Print Friendly
Categories Tags 8 Comments Author Related Posts
  • No Related Posts

Featured Image


Show Extras

If you want certain members to be local administrators of computers, you can do it through Group Policy. The idea here is to create a Local Admin security group and then a GPO that adds that security group to the local Administrators group of the computer.

Create the Security Group

  1. Open Active Directory Users and Computers
  2. Select your Security Group OU
  3. Right Click and select New > Group
  4. Give the Group a name, I used “SG – Local Admins”

Create the GPO

  1. Open Group Policy Management Console.
  2. Right click the OU that contains the systems you want to set the local admin on
  3. Select “Create a GPO in this domain, and Link it here…”
  4. Name the GPO. I used “Set Local Administrators”
  5. Right Click the GPO and select Edit.
  6. Set the following:
    1. Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
    2. Right Click and select “Add Group…”
    3. Select browse and add the Administrators group
    4. Select OK
    5. Double click Administrators
    6. Select Add for “Members of this group:”
    7. Browse and find your security group. I added “SG – Local Admins”

Screen Shot 2013-10-05 at 1.47.08 PM

That should be it. Now you can set which users of the domain are local administrators of their computers.

Update: You can use the above process to add local users to the administrator group as well. When adding the security group, you can just type in the local administrator’s username created in the previous post. It would then look like the following:

Screen Shot 2014-01-18 at 10.58.43 AM

Series Navigation<< Create Local Administrator Account through Group Policy (GPO)

Post a Comment

Your email is never published nor shared. Required fields are marked *


8 thoughts on “Create Local Administrator Security Group with GPO

  1. Reply BigDog42 February 5, 2015 at 6:22 am


    When I attempt to add the local user I created it does not seem to locate the user.

    Basically I created a local user through GPO in the previous step but am unable to locate it in this step (of course because I am doing this from the DC).

    How do I select to add the local user created through GPO into the local admin group.

  2. Reply Noufal February 8, 2015 at 6:19 am

    Good working fine

  3. Reply Henry May 14, 2015 at 5:55 pm

    You can add this user to the local Administrators group through the local computer’s lusrmgr mmc, but as soon as the GPO defining the Restricted Groups is applied to the computer again (which it will every 90 minutes by default or at the next login), it is removed from the local computer’s Administrators group because the GPO sees that the account is not a part of the Administrators group named in the Restricted Groups. It would be helpful if this user could be added to the Restricted Groups GPO setting, but since it is a local account and not a domain account, it is not aware of this user and cannot it to the group.

  4. Reply Henry May 14, 2015 at 6:11 pm

    Nevermind. I figured out how to do it. You can’t search for it because it won’t be in the domain and AD of course won’t know which local accounts are on each machine, so you just have to type it in manually. After the GPO updates, the account should be in the Administrators group. Sorry for the mixup.

  5. Reply Lars Panzerbjørn January 11, 2016 at 7:12 am

    This is indeed nifty, but is there a way to specify a group based on the server that is getting the policy?
    For example, I have a different group for servers A, B & C, and I don’t want them all to have the same groups as admin.

    • Ken July 6, 2016 at 2:36 pm

      Be carefull setting this if trying to combo a new local user and adding them to local administrator group. it will wipe out any user already in the local admin group from the domain.

      Make sure you add the user and choose the this groups is a member of because if you use the top option. Members of this group it will remove others not listed in here.

  6. Reply Techno4x4 March 15, 2016 at 10:49 am

    Be careful when using this as it will overwrite any other policies that add user accounts to the Administrators group. i.e. Domain Admins and any domain service accounts will be removed unless added to this policy.

  7. Reply Shane June 2, 2016 at 7:03 am

    This will delete any current accounts that have Local admin access already to their PC.

Copyright © 2013 All rights reserved. | Site design by Daniel J. Eckes | Privacy