How to Add a Group to Local Administrators via Group Policy

In this tutorial, we are going to show you how to add a user group to the local Administrators group of domain computers via Group Policy. This is very useful when you need to provide specific users Admin access on domain computers without providing them Domain Admin rights.

You can also add specific users or groups to local Administrators’ group of domain computers manually. However, that process is time-consuming and inefficient. So, to make this process easy, you can use Group Policy Management. You just need to create a policy and it will do its magic on all the computers it is applied to.

SEE ALSO: How to Rename Local Administrator User and Change Its Password using GPO?

Add a User Group to the Local Administrators Group of Domain Computers via Group Policy (GPO)

We can add a user group to local administrators in the following two ways:

  • By modifying the members of the Local Administrators group. This method overwrites the existing members of the Administrators group.
  • Add users to a new security group and make it a member of the Administrators group. This method doesn’t overwrite existing members of the Administrators group.

So, in this tutorial, we will first create a new security group and add users to this group. Then we will change the membership of this group and add this group as a member of BUILTIN\Administrators via GPO. We have used Windows Server 2019 in this tutorial, but it will work for earlier versions as well.

Step 1: Create a User Group in Active Directory Users and Computers

First of all, open the Active Directory Users and Computers console. You can do so by running dsa.msc command from RUN.

Go To Run Type Dsa Msc To Open Ad Users And Computers
Go to RUN, type dsa.msc and press Enter

After that, create a group in any OU. To do that, click on the group icon at the top bar and type a name for the group. In this tutorial, we have used ServerAdmins as the group name. Finally, click Apply and OK.

Select An Ou And Create A Security Group There
Create a user Group in the Active Directory

We will add this user group to local Administrators on domain computers using Group Policy (GPO).

SEE ALSO: How to Fetch the List of Local Users from Domain Computers using PowerShell Script?


Step 2: Add Users to the Group

Now, add the users to the group you have just created. You can do so from the Members tab of group properties. So, double-click the newly created group, go to the Members tab, and click the Add button to add users to the group. When you are done with adding the users, click Apply and OK.

Add Users To Newly Created Group To Add To Local Administrators Using Gpo
Add users to the newly created group

Now we will create a group policy (GPO) to add this group to the local Administrators group on domain computers.

SEE ALSO: How to Create Bulk Users in Active Directory using PowerShell?


Step 3: Create a New GPO in the Group Policy Management Console

Now, press Windows + R to launch RUN. After that, type gpmc.msc and press Enter to launch the Group Policy Management console.

Go To Run Type Gpmc Msc To Start Group Policy Editor
Open the Group Policy console from RUN

In the Group Policy Console, right-click on the Group Policy Objects folder and select New to create a new policy (GPO).

Right Click On Group Policy Objects And Select New To Create A New Gpo
Right-click on Group Policy Objects and select New

Now, type a name for the new GPO and click OK. So, in this tutorial, we are using Add Group to LocalAdmins as the name of our group policy.

Type A Name For Gpo
Type a name for GPO

Step 4: Edit the Newly Created Group Policy

After creating the group policy, it’s time to configure it to add the user group to local Administrators on domain computers. So, right-click on this newly created policy and select Edit… This will open Group Policy Editor.

Right Click On Gpo And Select Edit To Change Policy Settings To Add Group To Local Admins
Right-click on GPO and select Edit to change policy settings

In the Group Policy Editor console, go to the following path:

Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups


Step 5: Select User Group to Add to Local Administrators via GPO

Now, select Restricted Groups from the left pane. After that, right-click on the right pane and select Add Group…

Select Restricted Groups From Left And Right Click On Right Side And Select Add Group
Right-click on the right side and select Add Group in Restricted Groups

Now, click on Browse and select the group that we have created in Step 1.

Select The Group We Just Created In Ad Users And Computers Console
Select the group we just created

Finally, click OK twice to select this group.


SEE ALSO: Misconfigured Audit Policy may cause the Shell Infrastructure Host Issue. Check this fix.

Step 6: Add Selected Group as Member of Local Administrators Group

A new properties window will open for the selected group. So, click on the Add button under the “This group is a member of:” section to add the newly created group here.

Click Add Under This Group Is Memeber Of To Add This Group To Local Administrators
Click Add to add the newly created group

Now, browse and select the Administrators group. After that, click OK twice.

Add Server Admins Group To Administrators Group
Add ServerAdmins group as a member of the Administrators group

Finally, click Apply and then OK to save and close the selected group’s properties window.

Click Apply And Ok To Save The Settings
Click Apply and OK

After that, you can close the Group Policy editor and go back to the Group Policy Management console.


Our Group Policy is ready. Now, it’s time to deploy it on target domain computers. So, move all target computers to a new OU. And if you already have them in the right place, you can apply the policy on existing OU as well.

So, right-click on the target OU (which contains the target computers) and select Link an Existing GPO…

Right Click On Computers Ou And Select Link An Existing Gpo
Right-click on Computers OU and select Link an Existing GPO

Now, select the newly created GPO from the list of group policies and click OK to apply it to the selected OU.

Select And Add The New Policy Gpo To Computers Ou
Select and add the GPU to Computers OU

Finally, Group Policy to add user groups to local administrators has been deployed on selected OU successfully. It will be replicated in the next group policy refresh cycle. But you can also run gpupdate command manually to replicate policy immediately.


Step 8: Check Local Administrators Group Members on Domain Computer

Now, it’s time to check if the policy is working correctly or not. So, go to a domain computer on which this policy is applied and run gpupdate command.

After that, open Computer Management > Local Users and Groups > Groups and double-click on the Administrators group. You will see the selected group (ServerAdmins in our case) here. If it is still not showing up here, restart the computer and it will show up.

Group Added To Local Administrators Using Gpo Successfully
Group Added to Local Administrators Successfully

SEE ALSO: How to Reset Passwords of Users from Multiple Domains using PowerShell Script?


Add a Group to Local Administrators via Group Policy (GPO)

This tutorial showed you how to add a user group to the local Administrators group on domain computers via group policy. The method described above adds the new group to the local Administrators group without overwriting existing members of the group. And this tutorial should work on all Windows Servers be it Server 2003, 2008, 2008 R2, 2012, 2012 R2, 2016, or Server 2019.

Hope you found this tutorial helpful. In case you have any queries or suggestions, feel free to write them down in the comments below. We suggest you subscribe to our newsletter to get the latest tutorials directly into your inbox.

Editorial Staff

Hi there, we are the editorial staff at WINDOSPC (former HELLPC). We are a team of funny and technical people. Feel free to get in touch with us via Contact-Us page.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.