Assigning Local Administrator Priviledges using Group Policy

Published on
16,476 Points
5 Endorsements
Last Modified:


You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies.

This article will demonstrate how to do this easily and how to manage which computers receive the policy.

Step 1 – Creating the Group Policy

Using the Group Policy Management Console(GPMC) we can create a Group Policy.  I like to give all my Group Policies a relevant name and prefix but you may have something different in your organisation.

I am going to call min PERM_ClientLocalAdminPermissions

The PERM allows me to quickly identify this policy as being related to permissions and then a descriptive name.

Launch the GPMC and locate the Group Policy Objects container.  Right Click and select New. Enter the policy name as shown below and click OK
 RestrictedGroups-01.jpgOnce done, locate your policy in the list, right click and select Edit

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups (as shown below)
 RestrictedGroups-02.jpg You now need to do the following:
Right Click on Restricted Groups and select Add Group
Click the Browse button
In the Enter the object names to select check box enter the name of the group you want to add to the local Administrators group
Click OK
In the This group is a member of dialog box click Add
Click Browse
Click Locations and ensure your local machine is selected
In the Enter the object names to select check box enter Administrators
Click OK and then OK again.

Step 2 – Assigning the Policy

It’s not possible to assign a Group Policy to the default computers container.  So you will either need to do this at the root Domain level, which I wouldn’t recommend because it would also be applied to servers (by default) or create a new Organisational Unit (OU), move all the computer objects in here and then assign the policy.

To create a new OU launch Active Directory Users and Computers, right click on the domain name at the top and select New and then OU.

Enter the name for your new OU and then click OK.

You can then move the computer objects from the default Computers container in to your new OU, either by dragging or dropping them, or by right clicking and selecting Move.

If you do not wish to apply this policy to all computers then only copy the computer object you want.

Once this has been completed we can link the new Group Policy we have created to the new OU.

To do this, using GPMC navigate to your new OU and right click on it.  Select Link an Existing GPO then locate your new Group Policy in the list and click OK.

Congratulations! You have now assigned a Group Policy to add all members of a Domain Group to the local Administrators group on all computers located in your new Organisational Unit.
Author:Glen Knight
LVL 38

Expert Comment

demazter -
A very nice (and clean) set of instructions for this process. Thank you for publishing it.

"Yes" vote above.
LVL 76

Expert Comment

by:Alan Hardisty
Excellent article - If you were from Liverpool, I would have understand your choice of PERM for other reasons than the one you mentioned!

Yes vote from me :)

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Join & Write a Comment

Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Next Article:

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month