Group Policy: Create and Lock down Windows Domain Account for Local Administrator access

This tutorial helps administrators create and manage a domain account that is used as Local Administrator on specific computers, with central control through Group Policy.


  1. Create a Domain User Account

  2. On the Account tab, click the Log On To button

  3. Enter the Computer DNS Name to restrict logon with this account to that computer

  4. Open Group Policy Management (Administrative Tools -> Group Policy Management).

  5. Create a new GPO named SP Local Administrators

In this case, the above servers are grouped under the INFRA_SERVERS\SharePoint group.

  6. Edit the new GPO SP Local Administrators; the GPO Editor will appear

  7. Navigate to Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups

  8. Click the + button to add a new item

  9. Set the New Local Group Properties values
     Action     : Update
     Group Name : Administrators (built-in)
     Members    : Domain User

  10. Close the GPO Editor window

  11. On the new GPO, under Security Filtering, add the computers this GPO should apply to

  12. Right-click the GPO and set Enforced

  13. Once Enforced, the GPO shows a lock icon
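The same steps scripted with the ActiveDirectory and GroupPolicy PowerShell modules, followed by checks that the logon restriction, the enforced link and the local group membership took effect; this is an added example, not part of the original tutorial. The account name, computer name and OU path are constructed placeholders, and the Local Users and Groups preference item (steps 6 to 9) is still created in the GPO Editor.

```powershell
# Added example: every name below except the GPO name is a constructed placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Account  = 'sp-localadmin'                       # assumed account name
$Computer = 'SPSRV01.example.local'               # assumed computer DNS name
$CompName = 'SPSRV01'                             # assumed computer account name
$GpoName  = 'SP Local Administrators'             # GPO name used in the tutorial
$TargetOU = 'OU=SharePoint,DC=example,DC=local'   # assumed OU that holds the servers

# Steps 1-3: create the domain account and restrict the computers it may log on to.
New-ADUser -Name $Account -SamAccountName $Account `
    -AccountPassword (Read-Host -AsSecureString "Password for $Account") `
    -LogonWorkstations $Computer -Enabled $true

# Steps 5 and 12: create the GPO and link it as Enforced.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $TargetOU -Enforced Yes | Out-Null

# Steps 6-9 (the Local Users and Groups item) are done in the GPO Editor.

# Step 11: security filtering. Only the target computer applies the GPO;
# Authenticated Users is reduced to Read so the policy can still be processed.
Set-GPPermission -Name $GpoName -TargetName $CompName -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Check 1: the account is limited to the expected computer.
$allowed = (Get-ADUser $Account -Properties LogonWorkstations).LogonWorkstations
if ($allowed -ne $Computer) { Write-Warning "Unexpected LogonWorkstations: '$allowed'" }

# Check 2: the link on the OU is enforced.
$link = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $link.Enforced) { Write-Warning "GPO link on $TargetOU is not enforced" }

# Check 3: after a policy refresh, list who is in the local Administrators group
# on the target and flag the case where the domain account is missing.
$members = Invoke-Command -ComputerName $Computer -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    Get-LocalGroupMember -Group 'Administrators'
}
$members | Select-Object Name, ObjectClass, PrincipalSource
if (-not ($members.Name -like "*\$Account")) {
    Write-Warning "$Account is not in Administrators on $Computer"
}
```

Reviewing the Check 3 output also shows any other principals in the local Administrators group, since the Update action adds the member without removing existing ones.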

