Adding a Domain User to the Local Administrators Group in Windows |

To grant local administrator permissions on domain computers to technical support personnel, the helpdesk team, certain users, and other privileged accounts, you must add the required Active Directory user or group to the local. administrators Groups on servers or workstations. In this article, we will show you how to manage members of the Local Administrators group on a domain computer, manually and via a GPO.

Manually add the user to the local administrators group

The easiest way to grant local administrator rights for a user or group on a specific computer is to add it to the local administrator group using the graphical Local Users and Groups snap-in (lusrmgr.msc,

When you connect a computer to an AD domain, domain administrator The group is automatically added to the computer’s local administrators group, and domain user The group is added to the local users group.

press add Click the button and specify the name of the user, group, computer, or service account (gMSA) you want to grant local administrator rights. With the Location button, you can switch between searching for principals in the domain or on the local computer.

Add Users to the Administrators Group in Windows Manually with the Local Users and Groups Console (lusrmgr.msc)

You can also display a list of users with local computer administrator permissions with Command Prompt:

net localgroup administrators

You can use the following PowerShell command to get the list of users in a local group (using the built-in Local Account module to manage local users and groups):

Get-LocalGroupMember administrators

This command displays the object class that has been granted administrator permissions (ObjectClass = User, Group, or Computer) and the source of the account or group (ActiveDirectory, Azure AD, Microsoft, or Local).

List Local Administrators Group Membership with Powershell

To add a domain group munWksAdmins For local administrators (or users), run the command:

net localgroup administrators /add munWksAdmins /domain

Using PowerShell, you can add a user to Administrators as follows:

Add-LocalGroupMember -Group Administrators -Member ('woshub\j.smith', 'woshub\munWksAdmins','wks1122\user1') –Verbose

add domain users to local admins with powershell

In this example, we have added a user and group from the woshub domain and a local user wks1122\user1 to computer administrators.

You can add users to the Administrators group on multiple computers at once. In this case, you can use the Invoke-Command cmdlet from PowerShell Remoting to access remote computers on a network:

$WKSs = @("PC001","PC002","PC003")
Invoke-Command -ComputerName $WKSs –ScriptBlock {Add-LocalGroupMember -Group Administrators -Member woshub\munWksAdmins'}

You can also completely refuse to grant any administrative privileges to domain users or groups. In this case, you can use the built-in local admin with password stored in Active Directory (implemented using Local Admin Password Solution/LAPS) to perform one-time administrative tasks on user computers.

In an Active Directory domain environment, it is preferable to use Group Policy to grant local administrator rights to the domain computer. This is much easier, more convenient, and safer than manually adding users to the local Administrators group on each computer. You can use two Group Policy options to manage the Administrators group on domain computers:

  • Manage local group membership with Group Policy preferences;
  • Adding users to local groups using the Restricted Groups GPO feature.

How to add domain users to Local Administrators via Group Policy Preferences?

Group Policy Preferences (GPP) provide the most flexible and convenient way to grant local administrator privileges on domain computers via GPOs.

Assume that your task is to grant local administrator privileges to a helpdesk team group on a computer in a specific Active Directory OU (organizational unit). Create a new security group in your domain using PowerShell and add Helpdesk team accounts to it:

New-ADGroup munWKSAdmins -path 'OU=Groups,OU=Munich,OU=DE,DC=woshub,DC=com' -GroupScope Global –PassThru
Add-AdGroupMember -Identity munWKSAdmins -Members amuller, dbecker, kfisher

Open the Domain Group Policy Management Console (GPMC.msc), create a new policy (GPO) AddLocaAdmins And link it to the computer with the OU (in my example, it’s ‘OU=Computers,OU=Munich,OU=DE,DC=woshub,DC=com’).

  1. Edit AddLocaAdmins the GPO you created earlier;
  2. Go to the following GPO section: Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups,
  3. Add a new rule (new , local group, Group Policy preferences manage local groups
  4. to select Updates in the work area (this is an important option!);
  5. to select admin (built-in) group name dropdown list, Even if this group is renamed on the computer, the settings will be applied to the local Administrators group by its SID (S-1-5-32-544,
  6. press add button and select the groups you want to add to the Local Administrators group (in our case, it is munWKSAdministrator,

    You can delete all users and groups you manually added from local administrators on all computers. Control “Delete all member users” And “delete all member groups“Option. In most cases, this is appropriate because you guarantee that only approved domain groups will have administrative permissions on your domain computer. If you manually enter the Administrators group using the “Local Users and Groups” snap-in If you add a user, it will be automatically removed the next time the policy is applied.

    gpo.  Add the Domain Users group to the Local Administrators group by using

  7. Save the policy and wait for it to be applied on the client workstation. To apply Group Policy settings immediately, run this command gpupdate /force on the user’s computer;
  8. open lusrmgr.mscSnap-in to any domain computer and check the members of the local administrators group. Only munWKSAdministrator The group must be added to this group, while other users and groups will be removed (except for the built-in Windows Administrator account).

Adding a single user to the local Administrators group on a specific computer with a GPO

Sometimes you may need to grant administrative privileges to a single user on a specific computer. For example, you have many developers who need elevated privileges from time to time to test drivers, debug or install them on their computers. It is not advisable to add them to the Workstation Administrators group with privileges on all domain computers.

You can use GPO WMI Filter or item-level targeting To grant local administrator permissions on a specific computer.

Create a new entry in the GPO Preferences section (Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups) AddLocalAdmins Previously created policy:

  1. action, Update
  2. group name, Administrators (Built-in)
  3. description,Add amuller to the local administrators on the mun-dev-wsk21 computer,
  4. members:add -> amuller Add the Users user to the Local Administrators group using Group Policy Preferences
  5. In General , goal setting tab, specify this rule: “the NETBIOS computer name is mun—dev-wks24.This means that this Group Policy item will only apply to the computers specified here. gpo: adding local administrator permissions only on specific computers

Also, pay attention to the order in which group membership is applied to the computer Order gpp column). Local group membership is applied top to bottom (starting with Order 1 Policy).

The first GPP policy option (with the “Delete all member users” and “Delete all member groups” settings as described above) removes all users/groups from the local administrators group and adds the specified domain group. Then additional computer-specific policies are applied that associate the specified user with the local administrator. If you want to change the membership order in your Administrators group, use the buttons at the top of your GPO editor console.

Managing Local Administrators with Restricted Groups GPO

banned group The policy also allows domain groups/users to be added to the local security group on the computer. This is an older method of granting local administrator privileges and is now used less frequently (it is less flexible than the Group Policy preference method described above).

  1. Open your GPO;
  2. expand section Computer Configuration -> Policies -> Security Settings -> Restricted Groups,
  3. to select Add group in the context menu;GPO Restricted Group Policy
  4. in the next window type administrators and then click OK; GPO: Add to Local Admin
  5. Click add In members of this group section and specify the group that you want to add to the local administrators;Configure membership for the Administrators of the domain group
  6. Save changes, apply policy to users’ computers, and perform local checks administrators group. It should only contain the group that you have specified in the policy.

    These Group Policy settings always (,) Delete all existing members of the local administrators group (which are added manually by other policies or scripts).

If you need to maintain the current membership of the Administrators group and add an additional group (user) to it using the Restricted Groups GPO, you must:

  1. Create a new entry in Restricted Groups and select the AD Security Group (!!!) you want to add to Local Administrators;gpo.  Add domain security group to local windows administrator using
  2. then add administrators In this is a member of the group section;Add an additional domain group to Local Administrators with Restricted Groups gpo
  3. Update the GPO setting on the client and make sure your domain group is added to the local administrators group. In this case, the current principal in the local group remains untouched (not removed from the group).

At the end of the article, I will leave some recommendations for managing administrator permissions on Active Directory computers and servers.

Microsoft’s classic security best practices recommend using the following groups to isolate administrator permissions in an AD domain:

  1. domain administrator Used only on domain controllers;
    For privileged administrator accounts, for security reasons, it is not recommended to perform daily administration tasks on workstations and servers under an account with domain administrator privileges. These accounts should only be used for AD management tasks (adding new domain controllers, replication management, Active Directory schema modification, etc.). Most user, computer, or GPO management tasks must be delegated to regular administrator accounts (without domain administrator permissions). Do not use domain administrator accounts to log on to any workstation or server other than domain controllers.
  2. server administrator A group that allows you to manage Windows Server hosts in an AD domain. Workstations must not be a member of the Domain Administrators group or the Local Administrators group;
  3. workstation administrator There is a group for performing administrative tasks only on workstations. Must not be a member of the Domain Admins and Servers Admins groups;
  4. domain user There are general user accounts to perform specific office operations. They must not have administrative privileges on the server or workstation;
  5. It is not recommended to add individual user accounts to the Local Administrators group. It is better to use domain security groups. In this case, in order to grant administrative privileges to the next technical support worker, it is enough to add him to the domain group (without the need to edit the GPO).

Leave a Comment