PowerShell makes it fast to grant a user administrative rights on a Windows machine — but "fast" and "safe" aren't the same thing. This guide covers adding both local and domain accounts to the local Administrators group, how to verify it worked, and how to remove access when it's no longer needed.
Every command below manages the local Administrators group on the machine you run it on — not Active Directory's Domain Admins group, which is a much more sensitive, domain-wide privilege managed differently (via Add-ADGroupMember). Mixing these up is a common and costly mistake.
Add-ADGroupMember
Open PowerShell as Administrator, then run the following — replace jsmith with the target local username:
jsmith
Add-LocalGroupMember -Group "Administrators" -Member "jsmith"
No output means it succeeded. If the user is already a member, PowerShell will return an error saying so.
On a domain-joined machine, you can grant a domain account local admin rights on just that machine by including the domain name:
Add-LocalGroupMember -Group "Administrators" -Member "CONTOSO\jsmith"
Replace CONTOSO with your domain's NetBIOS name and jsmith with the domain username. This grants admin rights on this one machine only — it does not touch anything in Active Directory.
CONTOSO
Confirm the change by listing everyone currently in the local Administrators group:
Get-LocalGroupMember -Group "Administrators"
Sample output:
ObjectClass Name PrincipalSource ----------- ---- --------------- User DESKTOP-01\jsmith Local Group CONTOSO\Domain Admins ActiveDirectory User CONTOSO\jsmith ActiveDirectory
Access reviews matter as much as granting access in the first place. To remove a user from the local Administrators group:
Remove-LocalGroupMember -Group "Administrators" -Member "jsmith"
Local admin rights let a user install software, change security settings, and disable protections like antivirus — on that machine, they can do almost anything. That's also exactly what ransomware and malware look for once an account is compromised.
Get-LocalGroupMember
When using any software or code, it is important to remember that there is always a certain level of risk involved. As a user, you are responsible for ensuring that the software or code you are using is suitable for your needs and that you are aware of any potential risks associated with its use.
If you are considering using any code or software provided by ITMS, we advise you to review our terms of service at https://www.itms-us.com/Website-Terms-Of-Use.
Any code provided by ITMS is provided "as is," without warranties or guarantees. By using our code, you acknowledge and accept the risks associated with its use and agree to hold ITMS harmless for any damages or losses that may result.
IT Master Services can audit privileged access across your entire environment and implement least-privilege controls that keep your business secure.