Manage Local Administrator Rights Using Group Policy

 Manage Local Administrator Rights is a must?

If you imagine users having local administrator rights it's a nightmare. They have (certainly) full control over their computer, and could do a lot of rubbish. To manage local administrator rights is definitely a must.

Manage Local Administrator Rights

The Active Directory Group Policies offer a great possibility to manage local groups on clients or servers. All the magic happens with "Restricted Groups".

Adding a group or users to a local group

If you want to add a certain group to a built-in group add the group to the restricted groups  under the "This group is a member of" sections:Group Policy Restricted Groups

When the GPO is no longer applied, the restricted group is being removed from the clients.

Overwrite local group members

When you wan't to take full control over a local group, you can choose the "Members of this group" option. Then all group members are replaced with the specified users or groups here, except the built-in local Administrator account.

Caution: Be careful overwriting the local Administrators group because you don't want to lock out yourself, do you?

So I would recommend to add at least the "Domain Admins" to the members: 

Resulting client settings

Last but not least with both options we achieve the following configuration for the local Administrators group on a client:

Local Administrators Group

The only but important difference between this two options is:

  • with the explicit declaration for the members the group gets overwritten with each policy refresh
    • you won't have any unwanted users or groups in your local Administrators group


Restricted Groups offer a great possibility to manage the local user rights in your environment. Combined with the Local Administrator Password Solution it's a big step towards a secure and easy maintainable solution.




The guy behind this blog. Combining work sports and social life.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.