Assigning Local Administrator Priviledges using Group Policy

Glen KnightLead Techical Consultant


You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies.

This article will demonstrate how to do this easily and how to manage which computers receive the policy.

Step 1 – Creating the Group Policy

Using the Group Policy Management Console(GPMC) we can create a Group Policy.  I like to give all my Group Policies a relevant name and prefix but you may have something different in your organisation.

I am going to call min PERM_ClientLocalAdminPermi ssions

The PERM allows me to quickly identify this policy as being related to permissions and then a descriptive name.

Launch the GPMC and locate the Group Policy Objects container.  Right Click and select New. Enter the policy name as shown below and click OK
  RestrictedGroups-01.jpgOnce done, locate your policy in the list, right click and select Edit

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups (as shown below)
  RestrictedGroups-02.jpg You now need to do the following:
Right Click on Restricted Groups and select Add Group
Click the Browse button
In the Enter the object names to select check box enter the name of the group you want to add to the local Administrators group
Click OK
In the This group is a member of dialog box click Add
Click Browse
Click Locations and ensure your local machine is selected
In the Enter the object names to select check box enter Administrators
Click OK and then OK again.

Step 2 – Assigning the Policy

It’s not possible to assign a Group Policy to the default computers container.  So you will either need to do this at the root Domain level, which I wouldn’t recommend because it would also be applied to servers (by default) or create a new Organisational Unit (OU), move all the computer objects in here and then assign the policy.

To create a new OU launch Active Directory Users and Computers, right click on the domain name at the top and select New and then OU.

Enter the name for your new OU and then click OK.

You can then move the computer objects from the default Computers container in to your new OU, either by dragging or dropping them, or by right clicking and selecting Move.

If you do not wish to apply this policy to all computers then only copy the computer object you want.

Once this has been completed we can link the new Group Policy we have created to the new OU.

To do this, using GPMC navigate to your new OU and right click on it.  Select Link an Existing GPO then locate your new Group Policy in the list and click OK.

Congratulations! You have now assigned a Group Policy to add all members of a Domain Group to the local Administrators group on all computers located in your new Organisational Unit.
Glen KnightLead Techical Consultant

Comments (2)

Author of the Year 2011
Top Expert 2006

demazter -
A very nice (and clean) set of instructions for this process. Thank you for publishing it.

"Yes" vote above.
Alan HardistyCo-Owner
Top Expert 2011

Excellent article - If you were from Liverpool, I would have understand your choice of PERM for other reasons than the one you mentioned!

Yes vote from me :)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.