How to Enable the Built-in Local Administrator account on Domain computers via Group Policy (GPO).

This tutorial contains step-by-step instructions on how to enable (or even disable) the local Administrator account on domain joined computers using a GPO.

As you know, the built-in Administrator account is disabled by default on any Windows computer. But if a computer is part of a domain, it's a good practice to have the Administrator account enabled so you can log into the client machine to manage it and to prevent unauthorized users from accessing the computer's data if they enable the administrator account.

In this article I will show you how to enable the built-in administrator account on Active Directory computers using Group Policy.*

* Note: After you enable the built-in Administrator on domain computers, you can use Microsoft's Local Administrator Password Solution (LAPS) to securely manage administrator passwords on each machine on the domain.

How to Enable/Disable the local Administrator account on Active Directory Domain computers via Group Policy.

To enable or disable the Local Administrator (built-in) account on domain PCs.

1. On your Domain Controller, open Server Manager and from the Tools menu open the Group Policy Management.

2. In Group Policy Management, either edit the default domain policy or -better- create a new group policy for the entire domain or just for the OU that contains the Computers on which you want to enable the local administrator account.*

* Note: In this example we proceed to enable the local administrator account in the "Workstations" OU that contains all the domain computers where we want this policy to apply.

3. Right-click and select Create a GPO in this domain, and Link it here…

4. Name the new GPO as "Enable Local Administrator" and click OK.

5. Now Edit the created GPO.

5. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

6a. Open the Accounts: Administrator account status policy.

6b. Here select Define this policy setting, check Enabled and click OK. *

* Note: To disable the built-in Admin account on domain pcs, set the policy to "Disabled"

7. Close all the Group Policy Management windows.

8. Finally, open Command Prompt as Administrator and give the following command to apply the changes (or restart the workstations):

• gpupdate /force

That's it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.

If this article was useful for you, please consider supporting us by making a donation. Even $1 can a make a huge difference for us in our effort to continue to help others while keeping this site free:

• Author
• Recent Posts

Konstantinos Tsoukalas

Konstantinos is the founder and administrator of Wintips.org. Since 1995 he works and provides IT support as a computer and network expert to individuals and large companies. He is specialized in solving problems related to Windows or other Microsoft products (Windows Server, Office, Microsoft 365, etc.).

Latest posts by Konstantinos Tsoukalas (see all)

• How to Effectively Remove or Disable Microsoft Copilot on Windows 11. - May 11, 2026
• FIX: Device encryption is temporarily suspended and does not resume after the computer restarts (Windows 11). - May 5, 2026
• How to Install Chrome or any 'Line of Business' app on Intune Enrolled Windows Devices. - April 29, 2026