To grant local administrator permissions on domain computers to the HelpDesk staff, specific users, and other privileged accounts, the necessary Active Directory users or groups must be added to the local Administrators group on the target servers or workstations. In this article, we’ll show you how to manage members of the local Administrators group on domain computers manually and through GPO.
On a single computer in an Active Directory domain, a user can be manually added to the local Administrators group. It is preferable to use a centralized method, such as domain Group Policies, to manage the local Administrators group membership on computers. This approach is more convenient and secure than manually adding users to the local group on each computer. The AD Group Policy offers two ways to manage local groups on domain computers.
- Restricted Groups GPO feature – this is an old method of managing local group membership that is rarely used now.
- Managing local groups with Group Policy Preferences – this is the most flexible way and is ideal for managing members of the local Administrators group on domain computers.
- Manually Add a User Account to the Local Admins Group
- How to Add Domain Users to Local Administrators via Group Policy Preferences
- Adding a Single User to the Local Admins Group on a Specific Computer with GPO
- Create a Local Administrators Group for Each Computer
- Managing Local Admins with Restricted Groups GPO
Manually Add a User Account to the Local Admins Group
After a computer joins an Active Directory domain, the Domain Admins group is automatically added to the local Administrators group, and the Domain Users group is added to the local Users group. Other user accounts can be added to the Administrators group either manually or through a GPO.
The easiest way to grant local administrator rights on a specific computer for a user or group is to add them to the local Administrators group using the graphical Local Users and Groups snap-in (lusrmgr.msc).
Click the Add button and specify the name of the user, group, computer, or service account (gMSA) that you want to grant local administrator rights. Use the Location button to switch between searching for principals in the domain or on the local computer.
You can also use the command prompt to list members of the local Administrators group:
net localgroup administrators
Or use PowerShell to list users in a local group:
Get-LocalGroupMember administrators
The output shows the ObjectClass of each member that has been granted administrator permissions (User, Group, or Computer) and its PrincipalSource (Local, ActiveDirectory, AzureAD, or MicrosoftAccount).
To add the domain group munWksAdmins (or a domain user) to the local Administrators group, run the command:
net localgroup administrators woshub\munWksAdmins /add
Do not append the /domain switch here: it makes net localgroup run against the domain controller of the current domain instead of the local computer.
Or add user accounts to the local Administrators group using PowerShell:
Add-LocalGroupMember -Group Administrators -Member ('woshub\j.smith', 'woshub\munWksAdmins', 'wks1122\user1') -Verbose
In this example, we added a domain user (j.smith), a domain group (munWksAdmins), and a local user (wks1122\user1) to the computer's Administrators group.
You can add users to the Administrators group on multiple computers at once. Use the Invoke-Command cmdlet from PowerShell Remoting to access the remote computers over a network:
$WKSs = @("PC001", "PC002", "PC003")
Invoke-Command -ComputerName $WKSs -ScriptBlock { Add-LocalGroupMember -Group Administrators -Member 'woshub\munWksAdmins' }
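The same remoting fan-out is more useful for auditing than for adding: the script below (an added example, not code from the original article) collects the Administrators membership from a list of workstations and reports every member that is not on an approved allowlist. The computer names, the WOSHUB domain prefix, and the allowlist are placeholders; it assumes PowerShell Remoting is enabled and the caller is a local administrator on the targets.

```powershell
# Added example (not from the original article): audit BUILTIN\Administrators on a
# list of domain workstations and report members that are not on the allowlist.
# Assumptions: PowerShell Remoting is enabled, the caller is a local admin on the
# targets, the domain NetBIOS name is WOSHUB. Names below are placeholders.

$Computers = @('PC001', 'PC002', 'PC003')

# Principals that are allowed to be in BUILTIN\Administrators on a workstation.
# The built-in Administrator account (RID 500) is always tolerated separately.
$Allowed = @(
    'WOSHUB\Domain Admins',
    'WOSHUB\munWksAdmins'
)

function Get-AdminGroupDrift {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [object[]] $Members,       # Name, ObjectClass, PrincipalSource, SID (string)
        [Parameter(Mandatory)] [string[]] $AllowedNames
    )
    foreach ($m in $Members) {
        # The built-in Administrator keeps its RID (-500) even when renamed.
        $isBuiltInAdmin = ($m.SID -match '-500$') -and ($m.ObjectClass -eq 'User') -and ($m.PrincipalSource -eq 'Local')
        $isApproved     = $AllowedNames -contains $m.Name   # -contains is case-insensitive
        if (-not $isBuiltInAdmin -and -not $isApproved) {
            [pscustomobject]@{
                ComputerName    = $ComputerName
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass      # User, Group or Computer
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                SID             = $m.SID
            }
        }
    }
}

# One remoting fan-out for all targets. Unreachable hosts are collected in
# $remoteErrors instead of aborting the run.
$results = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
    # Address the group by its well-known SID so a renamed Administrators group is still found.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'SID'; e = { $_.SID.Value } }
}

$drift = foreach ($computer in $Computers) {
    $members = @($results | Where-Object PSComputerName -eq $computer)
    if ($members.Count -gt 0) {
        Get-AdminGroupDrift -ComputerName $computer -Members $members -AllowedNames $Allowed
    }
}

# Individual user accounts listed here are exactly what the recommendations at the
# end of the article say should not exist: admin rights should come via domain groups.
$drift | Sort-Object ComputerName, Member | Format-Table -AutoSize
$remoteErrors | ForEach-Object { Write-Warning "Remote query failed: $($_.Exception.Message)" }
```

Run it from a management host before rolling out the GPO described in the next section: whatever it lists is what the "Delete all member users/groups" options will remove.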
How to Add Domain Users to Local Administrators via Group Policy Preferences
Group Policy Preferences (GPP) offer the most flexible and convenient method for granting local administrator privileges on domain computers through a GPO.
Suppose the task is to grant local administrator privileges on computers in a specific Active Directory OU (Organizational Unit) to a HelpDesk team group. Create a new security group in your domain using PowerShell and add the Helpdesk team accounts to it:
New-ADGroup munWKSAdmins -Path 'OU=Groups,OU=Munich,OU=DE,DC=woshub,DC=com' -GroupScope Global -PassThru
Add-ADGroupMember -Identity munWKSAdmins -Members amuller, dbecker, kfisher
Open the domain Group Policy Management console (GPMC.msc), create a new GPO named AddLocalAdmins, and link it to the OU containing the workstations (in my example, it is OU=Computers,OU=Munich,OU=DE,DC=woshub,DC=com).
- Edit the AddLocalAdmins GPO you created earlier.
- Navigate to Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups;
- Add a new rule (New -> Local Group);
- Select Update in the Action field (an important option!);
- Select Administrators (Built-in) in the Group Name dropdown list. Even if this group has been renamed on the computer, the settings will be applied to the local Administrators group by its well-known SID (S-1-5-32-544);
- Click the Add button and select the groups you want to add to the local Administrators group (in our case, this is munWKSAdmins).
- To remove all manually added users and groups from the local Administrators group on all computers, check the "Delete all member users" and "Delete all member groups" options. This ensures that only approved domain groups have administrator permissions on your domain workstations. If a user is added to the Administrators group manually using the Local Users and Groups snap-in, that membership is removed the next time the Group Policy is applied.
- Save the GPO and wait for it to be applied to the client workstations. To apply the Group Policy settings immediately, run gpupdate /force on a user's computer.
Open the lusrmgr.msc snap-in on the target domain computer and check the local Administrators group members. Only the munWKSAdmins group should be added to this group, while other users and groups should be removed (except for the built-in Windows Administrator account).
After this, open the Application log in Event Viewer on the client and filter by the Group Policy Local Users and Groups source. These events show whether each preference item was applied and, if it was not, why. A successful run is logged as:
The computer 'Administrators (built-in)' preference item in the 'AddLocalAdmins' Group Policy Object applied successfully.
If the GPO is not applied to a domain computer, use the gpresult command to troubleshoot the resulting GPO settings.
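The two checks above (the Application log and gpresult) can be done from one elevated PowerShell session on the client. The script below is an added example, not code from the original article; it assumes the GPO is named AddLocalAdmins (a placeholder) and that the computer has refreshed its policy at least once.

```powershell
# Added example (not from the original article): on a client, show the outcome of
# the "Local Users and Groups" preference item for a given GPO, then confirm the
# GPO is in the applied list. Assumptions: GPO name is a placeholder; run elevated.

$GpoName = 'AddLocalAdmins'

# GPP Local Users and Groups logs its result to the Application log under this
# provider name. The message text names the preference item and the GPO.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Group Policy Local Users and Groups'
} -MaxEvents 50 -ErrorAction SilentlyContinue

$latest = $events |
    Where-Object { $_.Message -like "*'$GpoName'*" } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 1

if (-not $latest) {
    Write-Warning "No Group Policy Local Users and Groups event references GPO '$GpoName'. The GPO may not be applied to this computer at all."
} else {
    [pscustomobject]@{
        TimeCreated = $latest.TimeCreated
        Level       = $latest.LevelDisplayName   # Information on success; Error or Warning on failure
        Id          = $latest.Id
        Message     = $latest.Message            # e.g. "... preference item ... applied successfully."
    } | Format-List
}

# Independently of the log, confirm the GPO is in the computer's applied list.
# "filtered out" lines explain a GPO that is linked but not applied (security
# filtering, WMI filter, or a disabled link).
gpresult /r /scope:computer | Select-String -Pattern $GpoName, 'Applied Group Policy Objects', 'filtered out'
```

If the event exists but reports an error, the message usually names the member that could not be resolved (a deleted or mistyped domain group); if no event exists, gpresult is the place to look.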
Adding a Single User to the Local Admins Group on a Specific Computer with GPO
Sometimes you may need to grant a single user the administrator privileges on a specific computer. For example, you have several developers who periodically need elevated privileges to test, debug, or install drivers on their computers. It is not secure to add them to the workstation admin group, which has privileges on all domain workstations.
You can use either GPO WMI filters or Item-level Targeting to grant local admin permission to a specific computer.
Create a new entry in the GPO Preferences section (Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups) of the AddLocalAdmins policy that was created earlier:
- Action: Update
- Group Name: Administrators (Built-in)
- Members: Add -> amuller
- On the Common -> Targeting tab, configure the rule "the NETBIOS computer name is mun-dev-wks24". This means that this Group Policy item will only be applied to the specified computer.
Also, note the order in which the group membership items are processed on the computer (the Order column in the GPP list). Items are applied from top to bottom, starting with Order 1.
The first GPP item (with the "Delete all member users" and "Delete all member groups" options enabled) removes all users and groups from the local Administrators group and adds the specified domain group. Then the computer-specific items are applied, adding the specified user to the local Administrators group. Use the buttons at the top of the GPO editor console to change the order in which the items are applied.
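Everything configured in the editor for these items (action, the delete-all flags, members, item-level targeting, and the processing order) is stored as Groups.xml inside the GPO in SYSVOL. The script below is an added example, not code from the original article: it parses that file and prints the items in processing order, flagging a delete-all item that is not first. The embedded XML is a constructed sample modelled on the Groups.xml layout, with placeholder GPO, group and computer names; point $GroupsXmlPath at a real file under \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Preferences\Groups\Groups.xml to audit a live GPO.

```powershell
# Added example (not from the original article): list the "Local Users and Groups"
# preference items of a GPO in processing order, with delete-all flags, members and
# item-level targeting. The XML below is a constructed sample modelled on Groups.xml;
# names are placeholders. Set $GroupsXmlPath to the SYSVOL file to audit a real GPO.

$GroupsXmlPath = $null

$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" newName="" description="" deleteAllUsers="1" deleteAllGroups="1" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="WOSHUB\munWKSAdmins" action="ADD" sid="" />
      </Members>
    </Properties>
  </Group>
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="WOSHUB\amuller" action="ADD" sid="" />
      </Members>
    </Properties>
    <Filters>
      <FilterComputer bool="AND" not="0" type="NETBIOS" name="mun-dev-wks24" />
    </Filters>
  </Group>
</Groups>
'@

$xml = if ($GroupsXmlPath) { [xml](Get-Content -Path $GroupsXmlPath -Raw) } else { [xml]$sampleXml }

# Single-letter action codes in the XML map to the names shown in the editor.
$actionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

$order = 0
$items = foreach ($g in $xml.Groups.Group) {
    $order++                                    # document order is the processing order
    $p = $g.Properties
    $members = @($p.Members.Member | ForEach-Object { "$($_.action) $($_.name)" })
    # Item-level targeting lives under <Filters>; each child is one targeting rule.
    $filters = @($g.Filters.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } | ForEach-Object {
        $rule = "$($_.LocalName) $($_.GetAttribute('type')) $($_.GetAttribute('name'))"
        if ($_.GetAttribute('not') -eq '1') { $rule += ' (NOT)' }
        $rule
    })
    [pscustomobject]@{
        Order           = $order
        Group           = $p.groupName
        GroupSid        = $p.groupSid
        Action          = $actionNames[$p.action]
        DeleteAllUsers  = ($p.deleteAllUsers -eq '1')
        DeleteAllGroups = ($p.deleteAllGroups -eq '1')
        Members         = ($members -join '; ')
        Targeting       = if ($filters.Count -gt 0) { $filters -join ' ' } else { '(all computers)' }
    }
}

$items | Format-Table -AutoSize

# Items run top to bottom, so a delete-all item placed after other items wipes
# whatever those earlier items added on the computers it targets.
$items | Where-Object { $_.Order -gt 1 -and ($_.DeleteAllUsers -or $_.DeleteAllGroups) } | ForEach-Object {
    Write-Warning "Item $($_.Order) has delete-all set but runs after items 1..$($_.Order - 1); their members will be removed where item $($_.Order) applies."
}
```

On the sample, item 1 (delete-all, adds munWKSAdmins, no targeting) is followed by item 2 (adds amuller only where the NetBIOS name is mun-dev-wks24), which is the correct ordering; swapping the two in the editor would produce the warning.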
Create a Local Administrators Group for Each Computer
If you only want to add users as administrators on a specific computer, you can create a separate local admins group for each computer, which is a slightly different conceptual approach. The name of the security group will contain the computer name via the %ComputerName% environment variable in the Group Policy Preferences. This makes it easier to identify the group and grant permissions to users.
Create a separate security group in the domain with the format <Computer Name>_LocalAdmins for each computer where local admin permissions need to be granted to a specific user or group.
For example, I will use PowerShell to create a group for a computer with the hostname WKS25H12. The group is created only if an enabled computer account with that name exists in the domain:
$compname = "WKS25H12"
# -Filter returns nothing for a missing computer account, where -Identity would throw
If (Get-ADComputer -Filter "Name -eq '$compname'" | Where-Object { $_.Enabled -eq $true }) {
# ${compname} keeps the variable name separate from the _LocalAdmins suffix
New-ADGroup -Name "${compname}_LocalAdmins" -Path 'OU=Groups,OU=DE,DC=woshub,DC=com' -GroupScope Global
}
A security group containing the computer name will be created in the specified OU (WKS25H12_LocalAdmins in my case). Add users who require administrator privileges on this computer to this group.
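In a larger environment the per-computer groups are created in bulk rather than one at a time. The script below generalizes the snippet above (it is an added example, not code from the original article): it walks every enabled computer account in a workstation OU and creates the matching <ComputerName>_LocalAdmins group if it does not exist yet, so it can be re-run after new computers join. The OU paths and the naming suffix are placeholders; it assumes the RSAT ActiveDirectory module and rights to create groups in the target OU.

```powershell
# Added example (not from the original article): create <ComputerName>_LocalAdmins
# for every enabled computer in an OU, skipping groups that already exist.
# Assumptions: RSAT ActiveDirectory module available; OU paths are placeholders;
# the caller may create groups in $GroupOU.

Import-Module ActiveDirectory

$ComputerOU = 'OU=Computers,OU=Munich,OU=DE,DC=woshub,DC=com'
$GroupOU    = 'OU=LocalAdminGroups,OU=Groups,OU=DE,DC=woshub,DC=com'
$Suffix     = '_LocalAdmins'   # must match what the GPP item expects: %ComputerName%_LocalAdmins

function New-LocalAdminsGroupForComputer {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Path
    )
    # Braces keep the variable name separate from the suffix. NetBIOS computer
    # names are at most 15 characters, so the group name stays short.
    $groupName = "${ComputerName}${Suffix}"

    $existing = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $Path -ErrorAction SilentlyContinue
    if ($existing) {
        return [pscustomobject]@{ Computer = $ComputerName; Group = $groupName; Status = 'exists' }
    }

    New-ADGroup -Name $groupName -SamAccountName $groupName -Path $Path `
        -GroupScope Global -GroupCategory Security `
        -Description "Local administrator rights on $ComputerName (applied by GPP as %ComputerName%$Suffix)" | Out-Null
    return [pscustomobject]@{ Computer = $ComputerName; Group = $groupName; Status = 'created' }
}

# Only enabled computer accounts get a group; stale, disabled objects are skipped.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $ComputerOU -SearchScope Subtree |
    Select-Object -ExpandProperty Name

$report = foreach ($c in $computers) {
    New-LocalAdminsGroupForComputer -ComputerName $c -Path $GroupOU
}

$report | Format-Table -AutoSize
```

Run it on a schedule or from a computer-join workflow so that a group exists by the time the GPP item first resolves %ComputerName%_LocalAdmins on a new machine; if the group is missing, the preference item logs an error for that computer and adds nothing.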
- Create a new GPO to assign local administrator permissions and link it to the target OU (or edit an existing GPO).
- Go to Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups.
- Select New -> Local Group and configure the item:
Group name: Administrators (built-in)
Options: Delete all member users and Delete all member groups. Enable or disable these options to control whether all other administrators (added manually or by other GPOs) should be removed.
Members: Click Add and enter the group name in the following format: <Domain Name>\%ComputerName%_LocalAdmins
- Check the Remove this item when it is no longer applied option on the Common tab (when prompted, select No to automatically remove your group from the local Administrators group after the policy is unlinked).
- This policy adds an individual security group for each computer to the local Administrators group.
Using this approach, granting administrator permissions to a new user only requires adding the user to the domain group. This task can be delegated to the security department and doesn’t require editing the GPO.
Managing Local Admins with Restricted Groups GPO
The Restricted Groups GPO option also allows you to add domain groups or users to local security groups on computers. This is the legacy way of granting local administrator permissions, but it is rarely used now because the Group Policy Preferences method is more flexible.
- Edit your GPO;
- Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups;
- Select Add Group from the context menu;
- In the next window, type Administrators and then click OK;
- In the Members of this group section, click Add and specify the group you want to add to the local admins;
- Save the changes, apply the policy to users' computers, and check the members of the local Administrators group. It must only contain the group specified in the policy (plus the built-in Administrator account, which cannot be removed from the group).
These Group Policy settings always (!) remove all existing members of the local Administrators group (whether they were added manually, by other policies, or by scripts).
If you need to keep the current membership of the Administrators group and add an additional group to it using Restricted Groups:
- Create a new entry in Restricted Groups and, as the group name, select the AD security group you want to add to the local admins (not the local Administrators group);
- Then add Administrators in the This group is a member of section;
- Update the GPO settings on the client computer and make sure your domain group has been added to the local Administrators group. The current members of the local group are not removed.
Here are some recommendations for managing administrator permissions on Active Directory computers and servers. Microsoft’s classic security guidelines recommend using the following groups to grant administrative privileges within a domain.
- Domain Admins is used only on domain controllers. For security reasons, it is not recommended to perform daily administration tasks on workstations and servers under an account with Domain Admin privileges. These accounts should only be used for AD management tasks (adding new domain controllers, replication management, modifying the AD schema, etc.). Most user, computer, and policy management tasks within a domain can be delegated to regular administrator accounts (without Domain Admin permissions). Never use a Domain Admin account to log on to any workstation or server other than a domain controller.
- Server Admins is a group that allows managing the member Windows Server hosts in an AD domain. It should not be a member of the Domain Admins group and should not be added to the local Administrators group on user workstations.
- Workstation Admins is a group for performing administrative tasks on workstations only. Must not be a member of the Domain Admins and Server Admins groups.
- Domain Users are common user accounts used for typical office operations. They must not have administrator privileges on servers or workstations.
- It is not recommended to add individual user accounts to the local Administrators group. It is better to use domain security groups. In this case, granting local admin privileges to the next tech support employee requires only adding them to the domain group, without needing to edit the GPO.
15 comments
Thank you. This site is a gem.
Nice clear article.
but I have found an interesting behavior where adding user(s) or group(s) using the GPO Preference control panel works perfectly on Domain Members, but does not work at all on Domain Controllers.
I’m also not very clear if we can use a wildcard with the Netbios computer name is *TEST*
In the sense that I want only to target the server with the word TEST in their name
Domain Controllers don't have local groups. In the Computer Management snap-in you don't even see it anymore on a domain controller. Also, in my experience the NETBIOS item-level targeting does not work at all; if it is a single client that needs a special admin, just do it manually.
Amazing. Helped me with the exact GPO.
Great write up man! Exactly what I needed with clear instructions.
Very much appreciated.
The description mentioned in “Adding a Single User to the Local Admins Group on a Specific Computer with GPO” in step 3 is the description of the group which you see in the local mmc under “Local Users and Groups”. So you maybe don’t want “Add amuller to the local administrators on the mun-dev-wsk21 computer” as description for the local administrator group :).
Great explanation, thanks a lot. I have one tricky question. How can I know which admin account has added a member to this Administrators group? I tried the event log (IDs 4728, 4732, 4746, 4751, 4756, 4761) but I can't find who is responsible for these actions.
Could I use something like this to add domain users to a specific AD security group?
Use PowerShell to add users to AD groups. Why would you want to use a GPO to do this?
Add-ADGroupMember -Identity TestADGroup -Members user1, user2
Hi Guys,
As always, thank you very much for your help and guidance.
I have applied this in my testing environment but I am not able to see the GPO when I do a gpresult /r.
The gpo is deployed to authenticated users.
I have added domain computers and authenticated users as read.
The scenario that i am testing is adding a user to the local admin group.
Could you please help me understand what I am missing?
Thank you and best.
Peace.
One more thing, I can confirm that it is working, however, the rights are removed after a gpupdate /force, is this normal?
How to give admin privileges to a member of the domain on a Windows 10 PC from Computer Management? I go to Users, then what is the next step???
Thank you for the guide. I followed it and successfully configured the GPO. However, my question now is, how do I revoke local admin rights? Can I simply unlink the GPO, or is there another step required?
Yes. To undo changes, simply unlink the GPO.
Any added local administrator group members are removed after you unlink the GPO from the OU.
The best concept for large environments using variables in preferences is missing. Group for each computer can be auto-created in computer startup script or via preferences.
https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/using-group-policy-preferences-to-manage-the-local-administrator-group/259223