
Having a local administrator account on your workstations can come in handy. Sometimes you need to log on locally to troubleshoot or to rejoin a computer to the domain. You can create a Group Policy that creates a local admin user and sets its password. In addition, I have mine disable the built-in Administrator account. This is a security precaution and, in my opinion, a best practice.

Create the GPO

  1. Launch the Group Policy Management Console.
  2. Right-click the OU that you want the GPO to apply to.
  3. Select “Create a GPO…”
  4. This will launch the Group Policy Editor.
  5. Navigate to: Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
  6. Right-click in the blank area and select New > “Local User”
  7. Give your local admin a username. I set mine to “Ecorp”, which is my domain name.
  8. Make sure both the password and the account are set to never expire.
  9. Select OK. It will warn you that the password is stored in SYSVOL; that is OK.
  10. Repeat the process for the Administrator account, but use the drop-down to select the built-in Administrator.
  11. Set this account to Disabled.
  12. Select OK.

This will disable the built-in Administrator account and create a new local administrator. Make sure you select this under Computer Configuration, not User Configuration, when you create the GPO.
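The same three settings the GPO above configures (a local account whose password and account never expire, membership of the local Administrators group, and a disabled built-in Administrator), applied directly on one machine with the LocalAccounts module. This is an added example, not part of the original post; it assumes Windows 10 / Server 2016 or later, an elevated session, and uses the account name “Ecorp” from step 7 as a placeholder. The password is prompted for interactively so it is never written into a script, a GPO or SYSVOL.

```powershell
# Added example (not from the original post): local equivalent of the GPO settings.
# Assumptions: elevated PowerShell 5.1+ with the LocalAccounts module; $AdminName is a placeholder.
param(
    [string]$AdminName = 'Ecorp'   # assumption: the name chosen in step 7
)

# Prompt for the password so it never lands in a script file or in SYSVOL.
$password = Read-Host -Prompt "Password for $AdminName" -AsSecureString

# Steps 7-8: create (or update) the account; password and account never expire.
if (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name $AdminName -Password $password -PasswordNeverExpires $true
} else {
    New-LocalUser -Name $AdminName -Password $password `
        -PasswordNeverExpires -AccountNeverExpires | Out-Null
}

# The piece the Update below says the GPO alone does not do: local Administrators membership.
$alreadyMember = Get-LocalGroupMember -Group 'Administrators' -Member $AdminName -ErrorAction SilentlyContinue
if (-not $alreadyMember) {
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminName
}

# Steps 10-11: disable the built-in Administrator. Look it up by its well-known RID (500)
# instead of by name, because the account may have been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    Disable-LocalUser -Name $builtin.Name
}

# Show the resulting state of both accounts.
$names = @($AdminName)
if ($builtin) { $names += $builtin.Name }
Get-LocalUser -Name $names | Select-Object Name, Enabled, PasswordExpires, PasswordRequired
```

Run it once per machine in an elevated session; it is idempotent, so re-running only updates the password and leaves an already-disabled built-in account alone.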

Update: It came to my attention that this only creates a local user. This is correct. The above process creates a local user on your systems. Please see the next post on how to add these users as local administrators.


12 thoughts on “Create Local Administrator Account through Group Policy (GPO)”

  1. Roger, January 6, 2014 at 7:25 am

    Hello,
    The steps work well to create the new local administrator account. Unfortunately, it does not make the new user a member of the administrators group as the standard built-in administrator account. What can be done to accomplish this?
    Thanks,
    Roger

    • Daniel Eckes, January 18, 2014 at 11:01 am

      Hey Roger, Thanks for catching this. In my next post in the series I show how to add users to the Administrators group through GPO. In this particular case you want to add the local user you created to the list of users you are adding. I just tested it and it works great. I will update both posts to reflect this.

  2. Mike, April 25, 2014 at 4:05 am

    Hi Daniel,

    any idea how to disable the creation of new groups in AD structure? I am particularly interested in prohibiting the creation of a Group in which name one has a space. Like Users New instead of Users_New.

    • Scott, June 8, 2014 at 4:09 pm

      Hi Daniel,

      did you ever complete the add local admins through GPO instruction?
      I volunteer at a church and we sure could use this. It gives us quite the run-around when people log on to different computers and the software they need cannot be installed because they need local admin privileges. If you could direct me to the post I would greatly appreciate it.

      Thank you.
      Scott

    • Daniel Eckes, July 12, 2014 at 11:02 am

      Scott,

      I did finish the article. There is a link at the bottom. Here is the second part, where you add the local user to the Administrators group: http://www.dannyeckes.com/create-local-administrator-security-group-gpo/

      Thanks,

    • Daniel Eckes, July 12, 2014 at 11:04 am

      Sorry Mike, I do not know. I’d imagine this is just something you’d have to manage. Typically you don’t have lots of people making groups in AD, just domain admins. So make sure the admins are following a naming convention.

      Thanks,

  3. Mark, January 26, 2015 at 11:19 am

    Danny,

    This method of adding a local user no longer works. Microsoft has removed the ability to add a password for the local user, due to insecurely stored passwords. MS KB2962486

  4. Fabian, February 3, 2015 at 10:53 pm

    Hi,
    the way you mentioned is no longer supported: http://support.microsoft.com/kb/2962486/en-us
    Regards,
    Fabian

  5. Bogusław Świerczek, August 19, 2015 at 5:31 am

    Hi,

    I managed to make it this way in one GPO:
    On the AD server:
    1) Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups/…. NEW->Local User (Create), type the admin name manually
    2) Computer Configuration/Preferences/Control Panel Settings/Local Users and Groups/…. NEW->Local Group (Update)
    a) type the Administrators name manually (this will be interpreted as the built-in group on the PC)
    b) type the group member, like “rootguest” or another name you want

    On the PC:
    Type gpupdate and you will see the new user assigned to the local Administrators group.

  6. Hasan, September 9, 2015 at 3:50 am

    I have successfully created a local user with the name “Support” on all of my domain computers using the above method, but the problem is that this local user account is not getting added to the Administrators group. When I log in on the computer with this local account “Support”, it does not let us do any administrative task.

    Please help.
    Many thanks

  7. Tadas, October 25, 2015 at 2:26 am

    IMPORTANT: This no longer works. You cannot create a local user – Microsoft has identified vulnerability with CPassword and disabled an option to provide a password when creating new local user. More info here: https://support.microsoft.com/en-gb/kb/2962486
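KB2962486 (MS14-025) stops the editor from setting new passwords in Group Policy Preferences, but it does not remove cpassword values already present in existing GPOs, so a policy built with the steps in this post keeps its stored credential in SYSVOL until someone edits it. The following audit script is an added example, not part of the post or of Microsoft's KB; it walks the Preferences XML files under SYSVOL, reports every item that still carries a cpassword attribute, and deliberately does not decode anything. It assumes the caller has read access to SYSVOL (which every authenticated domain user has) and, optionally, the GroupPolicy module for resolving GPO names.

```powershell
# Added example (not from the original post): find GPP items that still store a cpassword.
# Assumptions: reachable SYSVOL share; $Domain defaults to the current user's domain.
param(
    [string]$Domain = $env:USERDNSDOMAIN
)

$policyRoot = "\\$Domain\SYSVOL\$Domain\Policies"
if (-not (Test-Path $policyRoot)) {
    throw "Cannot reach $policyRoot"
}

# GPP XML lives under <GPO GUID>\{Machine,User}\Preferences\<area>\<area>.xml
$prefFiles = Get-ChildItem -Path $policyRoot -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -match '\\Preferences\\' }

$canResolve = [bool](Get-Command Get-GPO -ErrorAction SilentlyContinue)

$findings = foreach ($file in $prefFiles) {
    # Any element with a cpassword attribute is a stored credential (Groups.xml, Services.xml,
    # ScheduledTasks.xml, DataSources.xml, Drives.xml). Record its location only.
    $hits = Select-Xml -Path $file.FullName -XPath '//*[@cpassword]' -ErrorAction SilentlyContinue
    foreach ($hit in $hits) {
        $node    = $hit.Node
        $gpoGuid = $file.FullName -replace '.*\\Policies\\(\{[^}]+\}).*', '$1'
        $gpoName = if ($canResolve) {
            try { (Get-GPO -Guid $gpoGuid.Trim('{}') -ErrorAction Stop).DisplayName } catch { '(unresolved)' }
        } else { '(GroupPolicy module not loaded)' }

        [pscustomobject]@{
            GpoGuid  = $gpoGuid
            GpoName  = $gpoName
            File     = $file.FullName
            ItemType = $node.ParentNode.LocalName          # User, Group, Service, Task, ...
            ItemName = $node.ParentNode.GetAttribute('name')
            # An empty cpassword means the password was already cleared; a non-empty one is a finding.
            HasValue = -not [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
        }
    }
}

$findings | Where-Object HasValue | Format-Table GpoGuid, GpoName, ItemType, ItemName, File -AutoSize
if (-not ($findings | Where-Object HasValue)) { Write-Host "No stored GPP passwords found under $policyRoot" }
```

Each row is a GPO that needs editing: remove the password from the preference item (or delete the item) and rotate the credential it carried, since anyone with domain credentials could have read the file. For ongoing local admin passwords, Microsoft LAPS is the supported replacement for this pattern.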

  8. Pauline, July 27, 2016 at 6:34 am

    I like the presentation on how to create a local administrator account through Group Policy (GPO), but I would like to learn how to create a domain, forest and others.
    thanks

Copyright © 2013 DannyEckes.com. All rights reserved. | Site design by Daniel J. Eckes | Privacy