Back to Basics – How to define a user in the Local Administrator Computer group by GPO

The objective of this post is to add a user to the Local Administrators group on all the desktop computers in an Organizational Unit.

This is the kind of thing that you do at school while you are studying, but if you never need it, you forget it.

In this case I googled a little bit to refresh my knowledge, and after two or three posts I found this great post that is so helpful.

Then, find the steps below:

1- Create a new group in Active Directory. You can select the user directly, but I think that it is better to use a group, because if in the future you need to grant more users these permissions, it is easy to make them members of this group.

Go to Server Administrator => Tools => Active Directory Users and Computers => and at the level that you want (it depends on your own organization's preferences) create a new group by right click => New Group and type a name, e.g. “G_local_Administrators”


2- The next step is to add the user that we want to become local administrator of the desktops to this group. Open the group and go to the Members tab => click the Add button => type the name of the user and select it.


3- After this, the next step is to create a GPO and link it to the Organizational Unit where the group resides. To do it, go to Server Administrator => Tools => Group Policy Management => Group Policy Objects => right click and select New => type a descriptive name for the new GPO. For example “Set Local Administrators”


With this action you will create a new empty GPO. Then right click on the new GPO object and select Edit. Navigate into the settings tree and go to Computer Configuration => Preferences => Control Panel Settings => right click on Local Users and Groups => New Local Group.

This action shows a window where you can set different options:

    • In the Action field select Update.
    • In Group Name select Administrators (built-in)
    • Leave the Rename to field blank
    • In Description type a description if you want
    • Do not check Delete all member users and Delete all member groups
    • In Members => select Add => type the name of the group that you created before in step 2 and click OK


4- Now you can close the Group Policy Management Editor and navigate to the OU where the desktop accounts reside. Right click on the OU folder and select Link an Existing GPO => and select the GPO that you created a minute ago.


5- Then, if you want to apply this new GPO immediately on one desktop, open the command prompt on the desktop, type gpupdate /force and reboot the desktop.


After these steps, all the users that are members of the group that you created will become members of the local Administrators group on the desktops.
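
A check to run on one desktop after step 5, added here as an example and not part of the original post: it confirms that the domain group reached the built-in Administrators group and lists every other member for review. Because the Update action in step 3 was configured without the two Delete options, the policy adds the group and leaves existing members in place. CONTOSO is a placeholder domain name, and the function name and the list of expected accounts are assumptions.

```powershell
# Run in an elevated Windows PowerShell 5.1+ session on a desktop in the OU.
# CONTOSO is a placeholder domain; the group name is the example from step 1.
$ManagedGroup = 'CONTOSO\G_local_Administrators'
# Members accepted besides the GPO-managed group (placeholder values):
# the built-in local account and the group added when the computer joined the domain.
$AlsoExpected = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')

function Get-LocalAdminReport {
    param(
        [Parameter(Mandatory)][string]$ManagedGroup,
        [string[]]$AlsoExpected = @()
    )
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # so the lookup does not depend on the localized group name.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    foreach ($m in $members) {
        # String comparison operators are case-insensitive in PowerShell.
        if ($m.Name -eq $ManagedGroup) {
            $status = 'ManagedByGPO'
        } elseif ($AlsoExpected -contains $m.Name) {
            $status = 'Expected'
        } else {
            $status = 'Review'
        }
        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass
            Source      = $m.PrincipalSource
            Status      = $status
        }
    }
}

$report = @(Get-LocalAdminReport -ManagedGroup $ManagedGroup -AlsoExpected $AlsoExpected)
$report | Sort-Object Status, Name | Format-Table -AutoSize

# The policy has not taken effect if the managed group is missing.
if (-not ($report | Where-Object Status -eq 'ManagedByGPO')) {
    Write-Warning "$ManagedGroup is not a local administrator yet. Run 'gpupdate /force' and check the GPO link on the OU."
}

# Members that were already present before the policy stay in the group.
$report | Where-Object Status -eq 'Review' | ForEach-Object {
    Write-Warning "Local administrator not covered by the policy: $($_.Name)"
}
```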


About gonzalezaitor

I work in IT consulting, specializing in infrastructure and desktop virtualization, archiving, availability and encryption. I currently work at Contec IT Services, where I develop projects focused on VMWare, NetApp, Symantec and Microsoft.