Add a User to the Administrators Group Using PowerShell

Local & Domain Users | Verify & Remove Access

Granting Local Admin Rights the Right Way

PowerShell makes it fast to grant a user administrative rights on a Windows machine — but "fast" and "safe" aren't the same thing. This guide covers adding both local and domain accounts to the local Administrators group, how to verify it worked, and how to remove access when it's no longer needed.

Every command below manages the local Administrators group on the machine you run it on — not Active Directory's Domain Admins group, which is a much more sensitive, domain-wide privilege managed differently (via Add-ADGroupMember). Mixing these up is a common and costly mistake.

Requires: An elevated (Run as Administrator) PowerShell session on the target machine.
Add a user to the Windows Administrators group using PowerShell

Method 1: Add a Local User Most Common

Open PowerShell as Administrator, then run the following — replace jsmith with the target local username:

Add-LocalGroupMember -Group "Administrators" -Member "jsmith"

No output means it succeeded. If the user is already a member, PowerShell will return an error saying so.

Method 2: Add a Domain User to a Local Admin Group

On a domain-joined machine, you can grant a domain account local admin rights on just that machine by including the domain name:

Add-LocalGroupMember -Group "Administrators" -Member "CONTOSO\jsmith"

Replace CONTOSO with your domain's NetBIOS name and jsmith with the domain username. This grants admin rights on this one machine only — it does not touch anything in Active Directory.

Verify Group Membership

Confirm the change by listing everyone currently in the local Administrators group:

Get-LocalGroupMember -Group "Administrators"

Sample output:

ObjectClass   Name                PrincipalSource
-----------   ----                ---------------
User          DESKTOP-01\jsmith   Local
Group         CONTOSO\Domain Admins  ActiveDirectory
User          CONTOSO\jsmith      ActiveDirectory

Removing Admin Access

Access reviews matter as much as granting access in the first place. To remove a user from the local Administrators group:

Remove-LocalGroupMember -Group "Administrators" -Member "jsmith"
Why This Matters More Than It Looks

Local admin rights let a user install software, change security settings, and disable protections like antivirus — on that machine, they can do almost anything. That's also exactly what ransomware and malware look for once an account is compromised.

  • Follow the principle of least privilege: grant admin rights only to the users and only for the duration they actually need it.
  • For businesses managing many machines, consider Local Administrator Password Solution (LAPS) or Privileged Identity Management (PIM) for time-limited, audited elevation instead of standing admin access.
  • Periodically re-run Get-LocalGroupMember across your fleet to catch admin rights that were granted and never revoked.

When using any software or code, it is important to remember that there is always a certain level of risk involved. As a user, you are responsible for ensuring that the software or code you are using is suitable for your needs and that you are aware of any potential risks associated with its use.

If you are considering using any code or software provided by ITMS, we advise you to review our terms of service at https://www.itms-us.com/Website-Terms-Of-Use.

Any code provided by ITMS is provided "as is," without warranties or guarantees. By using our code, you acknowledge and accept the risks associated with its use and agree to hold ITMS harmless for any damages or losses that may result.

Worried About Who Has Admin Access?

IT Master Services can audit privileged access across your entire environment and implement least-privilege controls that keep your business secure.

Managed IT Services