

Assigning Local Administrator Privileges using Group Policy



You may need to give a group of users local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies.

This article will demonstrate how to do this easily and how to manage which computers receive the policy.

Step 1 – Creating the Group Policy

Using the Group Policy Management Console (GPMC) we can create a Group Policy.  I like to give all my Group Policies a relevant name and prefix, but you may have a different convention in your organisation.

I am going to call mine PERM_ClientLocalAdminPermissions

The PERM prefix allows me to quickly identify this policy as being related to permissions, and it is followed by a descriptive name.

Launch the GPMC and locate the Group Policy Objects container.  Right click and select New. Enter the policy name as shown below and click OK.

[Image: RestrictedGroups-01.jpg]

Once done, locate your policy in the list, right click and select Edit.

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups (as shown below).

[Image: RestrictedGroups-02.jpg]

You now need to do the following:
Right click on Restricted Groups and select Add Group
Click the Browse button
In the Enter the object names to select box enter the name of the group you want to add to the local Administrators group
Click OK
In the This group is a member of dialog box click Add
Click Browse
Click Locations and ensure your local machine is selected
In the Enter the object names to select box enter Administrators
Click OK and then OK again.

Step 2 – Assigning the Policy

It’s not possible to assign a Group Policy to the default Computers container, so you have two options. You can link the policy at the root Domain level, which I wouldn’t recommend because it would also be applied to servers (by default). Alternatively, you can create a new Organisational Unit (OU), move the computer objects into it and then assign the policy there.

To create a new OU launch Active Directory Users and Computers, right click on the domain name at the top and select New and then OU.

Enter the name for your new OU and then click OK.

You can then move the computer objects from the default Computers container into your new OU, either by dragging and dropping them, or by right clicking and selecting Move.

If you do not wish to apply this policy to all computers then move only the computer objects you want.

Once this has been completed we can link the new Group Policy we have created to the new OU.

To do this, using GPMC navigate to your new OU and right click on it.  Select Link an Existing GPO then locate your new Group Policy in the list and click OK.

Congratulations! You have now assigned a Group Policy to add all members of a Domain Group to the local Administrators group on all computers located in your new Organisational Unit.
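
Step 2 can also be scripted and the result checked on one workstation. The following is an added example, not part of the original article; the OU name, the pilot computer name and the use of PowerShell remoting (WinRM) are assumptions, and only the GPO name comes from Step 1.

```powershell
# Added example: scripted form of Step 2 plus a membership check.
# Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName = 'PERM_ClientLocalAdminPermissions'   # GPO created in Step 1
$OuName  = 'Workstations'                       # assumed name for the new OU
$PilotPc = 'PC-PILOT-01'                        # assumed test workstation

$domain = Get-ADDomain
$ouDn   = "OU=$OuName,$($domain.DistinguishedName)"

# Create the OU at the domain root only if it is not already there.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
    -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $domain.DistinguishedName
}

# Move only the chosen computer object; anything left in the default
# Computers container will not receive the policy.
Get-ADComputer -Identity $PilotPc | Move-ADObject -TargetPath $ouDn

# Link the GPO to the OU unless a link already exists.
$links = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Refresh computer policy on the pilot machine, then list who is now in
# the local Administrators group (S-1-5-32-544, independent of OS language).
Invoke-Command -ComputerName $PilotPc -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}
```

The domain group chosen in Step 1 should appear in the output alongside the existing members; reviewing that list on a pilot machine before moving more computers shows exactly who holds local administrator rights under the policy.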
Author: Glen Knight

Expert Comment

demazter -
A very nice (and clean) set of instructions for this process. Thank you for publishing it.

"Yes" vote above.

Expert Comment

by: Alan Hardisty
Excellent article - If you were from Liverpool, I would have understood your choice of PERM for other reasons than the one you mentioned!

Yes vote from me :)
