
How to Add Domain Account on Local Administrator Group

infoplateform asked
Hi Member,
I am going to perform an intraforest migration and I am using ADMT V3.2.

For ADMT V3.2 there is the below-mentioned requirement

I need to add the target "admin" ID to the local Administrators group on every machine to fulfill this requirement of the Active Directory migration. I found one way, which is the Restricted Groups feature, but the problem is that we have some users who are already in this local Administrators group on local machines because some applications need admin rights. So kindly tell me any idea how I can add my target domain user to the local machine Administrators group.

Thanks & Regards
Osama Mansoor

Philip Elder, Technical Architect - HA/Compute/Storage

You can use Group Policy Preferences to deliver an AD account to the Local Admin group on the applicable machines.

Group Policy Client Side Extensions need to be installed on Vista and below to accept the GPPref delivered changes.

It is a machine-level GPPref, so it takes GPUpdate /Force plus a reboot, or 90 minutes plus a reboot, to take effect.

Sandesh Dubey, Technical Lead
Top Expert 2011

Instead, there is a much easier way to accomplish what you want:
Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
That's it....the next time the computers are started, the group will be added to the local admin group.

Instead of a group you can specify a user ID, as below:
NET localgroup Administrators /add "domain_name\domain_Userid"

You can also use a Restricted Groups GPO; refer to this link: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Hope this helps



I have tried through Restricted Groups, but the problem is that some users who had been added to the Administrators group of the local machine were removed after applying the Restricted Groups GPO.


NET localgroup Administrators /add "domain_name\domain_Userid

Saved as localadmin.bat

and added as a startup script, but it is not working.

Kindly help?

Osama Mansoor
Philip Elder, Technical Architect - HA/Compute/Storage

You can configure the GPPrefs to add, change membership, or even remove all users in the group.

Technical Lead
Top Expert 2011
NET localgroup Administrators /add "domain_name\domain_Userid" should work.
Check that the script is placed in the SYSVOL share folder.

Refer to the link below for how to apply a startup script.

Also try disabling fast logon by GPO and check:

Hope this helps.


Thanks for your help as always, but my problem was resolved by the following method.

Using a GPO from the target domain:

The command for the batch file that would be the startup script would be:

net localgroup administrators DOMAIN\UserName /add

Save as VBScript.bat
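
The thread contrasts Restricted Groups, which removed existing local admins, with a startup script that only adds a member. As an added example that is not part of any post above, here is a PowerShell startup script that adds the account only when it is missing, leaves existing members in place, and logs the resulting membership for review. It assumes Windows PowerShell 5.1 or later on the clients; `DOMAIN\UserName` is the thread's placeholder and the log path is an assumption.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+
# (Microsoft.PowerShell.LocalAccounts module); run as a computer startup script.
$Member    = 'DOMAIN\UserName'   # placeholder, same form as used in the thread
$AdminsSid = 'S-1-5-32-544'      # well-known SID of BUILTIN\Administrators
$LogFile   = Join-Path $env:SystemRoot 'Temp\localadmin-add.log'  # assumed path

function Write-Log([string]$Message) {
    # One timestamped line per event, tagged with the machine name.
    $line = '{0} {1} {2}' -f (Get-Date -Format s), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

try {
    # Additive only: current members of the group are not touched.
    # Addressing the group by SID also works on localized Windows builds.
    Add-LocalGroupMember -SID $AdminsSid -Member $Member -ErrorAction Stop
    Write-Log "added $Member"
}
catch {
    if ($_.FullyQualifiedErrorId -like 'MemberExists*') {
        # Expected on every boot after the first; not an error.
        Write-Log "$Member already a member, nothing to do"
    }
    else {
        Write-Log "FAILED to add ${Member}: $($_.Exception.Message)"
        exit 1
    }
}

# Record who holds local admin rights after the change, so that accounts
# nobody expected can be spotted during or after the migration.
try {
    Get-LocalGroupMember -SID $AdminsSid -ErrorAction Stop |
        ForEach-Object { Write-Log "member: $($_.Name) [$($_.PrincipalSource)]" }
}
catch {
    Write-Log "could not enumerate members: $($_.Exception.Message)"
}
```

Once the ADMT migration is finished, the same log shows which machines still carry the migration account so it can be removed from the local Administrators group.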