Adding Domain Users To The Local Administrators Group Using Group Policy

Adding AD users to the local administrators group on multiple computers is simple using Group Policy.  In this post I’ll describe the process.

Create a fresh group policy object (GPO) and link it to a test Organisational Unit (OU).  Add a test server to the OU.

Open the GPO and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.


Right-click and choose Add Group.  If you want to add users to the local administrators group, enter Administrators.  In the next window, under “Members of this group:”, click Add and choose the users to add to the local administrators group.  Note that any users that are currently in the local administrators group will be removed and replaced with the users you select here.  If that is what you want, click OK and close the GPO.


The second method allows you to add an AD security group to the local administrators group.  This process is additive and users and groups that are currently in the local administrators group are untouched.

Navigate to Restricted Groups as before, right-click and choose Add Group.  This time enter the name of the AD security group you wish to add to the local administrators group.  Click OK and on the next screen, in the “This group is a member of:” section, click Add.  Enter Administrators to add the group to the local administrators group.  Click OK and close the GPO to save changes.  You can add additional users to the domain group and they will automatically be part of the local administrators group on servers that apply the GPO.
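Because a Restricted Groups policy can replace existing membership, it is worth recording who is in the local Administrators group before the GPO applies and comparing afterwards. The script below is an added example, not part of the original post; the server name TESTSRV01 and the folder C:\Temp\LocalAdminAudit are placeholders, and it assumes PowerShell remoting is enabled on the target servers.

```powershell
# Added example: snapshot local Administrators membership before a Restricted
# Groups GPO applies, then report what changed afterwards.
param(
    [string[]]$ComputerName = @('TESTSRV01'),       # placeholder: test server in the OU
    [string]$Path = 'C:\Temp\LocalAdminAudit',      # placeholder: where the snapshot is kept
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode = 'Snapshot'
)

function Get-LocalAdminMember {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
        # lookup does not depend on the display language of the server.
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Select-Object Name, @{ n = 'SID'; e = { $_.SID.Value } }, ObjectClass
    } | Select-Object PSComputerName, Name, SID, ObjectClass
}

$before = Join-Path $Path 'before.csv'

if ($Mode -eq 'Snapshot') {
    # Run this before linking the GPO to the OU.
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    Get-LocalAdminMember -ComputerName $ComputerName |
        Export-Csv -Path $before -NoTypeInformation
    return
}

# Compare mode: run after the policy has applied on the targets
# (for example after gpupdate /force or the next refresh cycle).
$old = @(Import-Csv -Path $before)
$new = @(Get-LocalAdminMember -ComputerName $ComputerName)

# '<=' means present only in the snapshot (removed by the policy);
# '=>' means present only now (added by the policy).
Compare-Object -ReferenceObject $old -DifferenceObject $new `
        -Property PSComputerName, SID, Name |
    Select-Object PSComputerName, Name, SID, @{
        n = 'Change'
        e = { if ($_.SideIndicator -eq '<=') { 'Removed' } else { 'Added' } }
    } |
    Sort-Object PSComputerName, Change
```

Keep before.csv after the comparison: it is the record of which accounts were members if any need to be put back.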


7 thoughts on “Adding Domain Users To The Local Administrators Group Using Group Policy”

  1. Pingback: Group policy help please!

  2. Luke Welden

    Hello Guys,

    In Section two it states that “This process is additive and users and groups that are currently in the local administrators group are untouched.” however when I perform this task following your guide it is in fact removing members that are already in the local group Administrators. Is there any particular reason for this?

    Kind Regards,

    Luke Welden.

    1. Chad Williams

      Hi

      I found the same issue as Luke Welden. I added domain users and then found that domain and enterprise admins that I had in the local administrators group had been removed.

      Thanks,

      Chad Williams

  3. Interested

    anyway to revert this and reapply the old local admin accounts? I read another article which didn’t highlight that caveat and just wiped a bunch of local users….

  4. Pingback: Windows Restricted Groups – Adding Domain Users To The Local Administrators Group Using Group Policy (GPO) – RickyAdams.com
