
The ultimate guide to renaming the local administrator with Group Policy



The Administrator account is created automatically during Windows installation and is used to initialize the operating system. This account is then disabled and the user is prompted to create their own account, which is added to the local Administrators group.


As we said earlier, in modern versions of Windows, there is no password set for the administrator account. If a domain password complexity policy is applied to your computer, you may see the following message when you try to enable the administrator account:




How to rename the local administrator with Group Policy



Update: Having a unique group for each computer allows you to easily grant a single user permission to a single computer, as there is a one-to-one mapping of domain groups to local Administrators groups.


This group policy setting combined with the other setting made earlier (see Image 5.) will mean that the local administrator group on the computer DESKTOP01 in the CONTOSO domain will have the following members automatically added to the group:


But ANY other users or groups will be automatically removed after the next Group Policy refresh. This does mean there is a slight window of opportunity for someone to slip an unauthorised account into the local Administrators group, but it will be removed at the next policy update.


Now that you are able to granularly add a single user or group to the local Administrators group on a computer, you might run into problems if you have more than 1000 computers due to AD token bloat issues. To get around this we can set up some more broadly applied administrator groups that give admin access to only a subset of computers, such as all workstations or only the SQL Servers in your organisation.


To apply a Workstation Administrators group to the local Administrators group on all workstations, make sure you have a Group Policy targeted only at your workstations. This is normally pretty easy, as most companies isolate their workstation computer accounts in one (or a select number of) Organisational Units.


The nice thing about this is that if SQL is installed on the server at some point in the future, the SQL Admin group will be added automatically at the next Group Policy refresh without you having to do a thing.
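An added example, not code from the original article, of the check a practitioner would run on a computer after the preference applies: it compares the local Administrators group with the membership the GPP is expected to enforce (Domain Admins, the one-to-one mapped per-computer group, and any broader group such as the workstation or SQL admins groups described above), flagging anything that slipped in before the next refresh and anything expected but missing. The naming convention `LocalAdmins-<COMPUTERNAME>` for the per-computer domain group is an assumption; the page does not state one.

```powershell
# Added example (not the article's own code): audit the local Administrators group against
# the membership the Group Policy Preference (delete all members + add) is expected to enforce.
# Assumption: the one-to-one mapped domain group is named "LocalAdmins-<COMPUTERNAME>".
param(
    [string]$Domain = 'CONTOSO',
    # Broader groups applied per OU, e.g. 'CONTOSO\Workstation Admins' or 'CONTOSO\SQL Admins'
    [string[]]$ExtraAllowed = @()
)

# Members the preference should leave in place on this computer.
$expected = @("$Domain\Domain Admins", "$Domain\LocalAdmins-$env:COMPUTERNAME") + $ExtraAllowed

# Current membership; Name is returned as DOMAIN\name or COMPUTER\name.
$actual = @(Get-LocalGroupMember -Group 'Administrators')

$unexpected = @(foreach ($m in $actual) {
    # The built-in Administrator is matched by its well-known RID 500, because this
    # article is about renaming it, so its name cannot be relied upon.
    $isBuiltInAdmin = $m.SID.Value -match '-500$'
    if (-not $isBuiltInAdmin -and ($expected -notcontains $m.Name)) { $m }
})

$missing = @($expected | Where-Object { $actual.Name -notcontains $_ })

if ($unexpected.Count -gt 0) {
    Write-Warning 'Members outside the GPP allow-list (they will be removed at the next refresh):'
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize
}
if ($missing.Count -gt 0) {
    Write-Warning 'Expected members not present (domain group missing or policy not yet applied):'
    $missing | ForEach-Object { "  $_" }
}
if ($unexpected.Count -eq 0 -and $missing.Count -eq 0) {
    'Local Administrators membership matches the policy.'
}
```

Run it in Windows PowerShell 5.1 or later on the target computer, passing -ExtraAllowed for whichever broader groups the OU's policy applies; a missing domain group shows up here the same way it does as the event log warning mentioned in the comments.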


I get a similar error to the one that IanG mentioned. I am confused as to why you would have to add the built-in admin group to itself anyway. Were you trying to add the built-in admin account? From my testing the built-in admin account remained in my local admin group despite not being mentioned in the GPO.


The article is really informative, but I am still fuzzy on a few details on how to create a GPP that adds a specific user to an individual computer that is applied to an OU containing workstations. The closest I have come to doing this is by creating a GPP that has an altered user configuration and is applied to an OU containing users. I had the GPP make the currently logged-in user part of the local admin group and set the GPP to apply once. It added the current user, but only after a log off and on, or a reboot. To make matters worse, the next user I logged in with was also added to the local admin group on the workstation. I thought the GPP was supposed to be applied once! Is there a generic GPP that can add one user to the machine they are tied to and can be applied to a workstation OU? Or does this magical policy only exist in my imagination? Any help would be appreciated. Thank you!


Problem: Currently a GPO is enabled in AD to lock down Domain IDs, so we are not able to edit the GPO locally to add local IDs. So we need to find a solution to lock down local IDs without disturbing the Domain GPO. How can I achieve this without disturbing the existing Domain GPO?


I have a small query. In my company I can see unwanted users are accessing the server. I have planned everything, consolidated, and made a plan for who is going to access the server with admin permission. But I have come across one strange thing: all the server administrators need admin access, so I have created a security group for the same and moved all the members into that group to gain admin access. Now one more challenge is that some of the users need to be given Power User access, but in Builtin/AD I am not able to find the Power Users group, so I am not able to make the users Power Users via GPO. Can you advise me, and correct me if I am wrong in some way?


Alan, with my GPP, when I have not created the security group I get an event ID warning logged on the system. Is there any way to avoid it? I want it to skip and move on without any sign of the group missing. Is this expected, or how can I avoid it? Am I doing something wrong?


Alan, I have a question regarding inheritance of this GPP as it pertains to the updating of a built-in local Administrators group. Say we apply a GPP at the site level to delete existing group-type members of the group and then to update the membership with the desired group-type membership. Let us also assume that a second GPP is applied at the OU level that is only configured to further update the membership of the same group. Assuming a workstation is within scope of both policies, should the membership of the group in question contain the membership as configured in both the site GPP as well as the OU GPP, or will the OU GPP override the configuration of the site GPP?


The local group will be created on the local computer once the preference applies, then will become active once an AD group is created with the accounts populated? Is this thinking correct? If so, you are my hero!


@Stuart The local admin group is already created. If the domain group is not created then it will only give a warning in the event log. If the group is then created in AD, it will be added at the next policy refresh on that computer. Hope it helps.


Can I ask how you cross domain groups from parent domains to add them to child domains? I used to do this with Restricted Groups, but I believe that this can cause issues when applying the Local Groups preference. Any help would be much appreciated.


Excellent tutorial, however, I did some testing on a laptop and it seems that the Group Membership is not equal to specifying the exact account name: once I applied the policy to a notebook outside the local network (over VPN), I could not successfully elevate my permissions with that account any longer. Is that an expected limitation?


This way, I can achieve in one GPP, adding global security group domain admin/desktop admin for all PCs, then target individual necessary PCs to grant them a unique local user account with administrator right.


I am trying to add a domain group to the built-in Administrators group using %domainname%\groupname with the group update option. The description of the local Administrators group updates, but the group is not added.


I have the same issue as Kris: following this guide to the letter, all members of the local Administrators group are deleted but Domain Admins is not placed back in as a member of the local admin group.


This works well for its intended purpose. However, according to our policies, the machine administrators are not allowed to know the built-in local administrator password. They are required to log in using their own credentials. We have about 1800 machines spread across the country. In the event that one of them no longer has trust with the domain or one of them drops off the network completely, our administrators are not able to log on locally because they would never have logged onto the machine before. Is there any way to get around this? Is there some way to force password caching onto the machines to avoid this situation?


I saw a different effect after applying the policy. Sometimes I can only see one group and sometimes all three. After mapping the same settings and order of the Members group I was able to push the group via the policy.


Now in my case we have different servers used by people from different locations. What we want is that they should not be able to make any local users on some machines, and not even be able to add those local users to the admin group.


1. I should create a security group (Adminsecurity) and add users from other offices to it.
2. Use the Restrict-admin Group Policy with the mentioned groups (builtin-admins, domain-admin and AdminSecurity).
3. Create another security group (Secure-LocalAdmin-Server) and add all the machines which are used by other location users to it.
4. Apply the Group Policy only to Secure-LocalAdmin-Server.


Hi Alan, I work for a school and each student has a computer which is joined to our domain. So far, we gave them local admin rights manually. I would like to manage this by using a GPO on the Student OU, but according to your article I have to create a group for each computer, and that means I have to create thousands of groups. Am I right? I just feel like creating so many groups is too much load on my DC. Are there any alternative ways I can follow? What would you advise me? Thanks a lot.


In my first 6 orders I add members to the Administrators (built-in) group, Domain Admins, Domain Accounts, and some local accounts. The reason I have so many orders is because I found that if anything goes wrong in the policy when it is being applied, such as a non-existent group or account, it will stop executing: it will error out and move on to the next order. Hence 6 orders/policies to add users and groups to the Administrators (built-in) group.


I think Item-level targeting might help you with this. You can target specific security groups or computers. Alternatively you can create security groups and make the servers members of these, then target your GPO to apply to said groups.


Since last year I have revised my AD skills and I have found a quicker and easier way to add users to the local Administrators group on a domain. Currently I am using Item-level targeting. I did a write-up on this on my blog; head over here for the full instruction set: -level-targeting-use-gpo-to-set-user-as-a-local-administrator-on-a-single-computer/

