Add A Domain Admin Group as Admin on Windows 11

Shane DeMun 6 Reputation points
2022-07-14T23:38:57.217+00:00

Hello

Background: One of my clients uses AD to manage their users and machines. The site manager, who is an ADMIN user in AD, was having difficulty installing apps on her new PC because it kept telling her that her user account did not have Admin privileges (she is logged in as her domain user, which does have admin privileges). I figured out that I needed to perform the following steps to give her admin privileges on Windows 11 despite her domain user having full admin rights.

Open Control Panel. Type admin in the Control Panel search bar. Under USER ACCOUNTS click on 'Give administrative rights to a domain user'.

In the window that opens up click ADD.

Enter the username and domain info for the user who should have administrator rights on this PC. Click OK. Then click Next.

Select Administrator level access.

Click Next, then click Finish.

Now this Domain User has Admin privileges on this Windows 11 PC.

So now my question: How can I tell a Windows 11 PC that is joined to the domain that all domain users who are a part of a specific Domain Group (Administrators or Admin Temp for example) should have admin rights on the Windows 11 PC from the moment they log in for the first time? It will be tedious to have to add each and every admin user in each instance, especially since new employees are added to Admin Temp for only 1 week after hire, then they are reduced to standard user permissions via AD.


Windows for business | Windows Client for IT Pros | User experience | Other

1 answer

  1. Rafael da Rocha 5,251 Reputation points
    2022-07-15T01:15:34.77+00:00

    I'm not sure that you're saying users are added to the domain admin group in AD. Hope I'm just reading it wrong, and you have a group called Administrators that is used for access.

    Anyway, I couldn't reproduce the issue in my lab.
    I spun up a clean install of Windows 11, logged in with a domain administrator account and the permissions were there, as the domain admins group is part of the local administrators.

    Maybe review the groups the user is part of in AD, and see if any of the groups is a member of the local administrators group on the workstation.
    If it isn't, consider adding the relevant group via GPO (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups).

    If this should already happen, and has worked in the past, maybe check if the policy applies to the OU where the computer object is.

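One way to run the check the answer suggests, as an added example that is not part of the original thread: the script lists the local Administrators group on the workstation, confirms whether the intended domain group is a member, and flags domain users that were added directly (such entries stay in place after the user is removed from the group in AD). The name `EXAMPLE\Admin Temp` is a placeholder; the domain name is an assumption, not a value from the thread.

```powershell
# Added example: audit the local Administrators group on a domain-joined PC.
# $ExpectedGroup is a placeholder; replace it with the real DOMAIN\group name.
param(
    [string]$ExpectedGroup = 'EXAMPLE\Admin Temp'
)

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
# lookup works regardless of the display language of the OS.
try {
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
} catch {
    Write-Error "Could not enumerate local Administrators: $($_.Exception.Message)"
    return
}

$report = foreach ($m in $members) {
    # Classify each entry so direct user grants stand out from group grants.
    $finding = if ($m.PrincipalSource -eq 'ActiveDirectory' -and $m.ObjectClass -eq 'User') {
        'Domain user added directly; unaffected by later AD group changes'
    } elseif ($m.Name -eq $ExpectedGroup) {
        'Expected admin group is present'
    } else {
        ''
    }

    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass       # User or Group
        Source      = $m.PrincipalSource   # Local, ActiveDirectory, ...
        Finding     = $finding
    }
}

$report | Format-Table -AutoSize -Wrap

# If the group is missing here, membership in it grants nothing on this PC,
# and the Restricted Groups policy is not reaching this computer object.
if ($report.Name -notcontains $ExpectedGroup) {
    Write-Warning "$ExpectedGroup is not a member of local Administrators on $env:COMPUTERNAME."
}
```

Run it from a PowerShell session on the affected workstation; after a Restricted Groups policy has applied, the expected group should appear and any leftover per-user entries can be reviewed for removal.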
