to add the newly created group here.

Click Add to add newly created group

Now, browse and select the Administrators group. After that, click OK twice.

Add ServerAdmins group as member of Administrators group

Finally, click Apply and then OK to save and close the selected group’s properties window.

Click Apply and OK

After that, you can close the Group policy editor and go back to Group Policy Management console.
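
The difference between the two methods listed at the start of this tutorial is visible in the security template where the Restricted Groups setting is stored (GptTmpl.inf, under the GPO's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL). The following PowerShell is an added example, not part of the original tutorial; the helper name Get-RestrictedGroupEntry and the sample template with its made-up domain SID are constructed for illustration.

```powershell
# Constructed sample of a GptTmpl.inf; the domain SID is a made-up placeholder.
$sample = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
'@

# Ways BUILTIN\Administrators can be written in the template (SID form or name).
$adminIds = '*S-1-5-32-544', 'Administrators', 'BUILTIN\Administrators'

function Get-RestrictedGroupEntry {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$TemplateText)

    $inSection = $false
    foreach ($raw in ($TemplateText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only lines under [Group Membership] describe Restricted Groups.
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(.+?)__(Memberof|Members)\s*=\s*(.*)$') {
            $group  = $Matches[1].Trim()
            $kind   = $Matches[2]
            $values = @($Matches[3] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $effect = if ($kind -eq 'Members' -and $group -in $adminIds) {
                'Replaces the local Administrators member list'
            } elseif ($kind -eq 'Memberof' -and ($values | Where-Object { $_ -in $adminIds })) {
                'Adds this group to local Administrators, existing members kept'
            } else { 'No change to local Administrators' }
            [pscustomobject]@{
                Group = $group; Setting = $kind; Values = $values -join ', '; Effect = $effect
            }
        }
    }
}

Get-RestrictedGroupEntry -TemplateText $sample | Format-List
# For a real GPO: Get-RestrictedGroupEntry (Get-Content -Raw '<path to GptTmpl.inf>')
```

A GPO built with the steps above should only produce the "Adds this group" effect; an entry reported as replacing the member list means the group was configured through the Members of this group box instead.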


Our Group Policy is ready. Now, it’s time to deploy it on the target domain computers. So, move all target computers to a new OU. If you already have them in the right place, you can apply the policy to the existing OU as well.

So, right-click on the target OU (which contains the target computers) and select Link an Existing GPO…

Right-click on Computers OU and select Link an Existing GPO

Now, select the newly created GPO from the list of group policies and click OK to apply it to the selected OU.

Select and add the GPO to Computers OU

Finally, the Group Policy to add the user group to local administrators has been deployed on the selected OU successfully. It will be applied in the next group policy refresh cycle. But you can also run the gpupdate command manually to apply the policy immediately.


Step 8: Check Local Administrators Group Members on Domain Computer

Now, it’s time to check whether the policy is working correctly. So, go to a domain computer on which this policy is applied and run the gpupdate command.

After that, open Computer Management > Local Users and Groups > Groups and double-click on the Administrators group. You will see the selected group (ServerAdmins in our case) here. If it is still not showing up, restart the computer and it will show up.

Group Added to Local Administrators Successfully
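
The same check can be run across every computer in the target OU instead of opening Computer Management on each one. This PowerShell is an added example, not part of the original tutorial; the OU path and the EXAMPLE domain name are placeholders, and it assumes the ActiveDirectory module plus PowerShell remoting (WinRM) enabled on the target computers.

```powershell
Import-Module ActiveDirectory

$TargetOU      = 'OU=Computers,DC=example,DC=com'   # placeholder: OU the GPO is linked to
$ExpectedGroup = 'EXAMPLE\ServerAdmins'             # placeholder domain, group from this tutorial

# Enabled computer accounts in the OU the GPO is linked to.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $TargetOU |
    Select-Object -ExpandProperty DNSHostName

# Read the local Administrators group on each computer.
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the query
# also works where the group name is localized.
$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# One row per computer: is the expected group present, and who else is an admin?
$results | Group-Object PSComputerName | ForEach-Object {
    $names = @($_.Group.Name)
    [pscustomobject]@{
        Computer        = $_.Name
        HasServerAdmins = $names -contains $ExpectedGroup
        OtherMembers    = ($names | Where-Object { $_ -ne $ExpectedGroup }) -join '; '
    }
} | Sort-Object Computer | Format-Table -AutoSize

# Computers that could not be reached have not been verified.
$failed | ForEach-Object { Write-Warning "Not checked: $_" }
```

The OtherMembers column is worth reviewing as well: because this method does not overwrite existing members, any accounts that were already local administrators before the policy was applied remain in the group.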



Add a Group to Local Administrators via Group Policy (GPO)

This tutorial showed you how to add a user group to the local Administrators group on domain computers via Group Policy. The method described above adds a new group to the local Administrators group without overwriting the existing members of the group. This tutorial should work on all Windows Server versions, be it Server 2003, 2008, 2008 R2, 2012, 2012 R2, 2016 or Server 2019.

Hope you found this tutorial helpful. In case you have any queries or suggestions, feel free to write them down in the comments below. We suggest you subscribe to our newsletter to get the latest tutorials directly in your inbox.

Editorial Staff

Hi there, we are the editorial staff at WINDOSPC (former HELLPC). We are a team of funny and technical people. Feel free to get in touch with us via Contact-Us page.
