Add domain user/group to local administrator group on user computers using GPO

Step 1. Create a security group

Log in to a domain controller (or any machine with the AD admin tools), create a domain security group, e.g. JAdmin, and add the users who should become local administrators as its members. Keep this group small and audited: everyone in it will be an administrator on every computer the GPO reaches.


Step 2. Create a GPO and link it to the desired OU

Open the Group Policy Management Console (gpmc.msc)
Right click the OU that contains the target workstations
Click Create a GPO in this domain, and Link it here...
Name the GPO "Local Administrators"
The policy should now appear in the tree under that OU

Link the GPO to the workstation OU rather than the domain root. A link at the domain level also applies to the Domain Controllers OU, and Restricted Groups processed on a domain controller modifies the domain's built-in Administrators group, which would make JAdmin a domain administrator.


Step 3. Modify the GPO

Right click the "Local Administrators" policy and choose Edit
Expand Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
In the right pane of Restricted Groups, right click and choose "Add Group..."
Type JAdmin (in the form DOMAIN\JAdmin) and click OK
Click Add under "This group is a member of:"
Add the "Administrators" group
Click OK

Use "This group is a member of" for JAdmin, as above. It adds JAdmin to the local Administrators group and leaves the existing members alone. The other list, "Members of this group", is authoritative: if you instead add the Administrators group to Restricted Groups and list JAdmin under its members, every member not in that list (local admin accounts, other domain groups) is removed at each policy refresh. That behaviour is sometimes wanted, but not by accident.


Step 4. Apply the change

Clients pick the setting up at the next background refresh (by default every 90 minutes plus a random offset of up to 30 minutes) or at reboot. To apply it immediately, run from an elevated command prompt on the client, not on the domain controller:
cmd > gpupdate /force

Verify on the client with net localgroup Administrators; DOMAIN\JAdmin should be listed. If it is not, gpresult /scope:computer /r shows whether the "Local Administrators" GPO was applied to the computer at all.
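The same procedure from PowerShell, as an added example that is not part of the original post: it scripts Steps 1, 2 and 4 with the ActiveDirectory and GroupPolicy modules and then checks the result on a client. Step 3 has no Group Policy cmdlet and is still configured in the GPMC editor as described above. The domain name, OU paths, member names and the client name are assumed placeholders.

```powershell
# Added example (not from the original post). Scripts Steps 1, 2 and 4 and verifies the result
# on one client. Step 3 (Restricted Groups) is still done in the GPMC editor.
# Assumed placeholders: the contoso.com domain, the OU paths, the sample members and the client name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'JAdmin'
$GroupOU   = 'OU=Groups,DC=contoso,DC=com'
$TargetOU  = 'OU=Workstations,DC=contoso,DC=com'   # link here, never at the domain root
$GpoName   = 'Local Administrators'
$Members   = @('jdoe', 'asmith')                   # constructed sample members
$Client    = 'WS01'                                # a computer located inside $TargetOU

# Step 1: the domain security group and its members
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# Step 2: the GPO, linked only to the workstation OU
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Adds $GroupName to local Administrators via Restricted Groups"
}
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Step 3: in gpmc.msc edit the GPO and add DOMAIN\JAdmin under
# Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups
# with "This group is a member of: Administrators".

# Step 4: refresh the client and read the local Administrators group back.
# The group is resolved by its well-known SID so the check also works on localised Windows.
$result = Invoke-Command -ComputerName $Client -ScriptBlock {
    param($SidString)
    gpupdate /target:computer /force | Out-Null
    $sid = [System.Security.Principal.SecurityIdentifier]$SidString
    Get-LocalGroupMember -SID $sid | Select-Object Name, ObjectClass, PrincipalSource
} -ArgumentList 'S-1-5-32-544'

$expected = "$((Get-ADDomain).NetBIOSName)\$GroupName"
$result | Format-Table -AutoSize   # every local admin is listed, so unexpected ones stand out
if ($result.Name -contains $expected) {
    Write-Host "OK: $expected is a member of the local Administrators group on $Client"
} else {
    Write-Warning "$expected not found on $Client; check the link scope and run gpresult /scope:computer /r there"
}
```

Printing the full membership rather than only the expected entry is deliberate: the same listing shows stale local accounts or forgotten groups that Restricted Groups in "member of" mode will never remove.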


Delegate permissions on an OU (allow a group to rename computers)

dsa.msc > right click the OU > Delegate Control...

Add the group to delegate to, then choose "Create a custom task to delegate". Next

Choose "Only the following objects in the folder", then tick "Computer objects". Next

Tick the box before "Write All Properties"

Click Next and Finish

Be aware that "Write All Properties" grants far more than a rename right: the resulting ACE lets the delegated group write every attribute of every computer object under the OU, including security-sensitive ones such as servicePrincipalName and msDS-AllowedToActOnBehalfOfOtherIdentity. Whoever holds it effectively controls those computer accounts. If the requirement is only renaming, prefer granting Write on the specific attributes involved (Advanced Security Settings or dsacls) and review the resulting ACL.
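To see what the wizard actually wrote to the OU, the following added example (not part of the original post) reads the OU's ACL through the ActiveDirectory module's AD: drive and flags the ACE that grants write access to all attributes of computer objects. The OU path and the delegated group are assumed placeholders.

```powershell
# Added example (not from the original post): audit the delegation the wizard created.
# Assumed placeholders: the OU distinguished name and the delegated group.
Import-Module ActiveDirectory

$OU       = 'OU=Workstations,DC=contoso,DC=com'
$Delegate = 'CONTOSO\HelpDesk'

# schemaIDGUID of the computer class; "all properties" is represented by the empty GUID
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AllProperties     = [guid]::Empty

$acl  = Get-Acl -Path "AD:\$OU"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Delegate -and -not $_.IsInherited
}

# Everything explicitly granted to the delegate on this OU
$aces | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# The "Write All Properties on computer objects" ACE: WriteProperty, no specific attribute,
# inherited only by objects of the computer class.
$broad = $aces | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    $_.ObjectType -eq $AllProperties -and
    $_.InheritedObjectType -eq $ComputerClassGuid -and
    $_.AccessControlType -eq 'Allow'
}

if ($broad) {
    Write-Warning ("{0} can write ANY attribute of computer objects under {1}, " -f $Delegate, $OU) +
                  "including servicePrincipalName and msDS-AllowedToActOnBehalfOfOtherIdentity. " +
                  "Replace it with Write on the specific attributes the task needs."
} else {
    Write-Host "No 'Write All Properties' ACE for $Delegate on computer objects under $OU"
}
```

Run it before and after changing the delegation; the per-attribute replacement should show up as separate WriteProperty ACEs whose ObjectType is the schemaIDGUID of each attribute rather than the empty GUID.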
