Group Policy lets us add Active Directory users and groups to the local Administrators group on domain-joined servers and workstations.
In this article we look at the steps to add users to the local Administrators group via a GPO and from the command line.
Local Administrators Group in Active Directory Domain
When we join a computer to an AD domain, the Domain Admins group is automatically added to the local Administrators group, and the Domain Users group to the local Users group.
Adding a user or group to the local Administrators security group with the Local Users and Groups snap-in (lusrmgr.msc) is easy on a single computer, but it does not scale: it has to be repeated, and kept in sync, on every machine.
Microsoft recommends using the following groups to separate administrative privileges in an AD domain:
1. Domain Admins are used only on domain controllers. From a security point of view, privileged administrator accounts should not be used for day-to-day administration of workstations and servers; never log on to those machines with Domain Admin privileges.
2. Server Admins is a group for managing domain member servers. It must not be a member of Domain Admins or of the local Administrators group on workstations.
3. Workstation Admins is a group for performing administrative tasks on workstations only. It must not be a member of Domain Admins or Server Admins.
4. Domain Users are regular user accounts for typical office work. They must not have administrator privileges on servers or workstations.
Suppose we want to grant local administrator privileges on the computers in a specific OU to a group of technical support and HelpDesk employees.
Create a new security group in the domain using PowerShell and add the technical support accounts to it:
New-ADGroup -Name munWKSAdmins -Path 'OU=Groups,OU=Munich,OU=DE,DC=woshub,DC=com' -GroupScope Global -GroupCategory Security -PassThru
Add-ADGroupMember -Identity munWKSAdmins -Members employee1, employee2, employee3
Open the Group Policy Management console (gpmc.msc), create a new GPO named AddLocalAdmins and link it to the OU that contains the target computers (in our example, 'OU=Computers,OU=Munich,OU=DE,DC=woshub,DC=com').
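The same preparation done from PowerShell, as an added example that is not part of the original article: it creates the group (idempotently), adds the members, and then creates and links the GPO with the GroupPolicy module instead of the GPMC GUI. OU paths, the domain and the account names are the article's sample values; the GPO comment text is an assumption.

```powershell
# Added example (not from the original article): provision the admin group and
# the GPO that will carry the Local Group preference. Run on a machine with RSAT
# (ActiveDirectory and GroupPolicy modules) as a user allowed to create groups
# in $GroupsOu and GPOs in the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupsOu    = 'OU=Groups,OU=Munich,OU=DE,DC=woshub,DC=com'      # article's sample OU
$ComputersOu = 'OU=Computers,OU=Munich,OU=DE,DC=woshub,DC=com'   # article's sample OU
$GroupName   = 'munWKSAdmins'
$GpoName     = 'AddLocalAdmins'
$Members     = 'employee1', 'employee2', 'employee3'

# 1. Security group: create it only if it does not already exist, so the script
#    can be re-run safely.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -Path $GroupsOu -GroupScope Global -GroupCategory Security
}
# Add-ADGroupMember ignores accounts that are already members.
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. GPO: create it if missing. The comment is an assumption (any text works).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Adds $GroupName to local Administrators"
}

# 3. Link: check the OU's existing links first so re-running does not add a
#    duplicate link.
$alreadyLinked = (Get-GPInheritance -Target $ComputersOu).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $alreadyLinked) {
    New-GPLink -Guid $gpo.Id -Target $ComputersOu -LinkEnabled Yes | Out-Null
}

# Show what we ended up with.
Get-ADGroupMember -Identity $GroupName | Select-Object Name, SamAccountName
Get-GPO -Name $GpoName | Select-Object DisplayName, Id, GpoStatus
```

The GroupPolicy module has no cmdlet for authoring Group Policy Preferences items, so the Local Group entry itself (the next section) still has to be configured in the GPO editor; the script only prepares the group, the GPO and the link so that the editor step is the only manual one.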
AD Group Policy provides two methods to manage local groups on domain computers.
i. Local groups management using Group Policy Preferences
ii. Restricted Groups
How to Add Domain Users to the Local Administrators via GPO Preferences?
Group Policy Preferences (GPP) provide the most flexible and convenient way to grant local administrator privileges on domain computers through a GPO.
1. Open the AddLocalAdmins GPO you created earlier for editing.
2. Go to the following GPO section: Computer Configuration –> Preferences –> Control Panel Settings –> Local Users and Groups.
3. Add a new rule (New -> Local Group).
4. Select Update in the Action field (this is important: Update modifies the membership of the existing group, whereas Delete and Replace act on the group itself).
5. In the Group Name dropdown list, select Administrators (Built-in).
Even if the group has been renamed on the computer, the setting is applied to the local Administrators group by its well-known SID, S-1-5-32-544.
6. Then click Add and select the groups you want to add to the local Administrators group (in our case, munWKSAdmins). If the policy should also remove every member that is not listed in it, tick Delete all member users and Delete all member groups; without these options Update only adds members and leaves the existing ones in place.
7. Save the policy and wait until it is applied on the workstations (by default the background refresh runs every 90 minutes plus a random offset of up to 30 minutes). To apply it immediately, run gpupdate /force on the computer.
8. Open the lusrmgr.msc snap-in on any computer in the OU and check the members of the local Administrators group. With the two Delete all options set, only munWKSAdmins and the built-in Administrator account (which Windows does not allow to be removed from this group) remain; without them, munWKSAdmins is added alongside the existing members. The list can also be displayed with the command: net localgroup Administrators
We can also narrow down the computers the setting applies to, either with a GPO WMI filter or, more conveniently, with Item-level Targeting.
Go to the Common tab, tick Item-level targeting and click Targeting.
Here we specify the conditions under which this item is applied.
Do not add individual user accounts to this policy; use domain security groups instead.
Then, to grant administrator privileges to another tech support employee, it is enough to add them to the domain group, and the GPO does not need to be edited.
How to manage the Local Admins Group Using Restricted Groups?
The Restricted Groups policy also lets us add domain groups and users to a local security group on computers.
It is the older method of granting local administrator privileges and is used less often now, because it is less flexible than Group Policy Preferences: there is no item-level targeting, and the "Members of this group" list is enforced, i.e. every member that is not listed in the policy is removed at each refresh.
1. Open a GPO in the editing mode
2. Expand the section Computer Configuration -> Policies -> Security Settings -> Restricted Groups
3. Select Add Group in the context menu
4. In the next window, type Administrators and then click OK
5. Click Add in the Members of this group section and specify the group you want to add to the local Administrators
6. Save the changes, apply the policy to the computers and check the local Administrators group. It must contain only the group you specified in the policy (plus the built-in Administrator account, which cannot be removed). Note that Domain Admins is removed as well unless you list it explicitly. If you only want to add a group without touching the existing members, define the policy the other way round: add the domain group (munWKSAdmins) as the restricted group and put Administrators in its "This group is a member of" list; that list is additive.
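Both methods above end with "check the local Administrators group". The following script, an added example that is not part of the original article, does that check on a client in a way that scales: it enumerates the group by its well-known SID (so a renamed group is still found), compares the members with an allow-list, and reports anything the policy did not put there. The domain and group names (WOSHUB\munWKSAdmins, WOSHUB\Domain Admins) are the article's sample values and are assumptions for your environment.

```powershell
# Added example, not part of the original article: audit the local Administrators
# group on a domain-joined computer against an allow-list and report drift.
# Run in an elevated PowerShell session on the client (Windows 10 / Server 2016 or
# later, which ship the Microsoft.PowerShell.LocalAccounts module).

# Well-known SID of BUILTIN\Administrators. GPP and Restricted Groups match the
# group by this SID, so the audit does the same and ignores any renaming.
$AdminsSid = 'S-1-5-32-544'

# Principals that are allowed to be members (assumed sample values). Domain Admins
# is listed because a Restricted Groups "Members of this group" policy removes
# every member that is not in the policy, Domain Admins included.
$DefaultAllowList = @(
    'WOSHUB\munWKSAdmins',
    'WOSHUB\Domain Admins'
)

function Get-LocalAdminDrift {
    [CmdletBinding()]
    param(
        [string[]]$AllowList = $DefaultAllowList
    )
    $group = Get-LocalGroup -SID $AdminsSid
    Write-Verbose "Auditing '$($group.Name)' ($AdminsSid) on $env:COMPUTERNAME"

    foreach ($m in Get-LocalGroupMember -SID $AdminsSid) {
        # The built-in local Administrator (RID 500) cannot be removed from this
        # group, so Windows keeps it regardless of policy; it is not drift.
        if ($m.PrincipalSource -eq 'Local' -and $m.SID.Value -like '*-500') { continue }

        # -notcontains is case-insensitive, which matches how Windows treats names.
        if ($AllowList -notcontains $m.Name) {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $m.Name            # e.g. WOSHUB\employee7 or WKS\localadmin
                ObjectClass = $m.ObjectClass     # User or Group
                SID         = $m.SID.Value
                Source      = $m.PrincipalSource # Local, ActiveDirectory, ...
            }
        }
    }
}

# Report, then show what remediation would do without changing anything.
$drift = Get-LocalAdminDrift -Verbose
if ($drift) {
    $drift | Format-Table -AutoSize
    # Drop -WhatIf to actually remove the unexpected members.
    $drift | ForEach-Object { Remove-LocalGroupMember -SID $AdminsSid -Member $_.Member -WhatIf }
} else {
    'Local Administrators membership matches the allow-list.'
}
```

A finding on a computer that is in scope of the GPO means either that the policy has not applied yet (check with gpresult /r /scope computer) or that someone added a member between refreshes; the GPP and Restricted Groups settings only re-enforce membership at refresh time, they do not block the change when it happens. One practical caveat: Get-LocalGroupMember can fail with "Failed to compare two elements in the array" when the group contains orphaned SIDs of deleted accounts; if that happens, fall back to net localgroup Administrators to see the raw list and clean the orphaned entries first.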
How to use GPO to Add a Single User to the Local Admin Group on a Specific Computer?
Sometimes we may need to grant a single user the administrator privileges on the specific computer.
For example, we have several developers who need elevated privileges from time to time to test drivers, debug or install them on their computers.
It is not advisable to add them to the workstation admins group, since that would make them administrators on every computer.
To grant local administrator privileges on one specific computer, you can use the following scheme:
In the same GPP section (Computer Configuration –> Preferences –> Control Panel Settings –> Local Users and Groups) of the AddLocalAdmins policy created earlier, create a new entry for the Administrators group with the following settings:
1. Action: Update
2. Group Name: Administrators (Built-in)
3. Description: “Add employee1 to the local administrators on the mun-dev-wks24 computer”
4. Members: Add -> employee1
5. In the Common -> Targeting tab, specify the rule “the NETBIOS computer name is mun-dev-wks24”.
It means that this policy will be applied only to the computer specified here.
Also pay attention to the order in which the entries are processed on the computer (the Order column in the GPP list). Local group entries are applied from top to bottom, starting with Order 1.
The first entry (the one with the Delete all member users and Delete all member groups settings) removes all users and groups from the local Administrators group and adds the domain group.
The computer-specific entries that add individual users must come after it; if the order were reversed, the first entry would remove the user the second one had just added.
If you need to change the order of the entries, use the buttons at the top of the GPO Editor console.
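To see what the policy will actually do, and in which order, you can read it back from the XML the editor writes rather than clicking through the GUI. The script below is an added example that is not part of the original article: it parses a GPP Groups.xml and prints each entry's action, wipe flags, members and item-level targeting in processing order. The embedded XML is a constructed sample that mirrors the two entries described above (the GPO GUID, timestamps and uid values are placeholders); the attribute names follow the GPP Local Users and Groups schema. To run it against a real GPO, point it at \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Preferences\Groups\Groups.xml.

```powershell
# Added example (not from the original article): list the Local Group entries of a
# GPP policy in the order the client processes them.

# Constructed sample of Groups.xml with the article's two entries. GUIDs/dates are
# placeholders; the attribute names are the ones the GPP editor writes.
$SampleGroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" changed="2024-01-01 00:00:00" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" newName="" description="Workstation admins" deleteAllUsers="1" deleteAllGroups="1" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="WOSHUB\munWKSAdmins" action="ADD" sid=""/>
      </Members>
    </Properties>
  </Group>
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" changed="2024-01-01 00:00:00" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="U" newName="" description="Add employee1 to the local administrators on the mun-dev-wks24 computer" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="WOSHUB\employee1" action="ADD" sid=""/>
      </Members>
    </Properties>
    <Filters>
      <FilterComputer bool="AND" not="0" type="NETBIOS" name="mun-dev-wks24"/>
    </Filters>
  </Group>
</Groups>
'@

function Get-GppLocalGroupPlan {
    param(
        # Either the XML text itself or a path to Groups.xml in SYSVOL.
        [Parameter(Mandatory)][string]$Source
    )
    $text = if (Test-Path -LiteralPath $Source) { Get-Content -LiteralPath $Source -Raw } else { $Source }
    [xml]$doc = $text
    $order = 0
    foreach ($g in $doc.Groups.Group) {
        $order++
        $p = $g.Properties
        # Single-letter action codes used in the XML.
        $action = switch ($p.GetAttribute('action')) {
            'C' { 'Create' } 'R' { 'Replace' } 'U' { 'Update' } 'D' { 'Delete' }
            default { $p.GetAttribute('action') }
        }
        $members = @($p.Members.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } |
            ForEach-Object { "$($_.GetAttribute('action')) $($_.GetAttribute('name'))" })
        $filters = @($g.Filters.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } |
            ForEach-Object {
                $neg = if ($_.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
                "$($_.LocalName): $neg$($_.GetAttribute('type')) = $($_.GetAttribute('name'))"
            })
        [pscustomobject]@{
            Order       = $order
            Group       = $p.GetAttribute('groupName')
            GroupSid    = $p.GetAttribute('groupSid')
            Action      = $action
            WipesUsers  = $p.GetAttribute('deleteAllUsers') -eq '1'
            WipesGroups = $p.GetAttribute('deleteAllGroups') -eq '1'
            Members     = $members -join '; '
            Targeting   = if ($filters) { $filters -join ' AND ' } else { '(all computers in scope)' }
        }
    }
}

Get-GppLocalGroupPlan -Source $SampleGroupsXml | Format-Table -AutoSize
```

Reading the plan this way makes the ordering rule visible: entry 1 wipes and re-adds munWKSAdmins on every computer, entry 2 adds employee1 only where the NETBIOS filter matches. Swapping the two would leave employee1 without admin rights, because the wipe would run after the add. Keep in mind that Groups.xml lives in SYSVOL, which every authenticated domain user can read, so this file also tells anyone in the domain exactly which accounts are local administrators on which computers; treat the membership it reveals as information an attacker will collect as well.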
How to add a user to a group from the command line?
Let us now look at how to add a user to a local group from the command prompt using the net localgroup command. The commands below modify local groups, so run them from an elevated (Run as administrator) prompt.
Replace group_name and UserLoginName with the exact group and user names:
net localgroup group_name UserLoginName /add
To add a domain user to the local Users group, prefix the account with the domain name:
net localgroup users domainname\username /add
Now, to add a domain user to local administrator group use the command below:
net localgroup administrators domainname\username /add
To add a user to remote desktop users group:
net localgroup "Remote Desktop Users" UserLoginName /add
To add a user to the Debugger Users group (present only on computers where a debugger such as Visual Studio has created it):
net localgroup "Debugger users" UserLoginName /add
To add a user to the Power Users group (kept for backward compatibility; on current Windows versions it grants no extra privileges by default):
net localgroup "Power users" UserLoginName /add
To list the members of a particular group, run the command below. To remove a member, use /delete instead of /add in any of the commands above.
net localgroup group_name