This tutorial shows you how to add specific users to the local Administrators group via Group Policy. This is very useful when you need to give specific users admin access on domain computers without granting them Domain Admin rights.
There are two ways to achieve this:
- Adding users to the local Administrators group by modifying the members of the Administrators group. This method overwrites the existing members of the Administrators group.
- Adding users to a new security group, then changing the membership of this new group to make it a member of the Administrators group. This method doesn’t overwrite the existing members of the Administrators group.
In this tutorial, we will be discussing the second method. We will first create a new security group and add users to this group. Then we will change the membership of this group and add it as a member of BUILTIN\Administrators.
Follow these steps to configure the policy and deploy it on the target OU.
First, open Active Directory Users and Computers and create a group that will be added to the local Administrators group on domain computers.
Create a group and provide a name for it. In this tutorial we are creating a group named ServerAdmins. We will use this group to provide admin access on some servers in a specific OU.
Now add users to this newly created group. These users will be given Administrator access on the target computers/servers.
Next, we need to create the Group Policy that gives this group admin rights on the target computers/servers.
Open the Group Policy Console: go to Run, type gpmc.msc and press Enter.
In the Group Policy Console, right-click on Group Policy Objects and select New to create a new policy.
Provide a name for the new group policy. In this tutorial, we are using Add Group to LocalAdmins as the name of our group policy.
After you have created the group policy, right-click on it and select Edit… This will open the Group Policy Editor.
In the Group Policy Editor console, go to the following path:
Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
Right-click in the right pane and select Add Group…
Now click on Browse and select the group that you created earlier.
Finally, click OK.
A new properties window will open. Click on the Add button under This group is a member of:
In the browse window, select the Administrators group and click OK twice.
Finally, click Apply and then OK.
Close the Group Policy Editor and return to the Group Policy console.
Our policy is ready. It’s time to deploy it on the target computers/servers. Move all target computers/servers to a new OU. If you already have them in the right place, simply right-click on the target OU (which contains the servers/computers on which the policy is to be deployed) and select Link an Existing GPO…
Now select the newly created GPO and click OK.
The policy has been deployed on the selected OU. It will be replicated in the next Group Policy refresh cycle.
It’s time to check the policy. Go to a client computer on which this policy is applied and run gpupdate once. Now open Computer Management > Local Users and Groups > Groups and double-click on the Administrators group. The newly created group should show up there. If it does not appear, try restarting the computer.
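To run the same check across every computer in the target OU, and to review the members this method leaves in place, the following script can be used. It is an added example, not part of the original tutorial; the OU distinguished name and the EXAMPLE domain prefix are placeholders, and it assumes PowerShell remoting (WinRM) is enabled on the targets and the RSAT ActiveDirectory module is installed where it runs.

```powershell
# Added example: audit BUILTIN\Administrators on every computer in the target OU.
# Placeholders (not from the tutorial): the OU DN and the EXAMPLE domain name.
# Assumes WinRM is enabled on the targets and the ActiveDirectory module is available.
Import-Module ActiveDirectory

$TargetOU      = 'OU=Servers,DC=example,DC=com'   # placeholder OU that the GPO is linked to
$ExpectedGroup = 'EXAMPLE\ServerAdmins'           # placeholder domain + the tutorial's group

$computers = Get-ADComputer -SearchBase $TargetOU -Filter * |
    Where-Object { $_.DNSHostName } |
    Select-Object -ExpandProperty DNSHostName

$report = foreach ($computer in $computers) {
    try {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
        # so the lookup does not depend on the OS display language.
        $members = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -SID 'S-1-5-32-544' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
        [pscustomobject]@{
            Computer      = $computer
            # True once the Restricted Groups setting has been applied
            PolicyInPlace = $members.Name -contains $ExpectedGroup
            # "This group is a member of" leaves earlier members untouched,
            # so everything else in the group is listed here for review.
            OtherMembers  = ($members.Name | Where-Object { $_ -ne $ExpectedGroup }) -join '; '
            Error         = $null
        }
    }
    catch {
        # Unreachable hosts or failed queries are reported instead of being skipped
        [pscustomobject]@{
            Computer      = $computer
            PolicyInPlace = $false
            OtherMembers  = $null
            Error         = $_.Exception.Message
        }
    }
}

$report | Sort-Object PolicyInPlace, Computer | Format-Table -AutoSize -Wrap
```

Computers showing PolicyInPlace as False have not yet processed the GPO or could not be queried; the OtherMembers column shows the accounts that held local admin rights before the policy and still do.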
This tutorial covered adding a user group to the local Administrators group on domain computers/servers via Group Policy. The method described above adds the new group to the local Administrators group without overwriting the existing members of the group. Hope this tutorial helps you. In case you have any queries or suggestions, feel free to comment below.