Active DirectoryGroup Policies

Adding Users to the Local Admin Group via Group Policy

By February 15, 2021No Comments

You can use Group Policy to add Active Directory users and groups to the local Administrators group on domain-joined servers and workstations. This allows you to grant local admin privileges on domain computers to technical support staff, HelpDesk team, specific users or other privileged accounts. In this post we’ll show how to manage members of the local Administrator group on domain computers using Group Policy.

Local Administrators Group in Active Directory Domain

When you joining a computer to an AD domain, the Domain Admins group is automatically added to the local Administrators group, and the Domain User group is added to the local Users group.

The easiest way to grant local admin privileges on a computer is to add a user or group to the local security group Administrators using the Local users and groups snap-in (lusrmgr.msc). However, this method is not convenient if there are a lot of computers and in some time unwanted people may stay the members of the privileged group. If you are using this method of granting local privileges, it is not convenient to control the members of the local admins group on each domain computer.

add user to the local administrator group manually using local users and groups snap-in (lusrmgr.msc)

Microsoft recommends using the following groups to separate administrative privileges in an AD domain:

  1. Domain Admins are used only on domain controllers; From the security point of view for privileged administrator accounts, it is not recommended to perform daily administration tasks on workstations and servers under an account with the Domain Admin privileges. These accounts must be used only for AD management  (adding new domain controllers, replication management, Active Directory schema modification, etc.). Most user, computer or GPO management tasks must be delegated to regular administrator accounts (without Domain Admin permissions). Do not use Domain Admin accounts to log on to any workstations or servers other than domain controllers.
  2. Server Admins is a group that allows to manage the domain member servers. It must not be a member of the Domain Admins group or local Administrators group on your workstations;
  3. Workstation Admins is a group for performing administrative tasks on workstations only. Must not be a member of the Domain Admins and Server Admins groups;
  4. Domain Users are common user accounts to perform typical office operations. They must not have any administrator privileges on servers or workstations.

You can also completely refuse from providing any administrator privileges to domain users or groups. In this case, the built-in local Administrator account with a password stored in AD (LAPS-based) is used to perform administrative tasks on workstations.

Suppose, you want to grant local administrator privileges on computers in the specific OU to the group of technical support and HelpDesk employees. Create a new security group in your domain using PowerShell and add the technical support accounts to it:

New-ADGroup WorkStationAdmins -path 'OU=Groups,DC=contoso,DC=com' -GroupScope Global –PassThru
Add-AdGroupMember -Identity WorkStationAdmins -Members john.smith, jane.doe

Open the domain Group Policy Management console (GPMC.msc), create a new policy (GPO) AddLocaAdmins and link it to the OU containing computers (in my example, it is ‘OU=Computers,DC=contoso,DC=com’).

AD Group Policy provides two methods to manage local groups on domain computers. Let’s look at them in turn:

  • Local groups management using Group Policy Preferences;
  • Restricted Groups.

How to Add Domain Users to the Local Administrators via GPO Preferences?

Group Policy Preferences (GPP) provide the most flexible and convenient way to grant local administrator privileges on domain computers through a GPO.

  1. Open the AddLocaAdmins GPO you created earlier in the Edit mode;
  2. Go to the following GPO section: Computer Configuration –> Preferences –> Control Panel Settings –> Local Users and Groups;
  3. Add a new rule (New -> Local Group); group policy preferences manage local groups
  4. Select Update in the Action field;
  5. In the Group Name dropdown list, select Administrators (Built-in). Even if this group has been renamed on the computer, the settings will be applied to the local Administrators group by its SID — S-1-5-32-544;
  6. Click the Add button and select the groups you want to add to the local administrators group; If you want to remove manually added users and groups from the current local Admins group, check the “Delete all member users” and “Delete all member groups” options. In most cases it is reasonable since you guarantee that only the assigned domain groups will have administrator permissions on your domain computers. Then if you add a user to the Administrators group manually using the “Local users and groups” snap-in, it will be automatically removed next time when the policy is applied.add domain user group to the local admin group using gpo
  7. Save the policy and wait till it is applied on the workstation. To apply the policy immediately, run this command gpupdate /force on a user computer;
  8. Open the lusrmgr.msc snap-in on any computer and check the local Administrators group members. Only the WorkStationAdmins group will be added to this group, while other users and groups will be removed. You can display the list of the local administrators using the command: net localgroup Administrators

If the policy has not been applied on a domain computer, use the gpresult command to diagnose the problem. Also make sure that the computer is located in the OU the GPO is linked to and check the recommendations from the post “Group policy objects not being applied to computers“ .

You can configure additional (granular) conditions for targeting the policy on the specific computers using the GPO WMI filters or Item-level Targeting.

In the second case, go to the Common tab and check the Item-level targeting. Click Targeting. Here you can specify the conditions when the policy will be applied. For example, I want the policy of adding administrator groups to be applied only to Windows 10 computers, which NetBIOS/DNS names don’t contain adm. You can use your own filtering options.

Updating Administrators (built-in) group with GPO item-level targeting

It is not recommended to add individual user accounts to this policy. It is better to use the domain security groups. In this case, to grant administrator privileges to another tech support employee, it is enough to add them to the domain group (you won’t need to edit the GPO).

Managing Local Admins Group Using Restricted Groups

The Restricted Groups policy also allows to add domain groups/users to the local security group on computers. It is an older method of granting local administrator privileges and is used less often now (it is less flexible than that the Group Policy Preferences method).

  1. Open a GPO in the editing mode;
  2. Expand the section Computer Configuration -> Policies -> Security Settings -> Restricted Groups;
  3. Select Add Group in the context menu;gpo restricted group policy
  4. In the next window, type Administrators and then click OK; gpo: add to local admin
  5. Click Add in the Members of this group section and specify the group you want to add to the local admins;
  6. Save the changes, apply the policy to user computers and check the local Administrators group. It must contain only the group you have specified in the policy.

This policy always removes all other members of the local administrators group (added manually, or using other policies or scripts). If several policies with the Restricted Groups settings are active for a computer, only the last one is applied. You can bypass this limitation by first adding the WorkStationAdmins group to the Restricted Groups, and then adding this group to the Administrators group.

Using GPO to Add a Single User to the Local Admin Group on a Specific Computer

Sometimes you may need to grant a single user the administrator privileges on the specific computer. For example, you have several developers who need elevated privileges from time to time to test drivers, debug or install them on their computers. It is not advisable to add them to the group of workstation admins on all computers.

To grant local administrator privileges on the specific computer, you can use the following scheme:

Right in the GPO preference section (Computer Configuration –> Preferences –> Control Panel Settings –> Local Users and Groups) of AddLocalAdmins policy created earlier create a new entry for the Administrators group with the following settings:

  • ActionUpdate
  • Group NameAdministrators (Built-in)
  • Description: “Add john.smith to the local administrators on the dev-wks-01 computer
  • Members: Add -> john.smith add user user to the local admin group using group policy preferences
  • In the Common -> Targeting tab, specify this rule: “the NETBIOS computer name is dev-wks-01.” It means that this policy will be applied only to the computer specified here. gpo: adding local admin permissions on specific computer only

Also, pay attention to the order in which groups are applied on the computer (the Order GPP column). Local group settings are applied from top to bottom (starting from the Order 1 policy).

The first GPP policy (with the “Delete all member users” and “Delete all member groups” settings as described above) removes all users/groups from the local administrator groups and adds the specified domain group. Then the additional  computer-specific policies are applied that add the specified user to the local admins. If you want to change the membership order in your Administrators group, use the buttons on top of your GPO Editor console.

Leave a Reply