Add a user to the local Administrators group on a remote computer

In this post, you will learn how to add an Active Directory user to the local Administrators group on a remote Windows computer with PowerShell, PsExec, the Computer Management console, and the desktop management tool Desktop Central.

On a domain-joined Windows machine, the local Administrators group by default contains only the local Administrator account and the Domain Admins group. This is not a good configuration: anyone who needs to manage a Windows client has to be a Domain Admin, which means they hold all rights in the Active Directory domain, and every time they log on to a workstation their Domain Admin credentials are exposed to whatever runs on that machine. It is therefore better to create a domain group for local administrators, add that group to the local Administrators group on every client, and then add all users who are allowed to manage your Windows desktops to the domain group.

The local Administrators group should be reserved for local admins, help desk personnel, etc. However, in some cases, you might want to temporarily grant an end user administrator privileges on their own machine so they can install a driver or an application. I know this is not really best practice, but, in my experience, overworked admins often opt for this solution if an important user keeps nagging. Keep in mind that a local administrator controls everything on that machine, including the credentials of anyone else who logs on to it, so keep the grant short and remove it again (see the last section). This is where the procedures described below come in.

Computer Management

The easiest way to add a user to the local Administrators group is to use the Computer Management console. You can connect to the remote computer via Remote Desktop, press Win+R, and then enter compmgmt.msc. However, a faster way is to launch Computer Management on your own computer and connect to the user's computer from there. To do so, right-click the Computer Management node at the top of the console tree, select Connect to another computer, and then enter the name of the machine you want to manage.

Computer Management - Connect to another computer

Note: You can also right-click the corresponding computer name and then select Manage in Active Directory Users and Computers.

If you are logged on to the Active Directory domain with an account that has administrative rights on the remote machine, the connection is established with your current credentials, without a password prompt. You can then navigate to System Tools > Local Users and Groups > Groups, open the Administrators group, and add the user.

Add user to the local Administrators group in Computer Management

A limitation of this method is that it only works if the Windows Firewall on the remote computer allows remote administration; the snap-in talks to the remote machine over RPC and SMB. If the ports are blocked, you will get an error message that the computer cannot be connected to, which looks like a permissions problem but is not one.

Hence, if you want to manage remote computers with Computer Management, you have to enable the Group Policy setting Allow inbound remote administration exception for the Windows Firewall, which opens TCP ports 135 (RPC endpoint mapper) and 445 (SMB) on the clients. You can find the policy in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.

Allow inbound remote administration exception

PsExec and net localgroup

The solution with PsExec from Microsoft's free PsTools works with the same firewall setting. After you unzip PsTools into a folder of your choice, you can add a user to the local Administrators group by running net localgroup on the remote machine through PsExec; the screenshot below shows the command and its output.

On my test machine, the computer name was “win81update,” my Active Directory domain was “domr2,” and the name of my user was “TestUser.”

Add user to the local Administrators group with PsExec and net localgroup
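The command from the screenshot, reconstructed here as an added example (it is not the post's own listing) with the names the post uses: computer win81update, domain domr2, user TestUser. It also shows how to verify the change and how to undo it, which the screenshot does not.

```powershell
# Added example: PsExec + net localgroup. Run from an elevated PowerShell
# prompt on the admin workstation with PsExec.exe in the current folder.
# Needs the ADMIN$ share and TCP 445 reachable on the target (the firewall
# exception discussed in the post). Names are the ones from the post.
$computer = 'win81update'
$user     = 'domr2\TestUser'

# PsExec copies its service binary to \\$computer\ADMIN$, starts it over
# SMB and runs net.exe there under your current token (no password is
# typed or sent, because no -u/-p is given). -accepteula suppresses the
# license dialog on first use.
.\PsExec.exe -accepteula "\\$computer" net localgroup Administrators $user /add

# Verify: list the current members so you can see that the change took effect.
.\PsExec.exe -accepteula "\\$computer" net localgroup Administrators

# Later, revoke the right again by swapping /add for /delete.
.\PsExec.exe -accepteula "\\$computer" net localgroup Administrators $user /delete
```

If you pass explicit credentials with -u and -p instead, PsExec logs on with them on the target, which leaves them in that machine's LSASS for the duration of the command; running under your own token, as above, avoids that.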

PowerShell

Of course, you can also use PowerShell to accomplish the task. The little script demonstrated in this section uses the [ADSI] type accelerator with the WinNT provider and consists of six lines.

The first three lines just prompt you for the domain, computer, and user names. Line 4 creates the reference object for the local Administrators group on the remote computer using the [ADSI] type accelerator with the WinNT provider, line 5 creates the corresponding reference to the domain user, and the last line adds the user to the Administrators group. The WinNT provider talks to the remote machine's SAM over SMB and authenticates with your current token; no password appears in the script.
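The six-line script described above, written out as an added example (not the post's own listing), followed by a membership check that the post does not show. The prompts and the WinNT paths are the only assumptions; the names used in the comments are the ones from the post.

```powershell
# Added example of the ADSI WinNT approach: three prompts, a reference to
# the remote group, a reference to the domain user, one Add call. Works on
# PowerShell 2.0 and later; authenticates with your current token over SMB.
$domain   = Read-Host 'Domain (NetBIOS name, e.g. domr2)'
$computer = Read-Host 'Remote computer name (e.g. win81update)'
$user     = Read-Host 'User name (e.g. TestUser)'
$group  = [ADSI]"WinNT://$computer/Administrators,group"
$member = [ADSI]"WinNT://$domain/$user,user"
# Throws "The specified account name is already a member of the group"
# if the user is already in it, so a failure here is not always a problem.
$group.Add($member.Path)

# Verify the change. The provider returns COM objects, so the member paths
# have to be read through InvokeMember rather than a plain property.
$group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}
# To revoke later, call $group.Remove($member.Path) with the same references.
```

The membership list is worth checking after every remote change: it confirms both that the add succeeded and that the group does not already contain members you did not expect.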

For this method to work, you need a different firewall setting than for the Computer Management solution. You have to enable the Group Policy Allow inbound file and printer sharing exception, which opens the SMB ports (TCP 139 and 445, UDP 137 and 138). The policy is also located in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.

Allow inbound file and printer sharing exception

Note that this policy is also sufficient for the PsExec method described above.
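Because each of the three methods so far depends on a different firewall exception, it pays to check from the admin workstation which ports are actually reachable before trying any of them; otherwise a blocked port is easily mistaken for a permissions problem. The following check is an added example, not part of the original post; the port-to-method mapping is my reading of the policies above, and the computer name is the one from the post.

```powershell
# Added example: probe the ports the remote-administration methods need.
# Uses a raw TcpClient so it also runs on PowerShell 2.0/3.0 hosts that
# lack Test-NetConnection.
function Test-RemoteAdminPorts {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$TimeoutMs = 2000
    )
    # Port -> which method of the post relies on it
    $ports = @{
        135  = 'RPC endpoint mapper: Computer Management (remote administration exception)'
        445  = 'SMB: PsExec, net localgroup, ADSI WinNT (file and printer sharing exception)'
        5985 = 'WinRM over HTTP: PowerShell remoting, winrs'
        5986 = 'WinRM over HTTPS: PowerShell remoting, winrs -usessl'
    }
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ComputerName, $port, $null, $null)
            # WaitOne returns $false on timeout; Connected catches refusals.
            $open = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Port     = $port
            Open     = [bool]$open
            UsedBy   = $ports[$port]
        }
    }
}

Test-RemoteAdminPorts -ComputerName win81update |
    Format-Table Computer, Port, Open, UsedBy -AutoSize
```

An open port only proves the firewall lets the traffic through; authentication and the remote machine's permissions are checked separately when you run the actual command.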

If you want to add a user to multiple computers, you should check out Jaap Brasser’s PowerShell script. The script can load a list of computers from a text file and allows you to work with parameters on the PowerShell console.

ManageEngine Desktop Central

Yet another option is to use a desktop management tool such as ManageEngine Desktop Central. Of course, if you just want to add one user to a group, you wouldn't deploy such a tool. However, if you often have similar remote management tasks, in particular if you have to apply them to many computers, a GUI tool has advantages over command-line tools or PowerShell: you can apply the task to any number of machines (including those that are currently offline) with just a few clicks and without writing a longwinded script. You will hardly find a remote management task that you can't automate with Desktop Central.

ManageEngine Desktop Central

Desktop Central requires you to install an agent on the remote machine, which you can easily do from the Desktop Central console. Once the agent is running on the remote machine, you have to add a Group Management Configuration. Under Step 2 - Define Configuration, you click Modify Group and then enter Administrators in the Group Name field. Under Add Members, you select Domain User and then enter the user name. Finally, in Step 3 – Define Target, you add the computer name.

Add user to the local Administrators group with Desktop Central

You also have to configure Windows Firewall so Desktop Central can work properly. The ports you have to open are listed in the Desktop Central documentation.

The downside of using a desktop management tool is, of course, that you have to buy it. Desktop Central is free for 25 devices.

How to remove a user from the Administrators group

If you only want to assign admin rights to a user temporarily, set yourself a reminder to remove the user from the group again; none of the methods above revokes the right by itself.

Removing the user with Computer Management or Desktop Central shouldn’t be a problem if you were able to add the user to the Administrators group.

To remove the user with PsExec, you just have to replace /add in the above command with /delete.

And in the PowerShell script, replace Add in the last line with Remove.
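A reminder is easy to forget. As an added example (not part of the post), the following script lets the target machine revoke the right by itself after a fixed number of hours by registering a one-shot scheduled task there. It assumes the user was already added with one of the methods above, that PowerShell remoting is enabled on the target, and that the target runs Windows 8 / Server 2012 or later (the ScheduledTasks module). The computer and user names are the ones from the post; the task name and the 8-hour default are my own choices.

```powershell
# Added example: schedule the revocation on the target so a temporary
# admin grant expires without anyone remembering to undo it.
param(
    [string]$ComputerName = 'win81update',
    [string]$Member       = 'domr2\TestUser',
    [int]$Hours           = 8
)

Invoke-Command -ComputerName $ComputerName -ArgumentList $Member, $Hours -ScriptBlock {
    param($Member, $Hours)

    $taskName = 'TempAdmin-Revoke-' + ($Member -replace '\\', '_')
    $revokeAt = (Get-Date).AddHours($Hours)

    # The task runs "net localgroup ... /delete" as SYSTEM, so it does not
    # depend on the granting admin's credentials still being valid later.
    $action  = New-ScheduledTaskAction -Execute 'cmd.exe' `
        -Argument "/c net localgroup Administrators `"$Member`" /delete"
    $trigger = New-ScheduledTaskTrigger -Once -At $revokeAt
    # EndBoundary plus DeleteExpiredTaskAfter makes Task Scheduler delete the
    # task itself shortly after it has fired.
    $trigger.EndBoundary = $revokeAt.AddHours(1).ToString('s')
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
        -DeleteExpiredTaskAfter (New-TimeSpan -Minutes 10)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest

    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
        -Settings $settings -Principal $principal -Force | Out-Null

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Member   = $Member
        RevokeAt = $revokeAt
        Task     = $taskName
    }
}
```

-StartWhenAvailable makes the task run late if the machine was switched off at the due time, but only until the EndBoundary; if your clients are often off for longer than an hour, widen that window. Since the task runs as SYSTEM, it also works when the user is logged on, though as noted in the comments the change only takes effect for their session after they log off and on again.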


28 Comments
  1. Milan 6 years ago

    One could also use GPO and Restricted Groups policy setting to add groups to local administrators remotely and automatically. Very useful for managing local group membership.

    0

  2. Milan, thanks for the hint. Group Policy is certainly a good option, but I think you can't use it to add individual users to the Administrators group

    0

  3. Milan 6 years ago

    Yes, but it is better practice to apply security settings to groups rather than individual user accounts 🙂

    0

  4. That's certainly true. The instructions in the post are mostly for the case where you temporarily want to grant admin rights to an end user on his or her machine only.

    1+

  5. Henrik 6 years ago

    To make someone a local admin on just one machine, I just have to add this computer’s name to the user’s Description in AD.
    http://serverfault.com/questions/79614/group-policy-administrator-rights-for-specific-users-on-specific-computers/685331#685331

    0

  6. GJ 5 years ago

    Thanks for listing multiple options. I could use PsExec flawlessly. However, I have a little different requirement. I need to add multiple users to one computer or one user to multiple computers. Does the command have an option for this? I am just about to write a batch file for this (calling the command multiple times in a loop of machine names) but thought I should check with you once.

    0

  7. David 5 years ago

    Since Microsoft disabled the GPO for setting local users in the Local Security Policy, this has proven a bit more difficult. I have had great success with powershell, but this only works for an existing local user or an existing domain user.

    $ComputerName = Get-ADComputer -LDAPFilter "(Name=workstation1)" | foreach {$_.name}

    invoke-command { net localgroup "Administrators" Domain\LocalAdmin /add} -computername $ComputerName

    Are there any ways that I can create a new local user with this or something similar? thanks!

    0

  8. JaJe 4 years ago

    Just use PsExec to create a profile remotely

     

    psexec \\<remote_computer> -d -u <domain>\<username> -p <password> cmd.exe /c echo.

    0

  9. WinFan 3 years ago

    Michael, great article! There is one more option available, using the winrs remote shell:

    winrs -r:win81update net localgroup administrators "domr2\TestUser" /add

    If SSL certificates are configured for HTTPS, you can go the more secure way:

    winrs -r:win81update -usessl net localgroup administrators "domr2\TestUser" /add

    Cheers

    0

  10. Your PC needs to restart.
    Please hold down the power button.
    Error code: 0x000000C4
    Parameters:
    0x0000000000000091
    0x000000000000000F
    0xFFFFF801E5962A80
    0x0000000000000000

    It is not going to be fixed with the command:

    C:\>cd Program Files\Oracle\VirtualBox\VBoxManage.exe
    The directory name is invalid.

    I am installing Windows Server 2012 R2 in VirtualBox.

    1+

  11. WinFan 3 years ago

    If I'm not wrong, MS has just added a module to its latest Powershell v5 iteration which has native cmdlets for managing local user accounts. Since not all of us work with the "latest and greatest" Windows 10 version in the enterprise which contains these new "goodies", the legacy methods presented here are still relevant 🙂 The majority of my users are still on Win 7 btw. due to legacy line-of-business compatibility issues

    0

    • @WinFan,

      The module which handles local accounts is not related to the operating system.
      You only need Powershell 5.1, whatever operating system you have.
      I have tested this module successfully on Windows 7.

      1+
  12. WinFan 3 years ago

    @Luc Fullenwarth

    Thanks for the hint! Was under the impression downward-OSes do not support this module.

    0

  13. Chris 3 years ago

    Is it safe to use the PowerShell method? Will it expose my domain administrator password to the domain member server? I'm concerned about attacks like mimikatz.

    0

  14. Author

    Interestingly, I couldn't find information on what kind of encryption the ADSI WinNT provider uses nowadays, but I don't think that administrator passwords are sent in clear text. Anyway, I would no longer use ADSI WinNT to add a user remotely to a group with PowerShell. I think PowerShell remoting is now the better option.

    If you only want to add a single user to the administrators group, you can establish an interactive remote session:

    If you want to do this in a script for multiple computers, you can use Invoke-Command:

    Just make sure that you enabled remoting.

    1+

  15. Etchell 3 years ago

    This script does not work. I am getting the message that an invalid path is used.

    Perhaps it is not working in more complicated environments where servers are in different domains than the accounts are?

    Server name is used either with or without FQDN and from the source system the destination remote server can be reached. Also it is not clear in which way a domain should be given, @DOMAIN, short DOMAIN, detailed DOMAIN?

    Would be great to get it working since I need to setup on multiple remote servers the local groups.

    0

    • Author

      If I remember it right, the domain name can be a NETBIOS name or a DNS name. You can find examples here. I never tried the script across domains. However, the fact that ADSI WinNT accepts domain names indicates that it works or at least that it worked before. Maybe you have an authentication problem? Can you add users with the Computer Management tool?

      If PowerShell remoting is enabled in your environment, you should consider this option. See the comment above.

      0

  16. Etchell 3 years ago

    Michael Pietroforte

    Your method only works if the remote server is on the higher PowerShell version which has the CMDLET Add-LocalGroupMember.

    If you try it with a Windows 2008 R2 SP1 server for instance, the INVOKE Command will just tell you that the CMDLET is not a known one.

     

    0
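The PowerShell remoting approach the author recommends in comment 14, written out as an added example (not the author's own code), with the fallback that comment 16 asks for: on hosts whose PowerShell predates Add-LocalGroupMember (it shipped with PowerShell 5.1), the script falls back to net localgroup. It assumes WinRM is enabled on the targets (Enable-PSRemoting) and that you hold admin rights there. win81update and domr2\TestUser are the names from the post; srv2008r2 is an assumed name standing in for an older host. This also answers comment 13: with Kerberos-authenticated WinRM the remote session is a network logon, so your password or hash is not stored on the target, unlike an RDP logon or PsExec with explicit -u/-p credentials.

```powershell
# Added example: add a domain user to the local Administrators group on
# several hosts over PowerShell remoting, using Add-LocalGroupMember where
# available and net.exe where not. Idempotent on both paths.
$computers = 'win81update', 'srv2008r2'   # srv2008r2 is an assumed name
$member    = 'domr2\TestUser'

$results = Invoke-Command -ComputerName $computers -ArgumentList $member -ScriptBlock {
    param($Member)
    if (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue) {
        # Modern path (PowerShell 5.1+): skip if already a member.
        $already = Get-LocalGroupMember -Group Administrators -ErrorAction Stop |
                   Where-Object { $_.Name -eq $Member }
        if (-not $already) {
            Add-LocalGroupMember -Group Administrators -Member $Member -ErrorAction Stop
        }
        $method = 'Add-LocalGroupMember'
    } else {
        # Legacy path: net.exe. Exit code 0 means added; system message 1378
        # means the account is already a member, which is fine too.
        $out = & net.exe localgroup Administrators $Member /add 2>&1
        if ($LASTEXITCODE -ne 0 -and "$out" -notmatch '1378') {
            throw "net localgroup failed on $env:COMPUTERNAME: $out"
        }
        $method = 'net localgroup'
    }
    # New-Object rather than [pscustomobject] so the object is built
    # correctly on PowerShell 2.0 hosts as well.
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Member   = $Member
        Method   = $method
    }
}

$results | Format-Table Computer, Member, Method -AutoSize
```

Hosts that cannot be reached produce a non-terminating error from Invoke-Command and simply do not appear in $results, so compare the output against your input list rather than assuming every host was changed.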

  17. Sarathy 3 years ago

    Thanks Michael for the scripts. It worked as described for me, I'm able to add/remove user to a user group in remote machine.

    Question:

    After adding a user to the Administrators group, it does not take effect immediately in the user's active session. He has to log off and log in again to get admin rights. Is it possible to achieve this without the user logging in again?

    0

  18. Author

    As far as I know, this is not possible.

    0

  19. Leonidas 2 years ago

    Thanks Michael for the scripts!

    I still have a question because I am unfortunately in despair.

    Is it possible with Powershell script to add one user in two or more groups at the same time?

    0

  20. Leonidas 2 years ago

    I meant local groups on remote computers.

    Best regards

    0

  21. If you have the Quest cmdlets, you can do a simultaneous/parallel add for the user.

    1+