GPO – make a domain user local administrator of a computer


Windows Server 2012R2, Windows Server 2016, Windows Server 2019

In this tutorial, I’ll show you how to make a domain user a local administrator of a computer or server using Group Policy (GPO).

In a previous tutorial, I explained how to do this using restricted groups, which involved creating an Active Directory group, putting the user in that group, and then using a group policy to add that group to the computer's Administrators group.

In this tutorial, we will see how to add the user directly to the local Administrators group of the Windows machine, without creating an intermediate group.

From the Group Policy Management console, right-click on Group Policy Objects 1 and click on New 2.

Name the Group Policy 1 and click OK 2 to create the object.

Find the object you have just created in the list, right-click on it 1 then click on Modify 2.

From the Group Policy Management Editor, go to: Computer Configuration / Preferences / Control Panel Settings / Local Users and Groups.

In the central area, right-click then go to New 1 and click on Local group 2.

Check that the selected action is Update 1. In the Group name field, click on the arrow 2 to open the drop-down list and click on Administrators (built-in) 3 to select it.

The Administrators (built-in) group corresponds to the local Administrators group on computers. On a domain controller, it is the group found in the Builtin container.

Under the Members area, click on the Add 1 button.

A new window opens. Click on the … (browse) button to open the Active Directory object search.

Search for the Active Directory user account then click OK 1 to select it.

The account is selected 1. Click on OK 2.

The user now appears in the Members section with the action ADD. Click on Apply 1 and OK 2 to validate and close the window.

The Group Policy is ready; you can close the editor.

Now you must link the policy to the desired location. Right-click on the OU, then click on Link an existing group policy object 1.

Select the Group Policy 1 and click OK 2.

The policy is now linked to the OU. To save time, you can force an update of the group policies from the console: right-click on the OU and click on Group Policy Update.

Once the policy has been applied, if we look in the local Administrators group of the computer, we see that our user is added.
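To confirm the result from the command line on the target computer, the following PowerShell checks by SID whether the account is a direct member of the local Administrators group and lists every other member for review. It is an added example, not part of the original tutorial; the function names and the account `CONTOSO\jdoe` are placeholders.

```powershell
# Added example. 'CONTOSO\jdoe' is a placeholder account (assumption).
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1).
function Get-LocalAdministratorsMember {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group;
    # using it avoids depending on the localized group name.
    $groupSid = 'S-1-5-32-544'
    try {
        Get-LocalGroupMember -SID $groupSid -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; Class = "$($_.ObjectClass)"; Sid = $_.SID.Value }
        }
    }
    catch {
        # Get-LocalGroupMember can fail when the group contains an entry it
        # cannot resolve (for example a deleted domain account). Fall back to
        # the ADSI WinNT provider, which still returns the raw SIDs.
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier $groupSid
        $name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
        $group  = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
        foreach ($m in @($group.Invoke('Members'))) {
            $t     = $m.GetType()
            $bytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            [pscustomobject]@{
                Name  = $t.InvokeMember('Name',  'GetProperty', $null, $m, $null)
                Class = $t.InvokeMember('Class', 'GetProperty', $null, $m, $null)
                Sid   = (New-Object System.Security.Principal.SecurityIdentifier $bytes, 0).Value
            }
        }
    }
}

function Test-LocalAdministratorsMember {
    param([Parameter(Mandatory)][string]$Account)
    # Compare by SID so a differently formatted account name still matches.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
    $members = @(Get-LocalAdministratorsMember)
    [pscustomobject]@{
        Account        = $Account
        Sid            = $sid
        IsDirectMember = $members.Sid -contains $sid   # added directly, not via a group
        Members        = $members                      # full list, for review
    }
}

# From an elevated prompt on the target computer:
gpupdate /target:computer /force   # re-apply computer policy now
gpresult /r /scope computer        # the new GPO should appear under "Applied Group Policy Objects"
Test-LocalAdministratorsMember -Account 'CONTOSO\jdoe' | Format-List
```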


You now know how to add a user to the local Administrators group of a computer/server using a group policy (GPO) without going through restricted groups.



