Add / Modify Membership of the Local Administrator Group

Hi There,

It is sometimes necessary to udpate membership of local administrators group, for pushing a service account for exemple in case of ConfigMgr Client Push.

In the following post, I’ll give you a way do this using Group Policies Preference (GPP).

  1. Open GPMC
  2. Br0wse to the container “Group Policy Objects”
  3. Right Click and select New
  4. Name your GPO

Once the list of actions above is completed, we can go through the configuration of the GPO itself.

  1. Open the GPO
  2. Right Click on the name of the GPO and disable “User Configuration” – As it is not required, it is better to have it disabled
  3. Navigate to “Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups”
  4. Right click and select “New -> Local Group”


In this example, the selected option will push into de Local built-in Administrators group the Domain Account which I called EXT\SVC_SCCM_ClientPush which purpose is to provide local Administrator right for pushing Configuration Manager Agents from the Console using client push.

Voilà ! This is as simple as it gets.

Be careful if you choose to check boxes that are over the member list, as it says it’ll remove every users and / or groups. This, depending on the scenario, can be useful, but I can as well damage configuration depending on the environment you’re working in.

David Gaillard

Leave a Reply