Adding a Domain Group to the Local Administrators Group


KB ID 0000589 Dtd 02/04/12


This weekend I've been doing a school migration, (go live is tomorrow). Just as we were finishing up today, we found out a client application needed a certain user group to have LOCAL administrator rights on the client machines.

I remembered that it could be done and it had something to do with "Restricted Groups". So when I got home I fired up the test network and ran though it for tomorrow.


1. Launch "Active Directory Users and Computers" (Start > Run > dsa.msc {enter}). Ensure you have a domain security group, (Not a distribution group) with the domain members you wish to grant access to.

Domain Security Group

2. On a domain Controller, Start > Administrative Tools > Group Policy Management > Locate the OU that contains the computers that you wish to grant administrative rights to > Right Click >Create a GPO in this domain, and Link it here.

Warning: Do not create a GPO on an OU that contains servers or anything you would NOT want you users to have administrative access to.

Create a GPO

3. Give the policy a sensible name.

Name a GPO

4. Edit the policy that you have just created.

Edit a GPO

5. Navigate to:

Computer Configuration > Windows Settings > Security Settings > Restricted Groups

Right click > Add Group.

Add Restricted Group

6. Browse and locate your domain security group > OK.

Add Domain Group To Restricted Group

7. Under "This group is a member of" > Add > Add in Administrators >OK.

Add Domain Group To Local Group

8. Apply > OK

Add Security Group To Local Group

9. Now on your clients, the domain group will be added to the local administrators group.

Note: this may require a reboot or a "gpupdate /force" command.

Local Administrator Group Add Domain Group


Related Articles, References, Credits, or External Links


Author: Migrated

Share This Post On