Asked by introlux

Adding Logged User to Local Administrator

Hi Experts,

I would like to add a domain user to the local administrator group and then have them removed once they have logged off.

How can this be done within group policy?

Thanks in advance
Windows Server 2003, Exchange, Active Directory

Last Comment: 8/22/2022 - Mon
Dhanesh Kansari

Machine Script Solution:
By combining a Windows 2000/2003 GPO with a machine script, we can get a good solution to this problem while avoiding the problems that the "Restrict Groups" option in Windows 2000/2003 GPO creates.
The script structure:
    Script Name: Machine_Startup_Script.vbs (you can use any name that you like, but you need to verify that the file name suffix ends with
    Operation Interval: each machine startup and/or shutdown.
'Beginning Of the Script
On Error Resume Next
'get main objects/variables
Set ws = WScript.CreateObject ( "WScript.Shell" )
compname = ws.ExpandEnvironmentStrings ( "%COMPUTERNAME%" )
Set adGrp = GetObject ( "WinNT://" & compname & "/Administrators,group" )
'add domain groups to local admin group
adGrp.Add ( "WinNT://mywindowsdomain/Domain Admins,group" )
'End of the Script
mywindowsdomain = the NetBIOS name of the domain that the user's workstation logs into.
Lines that begin with " ' " are comments only.
After creating the script, we need to add it to the Domain Default GPO as a computer startup and/or shutdown script, and we are done.
Dhanesh Kansari

I usually use scripts like this as part of the workstation build process, as it requires local administrator rights. However, if your users are local admins, it is possible to run or call the script below through their login script.

Substitute your domain name for the word DOMAINNAME. You can also use this script to add other domain groups to local groups (e.g. create a domain group LOCALPOWER, modify GROUPSTRING to be the name of the local group to add members to (e.g. "Power Users"), and edit the line starting with groupobj.add so the LOCALPOWER group is added instead of "Domain Admins" to the local computer group. This lets you control people with power user rights without visiting the desktop).

The on error resume next line ensures that if for some reason the script cannot be run (eg insufficient rights) it does not hang or notify of a problem. Cut and paste the text between the lines as a *.vbs file:

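Dim WSHShell, WshSysEnv
Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("PROCESS")
' Suppress all runtime errors so the script never stops or prompts
On Error Resume Next

' Despite its name, UserString holds the local computer name
UserString = WshSysEnv("COMPUTERNAME")

' Local group that will receive the new member
GroupString = "Administrators"
Set GroupObj = GetObject("WinNT://" & UserString & "/" & GroupString)
' Add the domain group to the local group
GroupObj.Add ("WinNT://DOMAINNAME/Domain Admins")
Set GroupObj = Nothing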

Set WshShell = Nothing
Set WshSysEnv = Nothing
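
An added example, not part of the original posts: a variant of the startup scripts above that checks each step instead of relying on On Error Resume Next alone, and writes the outcome to the Application event log, so a failed or repeated change to the local Administrators group leaves a record. DOMAINNAME and "Domain Admins" are the placeholders used in the post; the "LocalAdminScript" label in the log text is an assumption.

```vbscript
' Added example: startup script that adds a domain group to the local
' Administrators group and logs the result instead of failing silently.
Option Explicit

Const EVT_SUCCESS = 0
Const EVT_ERROR = 1
Const EVT_INFO = 4
Const ALREADY_MEMBER = &H80070562      ' HRESULT of ERROR_MEMBER_IN_ALIAS (1378)
Const DOMAIN_NAME = "DOMAINNAME"       ' placeholder: NetBIOS domain name
Const DOMAIN_GROUP = "Domain Admins"   ' domain group used in the post
Const LOCAL_GROUP = "Administrators"

Dim shell, net, memberPath, localGroup
Set shell = WScript.CreateObject("WScript.Shell")
Set net = WScript.CreateObject("WScript.Network")
memberPath = "WinNT://" & DOMAIN_NAME & "/" & DOMAIN_GROUP

' Keep the script from stopping on errors, but inspect Err after each step
On Error Resume Next

Set localGroup = GetObject("WinNT://" & net.ComputerName & "/" & LOCAL_GROUP & ",group")
If Err.Number <> 0 Then
    Report EVT_ERROR, "cannot bind to local group " & LOCAL_GROUP & _
        " (0x" & Hex(Err.Number) & " " & Err.Description & ")"
    WScript.Quit 1
End If

localGroup.Add memberPath
Select Case Err.Number
    Case 0
        Report EVT_SUCCESS, "added " & memberPath & " to " & LOCAL_GROUP
    Case ALREADY_MEMBER
        ' Expected on every run after the first; not a failure
        Report EVT_INFO, memberPath & " is already a member of " & LOCAL_GROUP
    Case Else
        ' Typical causes: insufficient rights, domain not reachable
        Report EVT_ERROR, "adding " & memberPath & " failed (0x" & _
            Hex(Err.Number) & " " & Err.Description & ")"
        WScript.Quit 1
End Select

' Write one entry to the Application event log (source WSH)
Sub Report(kind, text)
    shell.LogEvent kind, "LocalAdminScript on " & net.ComputerName & ": " & text
End Sub
```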



I would prefer to do it via group policy rather than using a script. I have tried to use the script and it does not seem to work. I have also tried following the last GP tutorial but I am somewhat confused.

Basically I would like to add the user to the Admin group or NT Group. I need the user to have enough permissions to add/remove software and remote desktop on their computer. I am aware being admin may give them too much permission.

Can you please advise?



So can you not just add the current logged on user into the Administrators group then? It has worked with the Windows 7 machines but it does not seem to work with XP workstations using group policy.

I added this in the restricted user config area and it worked for Windows 7 but not XP.

Any idea?