Assigning Local Administrator Priviledges using Group Policy

Published on
16,819 Points
5 Endorsements
Last Modified:


You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies.

This article will demonstrate how to do this easily and how to manage which computers receive the policy.

Step 1 – Creating the Group Policy

Using the Group Policy Management Console(GPMC) we can create a Group Policy.  I like to give all my Group Policies a relevant name and prefix but you may have something different in your organisation.

I am going to call min PERM_ClientLocalAdminPermissions

The PERM allows me to quickly identify this policy as being related to permissions and then a descriptive name.

Launch the GPMC and locate the Group Policy Objects container.  Right Click and select New. Enter the policy name as shown below and click OK
 RestrictedGroups-01.jpgOnce done, locate your policy in the list, right click and select Edit

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups (as shown below)
 RestrictedGroups-02.jpg You now need to do the following:
Right Click on Restricted Groups and select Add Group
Click the Browse button
In the Enter the object names to select check box enter the name of the group you want to add to the local Administrators group
Click OK
In the This group is a member of dialog box click Add
Click Browse
Click Locations and ensure your local machine is selected
In the Enter the object names to select check box enter Administrators
Click OK and then OK again.

Step 2 – Assigning the Policy

It’s not possible to assign a Group Policy to the default computers container.  So you will either need to do this at the root Domain level, which I wouldn’t recommend because it would also be applied to servers (by default) or create a new Organisational Unit (OU), move all the computer objects in here and then assign the policy.

To create a new OU launch Active Directory Users and Computers, right click on the domain name at the top and select New and then OU.

Enter the name for your new OU and then click OK.

You can then move the computer objects from the default Computers container in to your new OU, either by dragging or dropping them, or by right clicking and selecting Move.

If you do not wish to apply this policy to all computers then only copy the computer object you want.

Once this has been completed we can link the new Group Policy we have created to the new OU.

To do this, using GPMC navigate to your new OU and right click on it.  Select Link an Existing GPO then locate your new Group Policy in the list and click OK.

Congratulations! You have now assigned a Group Policy to add all members of a Domain Group to the local Administrators group on all computers located in your new Organisational Unit.
Author:Glen Knight
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free