How to Remove or Add Users in Local Administrators Group on Domain computers via Group Policy (GPO).

This tutorial contains step-by-step instructions on how to remove domain users or other local user accounts (other than the built-in Administrator account), from the local Administrators group on domain-joined computers.

A major security risk in an Active Directory environment is allowing Domain or Local users to manage a workstation.

Removing domain users, and local users from the Local Administrators group on domain computers is a best practice for domain security, and we'll explain why this should be done below.

• When a domain or a standard local user has administrator rights on a domain computer, any breach of their account by an unauthorized person can lead to full control of the computer. For example, an attacker can use this increased access to install malware, steal data, or gain access to other systems on the network.

In this guide, you'll find detailed instructions to delete the standard domain user(s)", or other local users (other than the standard "Administrator" account) from the local "Administrators" group on each domain computer.

How to Delete Unwanted Accounts from Local Administrators Group and Set any Domain User as Local Administrator in Active Directory Domain Workstations.

Info: In this example we will show how to remove from the local "Administrators" Group, the local user "Admin" and the domain user "User1", while keeping only in the group the "Administrator"* account and the "Domain Admins"** group as shown in the image(s) below.

* After removing the unwanted accounts, you can use Microsoft's Local Administrator Password Solution (LAPS) to manage the passwords of local Administrators on your domain computers.

** If you want to keep your network more secure, you can deny Domain Admins to logon locally on domain PCs, by applying the instructions on this article: How to Deny Domain Admins to Log On Locally on Workstations.

1. Open Server Manager and from the Tools menu open the Group Policy Management.

2. In Group Policy Management, either edit the default domain policy or create a new group policy for the entire domain or just for the OU that contains the Computers on which you want to specify the Local Administrator accounts.*

* Note: In this example, we will define the local administrator accounts with a new policy, in a specific OU called "Workstations" that contains all the domain computers where we want this policy to apply.

3. Right-click and select Create a GPO in this domain, and Link it here…

4. Name the new GPO as "Local Administrators on Workstations" and click OK.

5. Now Edit the created GPO.

6. Go to Computer Configuration > Preferences > Control Panel Settings > Local users and Groups.

7. Right-click on Local users and Groups and select New > Local Group.

8. On the "New Local Group Properties" window, do the following:

1. 1. In Action, choose: Update
   2. In Group Name, choose: Administrators (Built-in)
   3. Check Delete all member users
   4. Check Delete all member groups

   5. Click the Add button.

      

   6. Type Administrator and click OK.

      

   7. Now, click Add again.

   8. Click on three dots next to the "Name" filed.

      

   9. Type "Domain Admins", click Check Names and click OK & OK.*

      * Related article: Why and how to prevent Domain Admins to logon locally on domain workstations.

      

       

   10. Finally click Apply > OK to save the GPO. *

       * Note: Repeat (if you want) the same steps, to add any other standard or domain user(s) in the local administrators group.

       

11. Close all the Group Policy Management windows.

12. Finally, open Command Prompt as Administrator and give the following command to apply the changes (or restart the workstations):

• gpupdate /force

That's it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.

If this article was useful for you, please consider supporting us by making a donation. Even $1 can a make a huge difference for us in our effort to continue to help others while keeping this site free:

• Author
• Recent Posts

Konstantinos Tsoukalas

Konstantinos is the founder and administrator of Wintips.org. Since 1995 he works and provides IT support as a computer and network expert to individuals and large companies. He is specialized in solving problems related to Windows or other Microsoft products (Windows Server, Office, Microsoft 365, etc.).

Latest posts by Konstantinos Tsoukalas (see all)

• FIX: Device encryption is temporarily suspended and does not resume after the computer restarts (Windows 11). - May 5, 2026
• How to Install Chrome or any 'Line of Business' app on Intune Enrolled Windows Devices. - April 29, 2026
• How to Create a DDM Update Policy for iOS Devices in Intune. - April 23, 2026