By default, the local Administrators group on Windows machines only contains the Domain Admins group and the local Administrator account. This is not really a good configuration, because it means that anyone who is allowed to manage a Windows client machine must be a Domain Admin and therefore has all rights in the Active Directory domain. Thus, it is better to create a domain group for all local administrators and add that group to the local Administrators group on each machine. Then, you add all users who are allowed to manage your Windows desktops to this domain group.
The local Administrators group should be reserved for local admins, help desk personnel, etc. However, in some cases, you might want to temporarily grant an end user administrator privileges on his machine so he can install a driver or an application. I know this is not really best practice, but, in my experience, overworked admins often opt for this solution if an important user keeps nagging. This is where the procedures described below come in.
Computer Management
The easiest way to add a user to the local Administrators group is to use the Computer Management app. You can connect to the remote computer via Remote Desktop, open the Run dialog (Win+R), and then enter compmgmt.msc. However, a faster way is to launch Computer Management on your own computer and establish a remote connection to the user’s computer. To do so, right-click the Computer Management icon, select Connect to another computer, and then enter the computer name of the machine you want to manage.
Computer Management - Connect to another computer
Note: You can also right-click the corresponding computer name and then select Manage in Active Directory Users and Computers.
If you are logged in to an Active Directory domain, and if you have sufficient privileges to manage the remote machine, the connection should be established without the need to provide credentials. You can then navigate to Local Users and Groups and add the user to the Administrators group.
Add user to the local Administrators group in Computer Management
A problem with this method is that it only works if the Windows Firewall on the remote desktop is configured to allow remote administration. If it is not, you will get an error message saying that the computer cannot be connected to.
Hence, if you want to manage remote computers with Computer Management, you have to enable the Group Policy setting Allow inbound remote administration exception for the Windows Firewall. You can find the policy in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
Allow inbound remote administration exception
PsExec and net localgroup
The solution with PsExec from Microsoft’s free PsTools works with the same firewall settings. After you unzip the PsTools to the folder of your choice, you can add a user to the local Administrators group with the following command:
psexec \\ComputerName net localgroup Administrators "DomainName\UserName" /add
On my test machine, the computer name was “win81update,” my Active Directory domain was “domr2,” and the name of my user was “TestUser.”
Add user to the local Administrators group with PsExec and net localgroup
Of course, you can also use PowerShell to accomplish the task. The little script below demonstrates how you can add a user to the local Administrators group with PowerShell:
$DomainName = Read-Host "Domain name"      # Read-Host appends ": " to the prompt itself
$ComputerName = Read-Host "Computer name"
$UserName = Read-Host "User name"
$AdminGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"   # local Administrators group on the remote computer
$User = [ADSI]"WinNT://$DomainName/$UserName,user"                  # domain user to add
$AdminGroup.Add($User.Path)                                         # add the user to the group
The first three lines just prompt you for the domain, computer, and user names. In line 4, the script creates the reference object for the local Administrators group of the remote computer using the [ADSI] type accelerator (the WinNT provider). Line 5 creates the corresponding reference to the domain user, and the last line adds the user to the Administrators group.
As with the Computer Management solution, this method also depends on a firewall setting, but a different one: you have to enable the Group Policy Allow inbound file and printer sharing exception. The policy is also located in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
Allow inbound file and printer sharing exception
Note that this policy is also sufficient for the PsExec method described above.
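Before trying either remote method, it helps to know whether the two rule groups that these Group Policy settings turn on are actually active on the target, because the policy names and the Windows Firewall rule group names do not match. The following function is an added example and not part of the original post: it maps each policy to its rule group and reports how many inbound Domain-profile rules in that group are enabled. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later) over a DCOM-based CIM session; the function name and the output fields are my own, and the display group names are the English ones.

```powershell
# Added example (not from the original post): check which of the two firewall rule groups
# behind the post's Group Policy settings are enabled on a target computer.
function Test-RemoteAdminFirewall {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Group Policy setting (as named in the post) -> Windows Firewall rule group it enables
    $policyToGroup = [ordered]@{
        'Allow inbound remote administration exception'    = 'Remote Administration'
        'Allow inbound file and printer sharing exception' = 'File and Printer Sharing'
    }
    # DCOM rather than WinRM, because WinRM is not enabled by default on client Windows
    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -SessionOption $opt
    try {
        foreach ($policy in $policyToGroup.Keys) {
            $groupName = $policyToGroup[$policy]
            # Only inbound rules that apply to the Domain profile (or to all profiles) matter here
            $rules = @(Get-NetFirewallRule -CimSession $session -DisplayGroup $groupName `
                        -Direction Inbound -ErrorAction SilentlyContinue |
                      Where-Object { $_.Profile -match 'Domain|Any' })
            $enabled = @($rules | Where-Object { $_.Enabled -eq 'True' })
            [pscustomobject]@{
                Computer     = $ComputerName
                Policy       = $policy
                RuleGroup    = $groupName
                DomainRules  = $rules.Count
                EnabledRules = $enabled.Count
                Ready        = ($enabled.Count -gt 0)   # firewall side only; you still need admin rights
            }
        }
    } finally {
        Remove-CimSession $session
    }
}

# Usage (computer name from the post's test setup):
# Test-RemoteAdminFirewall -ComputerName win81update | Format-Table -AutoSize
```

A row with Ready set to False for "File and Printer Sharing" explains a failing [ADSI] or PsExec call before you start guessing at credentials; if the CIM session itself cannot be opened, RPC is blocked as well and the "Remote Administration" group is the first thing to look at.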
If you want to add a user to multiple computers, you should check out Jaap Brasser’s PowerShell script. The script can load a list of computers from a text file and allows you to work with parameters on the PowerShell console.
ManageEngine Desktop Central
Yet another option is to use a desktop management tool such as ManageEngine Desktop Central. Of course, if you just want to add one user to a group, you wouldn’t deploy such a tool. However, if you often have similar remote management tasks to do—in particular, if you have to automate such tasks for many computers—you are better off with a GUI tool than with command-line tools or PowerShell; you can automate the task for any number of machines (including those that are currently offline) with just a few clicks and without the need to write a long-winded script. You will hardly find a remote management task that you can’t automate with Desktop Central.
ManageEngine Desktop Central
Desktop Central requires you to install an agent on the remote machine, which you can easily do from the Desktop Central console. Once the agent is running on the remote machine, you have to add a Group Management Configuration. Under Step 2 - Define Configuration, you click Modify Group and then enter Administrators in the Group Name field. Under Add Members, you select Domain User and then enter the user name. Finally, in Step 3 - Define Target, you add the computer name.
Add user to the local Administrators group with Desktop Central
You also have to configure Windows Firewall so Desktop Central can work properly. You can find more information about the ports you have to open here.
The downside of using a desktop management tool is, of course, that you have to buy it. Desktop Central is free for 25 devices.
How to remove a user from the Administrators group
If you only want to assign admin rights to a user temporarily, you might want to set yourself a reminder to remove the user from the group.
Removing the user with Computer Management or Desktop Central shouldn’t be a problem if you were able to add the user to the Administrators group.
To remove the user with PsExec, you just have to replace “add” in the above command with “delete,” like this:
psexec \\ComputerName net localgroup Administrators "DomainName\UserName" /delete
And, in the PowerShell script, replace the last line with this one:
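To put the add and remove steps of the PowerShell method together, here is an added example that is not code from the original post. It uses the same [ADSI] WinNT provider as the post's script, accepts one or more computer names, refuses to add a member twice or remove one that is not there, and appends a CSV line for every change so that a temporary grant can be found and revoked later. The function names, the audit-log location and the output format are my own; the targets need the same "Allow inbound file and printer sharing exception" policy as the post's script.

```powershell
# Added example (not from the original post): list, add and remove members of the local
# Administrators group on remote computers with the [ADSI] WinNT provider, with an audit log.

function Get-RemoteLocalAdmin {
    # Returns current members as DOMAIN\Name (or COMPUTER\Name for local accounts)
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects, so the ADsPath is read via reflection,
        # e.g. WinNT://DOMR2/TestUser -> DOMR2\TestUser
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Set-RemoteLocalAdmin {
    # Adds (-Action Add) or removes (-Action Remove) DomainName\UserName on every computer given
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$UserName,
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add',
        [string]$LogPath = "$env:TEMP\LocalAdminChanges.csv"   # assumed log location
    )
    $account  = "$DomainName\$UserName"
    $userPath = "WinNT://$DomainName/$UserName,user"
    foreach ($computer in $ComputerName) {
        try {
            # -contains compares case-insensitively, so DOMR2\TestUser matches domr2\TestUser
            $isMember = (Get-RemoteLocalAdmin -ComputerName $computer) -contains $account
            if ($Action -eq 'Add' -and $isMember) {
                Write-Warning "$account is already in Administrators on $computer"; continue
            }
            if ($Action -eq 'Remove' -and -not $isMember) {
                Write-Warning "$account is not in Administrators on $computer"; continue
            }
            $group = [ADSI]"WinNT://$computer/Administrators,group"
            if ($Action -eq 'Add') { $group.Add($userPath) } else { $group.Remove($userPath) }
            # One audit line per change: who changed what, where and when
            [pscustomobject]@{
                Time      = Get-Date -Format 's'
                Computer  = $computer
                Account   = $account
                Action    = $Action
                ChangedBy = "$env:USERDOMAIN\$env:USERNAME"
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation
            Write-Host "$Action $account on $computer : OK"
        } catch {
            # Typical causes: firewall blocks SMB/RPC, no admin rights on the target, misspelled names
            Write-Warning "${computer}: $($_.Exception.Message)"
        }
    }
}

# Usage (names from the post's test setup):
# Set-RemoteLocalAdmin -ComputerName win81update -DomainName domr2 -UserName TestUser
# Get-RemoteLocalAdmin -ComputerName win81update
# Set-RemoteLocalAdmin -ComputerName win81update -DomainName domr2 -UserName TestUser -Action Remove
```

Because the computer parameter is an array, the same call works for a list read from a file (for example, Get-Content computers.txt), which covers the multi-computer case mentioned above, and the CSV log doubles as the reminder list of grants that still need to be revoked.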