HOW TO: Add a domain group or user to the local Administrators group

The question of how to add a domain group to the local administrators group of a client or number of clients is probably one of the most popular questions in the Microsoft Public Active Directory newsgroups. And the answer is the same almost every time - use one of the following methods:
  • Restricted Groups GPO Security feature
  • Startup Scripts (also applied via GPO)
  • CUSRMGR command-line resource kit tool
Note. Two of these solutions are configured through a GPO. The scope of the GPO will vary; therefore where you link the GPO will vary. It is only important to note that in both instances we are talking about computer policy, and as such the GPO must be linked to a container that contains the computer objects for the domain members in question. If all your computer objects reside in the default Computers container then you should either link the GPO to the domain object and filter it by security group membership (the group must contain the computer accounts, not users) or you should move the computer objects into an OU and link the GPO to that OU. A GPO cannot be linked to the default Computers container: it is a container object, not an OU, and therefore does not support GPO links. For more information on GPO filtering, please refer to the following article:

Restricted Groups

Restricted Groups is a security setting that was designed to resolve the potential problem of somebody adding unauthorised objects to a group. This addresses issues ranging from an administrator temporarily adding a user into a group and forgetting to remove the user to a malicious attempt to add and remove users from a group.

However, due to the way in which it works, it also gives administrators the flexibility to centrally manage local groups on domain-member computers. It is for this reason that the feature is covered here: for adding a domain group to the local Administrators group of all computers within scope of a GPO.

The restricted groups feature can be configured in two different ways:
  • Compulsory. Configuring the group’s membership through the “member” property (labelled in the UI as “Members of this group”) enforces the membership. The security principals added to the group via this option will be the only members of the group (other than builtin\administrators which is never removed). Any security principals currently in the group will be removed.
  • Optional. Configuring the group’s membership through the “member of” property (labelled in the UI as “This group is a member of”) appends to the existing membership. The security principals added to the group via this option will be added to the existing membership. The existing members will be retained.
For the purpose of adding groups to the builtin\Administrators [local] group on workstations, the preferred mode is the addition ("member of") method rather than the replace ("members") method, since replacing the membership would strip out every existing member, including any locally added administrator accounts.

Implementing Restricted Groups

You implement restricted groups through a GPO. To do this, follow these steps.
  • Once you have decided where this GPO is to be linked, edit the GPO and drill down to:
    Computer Configuration\ Windows Settings\ Security Settings\ Restricted Groups

  • In the right-hand pane, right-click and choose Add Group...
  • The Add Group window appears. Add the name of the group that you wish to configure here, or use the Browse list to select a group from the Object Picker.
  • In the resultant window, click Add... next to the “This group is a member of:” section, and add the name of the group (or user, but groups are recommended for such configurations) that you wish to add to this group.
  • Repeat this step until all members are added and then click OK

    Note. You must be careful which option you select here. If you use the “Members of this group” option, instead of the “This group is a member of” option, then once this policy is defined, only the objects listed in the “Members of this group” box will be members of that group. Any other members will have been removed. If you follow the instructions and use the “This group is a member of” option then the security principals that you add will be added to the existing membership of the group you are configuring, in this case the Administrators group.

    Note. It is often recommended that you implement this policy from a workstation with the Windows Server Administration Tools (ADMINPAK.MSI) installed. This is because you can then use local groups that you cannot find on a Domain Controller, such as the Power Users group.
Once this policy replicates amongst Domain Controllers, the next time a computer that is within the scope of this GPO starts or refreshes its policy, the group membership will be enforced as stipulated in the Restricted Groups configuration.


Startup script

Any user account and/or applicable group (subject to the usual group nesting rules) can be added to a local group, provided the operation is undertaken with suitable credentials (security context). In order to add a domain group to a local group, you would use the following command, where the placeholders are the local group and the domain-qualified principal to add:

net localgroup <LocalGroup> /add <Domain>\<GroupOrUser>

For example, to add the testlab.com (TESTLAB) Domain Local Group Desktop Admins to the local Administrators group you would write the following:

net localgroup Administrators /add "TESTLAB\Desktop Admins"

Note. This particular example assumes that the domain is running in Native mode. In mixed mode, domain local groups are only valid on Domain Controllers.

To implement the NET LOCALGROUP command in a startup script you would perform the following steps:

Create the script

  • Write/ paste the aforementioned command into NOTEPAD and make the necessary changes to the group and domain names.
  • Save the file as either a .BAT or .CMD file, e.g. .bat

    Note. In Notepad you must either select All Files from the Save as type drop-down list, or enclose the file name in quotes, i.e. "filename.bat". Otherwise, NOTEPAD will append its own file extension (.TXT) to the end of the name.

Once the script has been written, you need to configure a computer startup script. This is done via GPO (Group Policy Object). The reason why this is done as a startup script (computer settings) and not a Logon script (user settings) is because logon scripts run under the user context of the user account that is logging on; computer scripts, on the other hand, run under the context of the computer, which is the SYSTEM account. This means startup scripts run with local administrative privileges.
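The command syntax and the script-creation steps above combine into a single startup script. The following is an added example, not a script from the original article; it uses the article's TESTLAB\Desktop Admins names, and the log file path under %SystemRoot%\Temp is a constructed assumption. Because a startup script runs at every boot, it first checks whether the group is already a member so that repeated runs are harmless, it quotes the group name (which contains a space), and it records what it did so that an administrator can confirm the rollout from the log rather than by visiting each machine.

```batch
@echo off
rem Added example startup script (not part of the original article).
rem Assumptions: domain TESTLAB, domain local group "Desktop Admins"
rem (the article's example names); the log path is a constructed choice.
setlocal

set "LOCALGROUP=Administrators"
set "DOMAINGROUP=TESTLAB\Desktop Admins"
set "LOGFILE=%SystemRoot%\Temp\addadmins.log"

rem "net localgroup <group>" lists one member per line, so FIND can test
rem for the exact domain\group string. FIND returns 0 when found, 1 when not.
net localgroup "%LOCALGROUP%" | find /i "%DOMAINGROUP%" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: "%DOMAINGROUP%" already in %LOCALGROUP% >> "%LOGFILE%"
    goto :eof
)

rem Not yet a member: add it. The group name contains a space, so it is quoted.
rem The script runs as SYSTEM at startup, which has the rights to change
rem local group membership.
net localgroup "%LOCALGROUP%" "%DOMAINGROUP%" /add
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add "%DOMAINGROUP%" to %LOCALGROUP% >> "%LOGFILE%"
) else (
    echo %DATE% %TIME% %COMPUTERNAME%: added "%DOMAINGROUP%" to %LOCALGROUP% >> "%LOGFILE%"
)

endlocal
```

Save it as a .BAT or .CMD file exactly as described above and deploy it through the Startup script GPO setting. The membership check matters for two reasons: NET LOCALGROUP fails with an error when the member already exists, which would otherwise show up at every boot, and a script that only adds what is missing does not disturb other members of the local Administrators group, in contrast to the "Members of this group" form of Restricted Groups.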

Create the GPO

  • Once you have decided where this GPO is to be linked, edit the GPO and drill down to:
    Computer Configuration\ Windows Settings\ Scripts (Startup/ Shutdown)

  • In the right-hand pane, double-click on Startup and click Show Files...
  • Paste the script into the resultant window and close the window
  • Click Add Files... and either type the name of the script (including file extension) or simply click Browse... and then select the script. Browse... automatically opens the location where you just pasted the script.
  • In this case, no parameters are necessary, so simply click OK and then close the Group Policy Editor


Once this policy replicates amongst Domain Controllers, the next time a computer that is within the scope of this GPO starts, the script will execute and the user or group will have been added to the PC's local Administrators group.

Further reading

Group Policy

Restricted Groups

Startup Scripts

Other links of interest

Group Policy Management Tool (GPMC): Group Policy Settings Reference: Type the following into Google or Live for more information:
site:microsoft.com "group policy" | GPO
"restricted groups" site:support.microsoft.com
"logon scripts" site:support.microsoft.com


Document information

Author: Paul Williams
Written: 10-04-2004
Version: 2.1
Last updated: 14-01-2008
Last updated by: Paul Williams