How to Grant Local Admin Permissions to a Group [Part 1]

In Part 1 of the article, I demonstrate how to grant local admin permissions to a group on a domain computer in Windows Server using Group Policy and manually using the Windows Command Prompt and PowerShell. This is helpful when you want to give some users administrator access to domain computers without giving them domain admin credentials. Please see Pleasant User Group Permission and User Access, How to grant public access to S3 Bucket using Policy, and how to Add or delete users and set permissions in Azure AD.
Adding a group to the local Administrators group via Group Policy is the fastest method. The manual method, on the other hand, is time-consuming and inefficient in environments where manual tasks are to be eliminated.
This process is achievable using Group Policy, Windows Command Prompt, PowerShell, and the manual method. One of the reasons you would want to grant local administrator permissions to some users on your domain computer is to enable them to carry out their tasks effectively.
For job roles such as technical support personnel, the Helpdesk team, certain users, and other privileged accounts, you must add the necessary Active Directory users or groups to the local Administrators group on servers or workstations.
Grant Local Admin Permissions to Users and Groups via Group Policy
Group Policy offers the fastest and most efficient way of granting local admin permissions to users and groups. There are two ways to do it, and they differ in what happens to the existing members:
1. Modifying the members of the local Administrators group. This method overwrites the existing members of the Administrators group.
2. Adding users to a new security group and making that group a member of the Administrators group. This method doesn't overwrite existing members of the Administrators group.
The first thing to do is to create a new security group and add users to it. After adding users to the group, we will modify the membership of the group and add the group as a member of the BUILTIN\Administrators group.
Step 1: Creating a User Group in Active Directory Users and Computers
To create a group in Active Directory Users and Computers, run the dsa.msc command from Run to open the console.

When Active Directory Users and Computers opens, right-click on the organizational unit of your choice to create a group.

Here, we are creating the group under the LocalAdmins-OU OU and naming it LocalAdminUsers.

After adding users to the group, we will use Group Policy (GPO) to add this user group to the local Administrators group on domain computers.
Step 2: Add Users to the Group
To add users to the group, double-click the Users container. In the Users container, right-click on the name of the user you want to add, then select Properties -> Member Of -> Add -> Check Names.

After checking and finding the name, click on OK and Apply and then OK to effect changes.

Here, we’re adding the users called HelpDesk and LocalAdminUser1.

Step 3: Create a new GPO in the Group Policy Management Console
To create a new GPO in the Group Policy Management Console, press Windows + R to open Run and type the gpmc.msc command. When you're in the Group Policy Management Console, right-click on Group Policy Objects -> New -> Specify the name -> OK.

Step 4: Edit the Newly Created GPO
To do this, right-click on the newly created GPO and click Edit.

In the Group Policy Editor Console, expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups -> Add Group.

Step 5: Select User Group to Add to Local Administrators
Next, in the Add Group dialog, click on Browse and select the group that we have created.

Step 6: Add the Group selected above as a Member of the Local Administrators Group
Once you click OK on the previous screen, a dialogue box will pop up prompting you to add the group to the Local Administrators Group.

Click OK as shown above and then click on Apply and OK on the next screen to effect the change.

Now you should see the group as a member of the local Administrators group.

Step 7: Link the GPO to an existing Computer OU
The GPO we created is ready. It's time to link it to the existing computer OU. This means that you have to move all the computers you want the GPO to apply to into the computer OU.
To link the GPO, right-click on the target OU, which is LocalAdminComputers in our case, and select Link an Existing GPO...

On the Select GPO dialog box, select the newly created GPO and click on OK.

Now, the Group Policy has been deployed successfully to the selected OU. It will be applied at the next Group Policy refresh cycle.
You can force the policy to apply immediately by running the gpupdate /force command in Windows Command Prompt. Make sure you run Command Prompt as an Administrator.
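After the refresh, it is worth checking on a target computer that the group really is in the local Administrators group and reviewing who else is. The following is an added example, not code from the original article; the function name Test-LocalAdminMembership is hypothetical, CONTOSO and PC01 are placeholder names because the article does not name the domain, and the expected-member list is an assumption to adjust.

```powershell
# Added example. CONTOSO and PC01 are placeholder names; the article does not
# name the domain. The default expected list is an assumption to adjust.
function Test-LocalAdminMembership {
    param(
        [string]$RequiredGroup = 'CONTOSO\LocalAdminUsers',
        [string[]]$Expected = @("$env:COMPUTERNAME\Administrator",
                                'CONTOSO\Domain Admins',
                                'CONTOSO\LocalAdminUsers'),
        # S-1-5-32-544 is BUILTIN\Administrators, whatever the OS language.
        [object[]]$Members = (Get-LocalGroupMember -SID 'S-1-5-32-544')
    )
    $names = @($Members | ForEach-Object { $_.Name })
    [pscustomobject]@{
        GroupPresent = $names -contains $RequiredGroup
        # The "member of" method keeps earlier members, so list any that are
        # not on the expected list for review.
        Unexpected   = @($names | Where-Object { $_ -notin $Expected })
    }
}

# Constructed membership with a leftover account from before the GPO.
$sampleNames = @(
    'PC01\Administrator'
    'CONTOSO\Domain Admins'
    'CONTOSO\LocalAdminUsers'
    'CONTOSO\OldHelpdeskUser'
)
$sample   = $sampleNames | ForEach-Object { [pscustomobject]@{ Name = $_ } }
$expected = $sampleNames[0..2]
Test-LocalAdminMembership -Members $sample -Expected $expected

# On a domain computer in the linked OU, from an elevated prompt:
gpupdate /target:computer /force
Test-LocalAdminMembership
```

Because the method used in this article does not overwrite existing members, any account reported under Unexpected was already a local administrator before the GPO applied and has to be removed separately.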

In part 2 of this article, I will show you how to manually grant Local Administrative Permissions to a group using the Windows Command Prompt and PowerShell.
I hope you found this post useful on how to Grant Local Admin Permissions to Users and Groups. Please feel free to leave a comment below.