Adding AD users to the local administrators group on multiple computers is simple using Group Policy. In this post I’ll describe the process.
Create a fresh Group Policy Object (GPO) and link it to a test Organisational Unit (OU). Move a test server into that OU so you can confirm the result on one machine before linking the GPO more widely.
Open the GPO and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.
Right-click and choose Add Group. To manage the local administrators group, enter Administrators. In the next window, under “Members of this group:”, click Add and choose the users to add to the local administrators group. Note that this setting enforces the list: any users that are currently in the local administrators group and are not listed here will be removed and replaced with the users you select. If that is what you want, click OK and close the GPO.
The second method allows you to add an AD security group to the local administrators group. This process is additive and users and groups that are currently in the local administrators group are untouched.
Navigate to Restricted Groups as before, right-click and choose Add Group. This time enter the name of the AD security group you wish to add to the local administrators group. Click OK, and on the next screen, in the “This group is a member of:” section, click Add. Enter Administrators to add the group to the local administrators group. Click OK and close the GPO to save the changes. You can then add further users to the domain group and they will automatically be local administrators on every server that applies the GPO, without touching the existing local members.
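The difference between the two methods (“Members of this group” replaces the membership, “This group is a member of” adds to it) is easiest to see by snapshotting the local Administrators group on the test server before the GPO applies and diffing it afterwards. The script below is an added example, not part of the original post or of any Microsoft tool; the computer name `TESTSRV01`, the snapshot path and the assumption that you run it from a domain-joined admin workstation with RPC access to the target are all hypothetical.

```powershell
# Added example (not from the original post): snapshot the local Administrators
# group on a set of computers, then re-run with -Compare after gpupdate to see
# which members a Restricted Groups policy added or removed.
# Save as Audit-LocalAdmins.ps1 and run from an elevated, domain-joined session.
param(
    [string[]]$ComputerName = @('TESTSRV01'),                 # assumption: your test OU member(s)
    [string]$SnapshotPath   = "$env:TEMP\localadmins-before.json",
    [switch]$Compare                                          # omit to take the baseline; set to diff
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    # The WinNT ADSI provider works remotely and on hosts too old for Get-LocalGroupMember.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # ADsPath looks like WinNT://DOMAIN/Name (domain principal) or WinNT://HOST/Name (local account)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    } | Sort-Object -Unique
}

$current = @{}
foreach ($c in $ComputerName) {
    try   { $current[$c] = @(Get-LocalAdminMembers -Computer $c) }
    catch { Write-Warning "${c}: $($_.Exception.Message)" }
}

if (-not $Compare) {
    # Baseline run: persist the membership so it can be restored by hand if a
    # "Members of this group" policy wipes accounts you meant to keep.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $SnapshotPath
    Write-Output "Baseline saved to $SnapshotPath"
    $current.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, ($_.Value -join ', ') }
    return
}

# Compare run: anything in Removed means the policy replaced the membership
# (first method); an additive "member of" policy should only ever show Added.
$before = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
foreach ($c in $ComputerName) {
    $old = @($before.$c)
    $new = @($current[$c])
    $removed = @($old | Where-Object { $_ -notin $new })
    $added   = @($new | Where-Object { $_ -notin $old })
    [pscustomobject]@{
        Computer = $c
        Added    = $added -join ', '
        Removed  = $removed -join ', '
    }
}
```

Run it once before linking the GPO, run `gpupdate /force` on the test server, then run it again with `-Compare`. The saved JSON is also the quickest way to reconstruct the previous membership if the replace-style policy removed more than intended.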
Nice concise article.
In section two it states that “This process is additive and users and groups that are currently in the local administrators group are untouched.” However, when I perform this task following your guide it is in fact removing members that are already in the local group Administrators. Is there any particular reason for this?
I found the same issue as Luke Welden. I added domain users and then found that domain and enterprise admins that I had in the local administrators group had been removed.
Is there any way to revert this and reapply the old local admin accounts? I read another article which didn’t highlight that caveat and just wiped a bunch of local users…
It’s wrong: upon adding the users as administrator, they become the domain administrators.
You are right, but what is the alternative?
That is exactly right! I just discovered this! Do not do what is suggested in this post!!!
No, the users are local admins, just local admins ON EACH computer this policy is applied to. Not only on their own computer, unless there is one policy for each computer. They’re domain admins only if you apply this policy on domain servers (local admin on a domain server = domain admin).
This is embarrassing. This is the correct way, but the commenters aren’t understanding the very simple difference:
In the ‘this group is a member of’ field put in Administrators. Click apply, done, etc. Now, where you normally manage your groups – ADD THE PEOPLE TO THE GROUP VIA ‘ACTIVE DIRECTORY USERS AND COMPUTERS’ – NOT IN THIS GPO YOU’VE JUST MADE.
Just used the “second method” to add an AD group to the local admins group of my 2012/2016 servers OU via GPO. Worked exactly as expected. Existing members of the local admins group were unaffected. Thanks!
Momo is correct. I have just done this and confirmed by running AD Users and Computers that an elevated login like this does get domain admin.