![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
667 questions
Hello Albertosd77,
Thank you for posting in Microsoft Community forum.
You can user GPO Preferences.
1.Create one GPO and link it to domain.
2.Create one domain group and put all the domain computers except Domain Controllers to this group (such as group1).
3.Click the new GPO you created just now and add group1 under "Security Filtering".
Make Authenticated users have "Read" permission.
Make computer group have "Read" and "Apply group policy" permissions.
4.Edit this GPO and go to the following GPO section: Computer Configuration –> Preferences –> Control Panel Settings –> Local Users and Groups;
5.Add a new rule ( New -> Local Group );
6.Select Update in the Action field (it is an important option!);
7.Select Administrators (Built-in) in the Group Name dropdown list.
8.Click Add button.
9.In Local Group Member windows:
Name: select the domain user you want.
Action: Add to this group
10.Run gpupdate /force or restart the domain computers and check if the domain user is in local Administrators.
I hope the information above is helpful.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou