The member accounts of the Administrators group on a Windows computer have full control permissions on the computer and do not require elevated privileges to perform a task. System administrators are often required to add users to the local Administrators group to allow them to control their PC as they please.
We have already discussed 6 methods to change a user account type on a Windows computer in another post. One of these methods is using Windows PowerShell. However, it is only valid if it is a local user account that you want to add to the Administrators group.
You may need to add different account types to this group, which can be:
- A local user account
- Microsoft account
- Active Directory (AD) account
- Azure Active Directory (AAD) account
This post discusses how you can add these accounts to the local Administrators group using PowerShell to grant them complete control of their computers. Furthermore, a system administrator can also use the method given at the end of this post to add users to the Administrators group remotely on another computer.
PowerShell LocalAccounts Module
Windows PowerShell comes with a preinstalled module called “LocalAccounts” that allows you to manage your system’s user accounts using PowerShell.
To get the complete list of the cmdlets that accompany this module, paste the following into PowerShell:
Get-Command -Module Microsoft.PowerShell.LocalAccounts
The list below briefly describes what each of these cmdlets is used for:
- Add-LocalGroupMember: Add a user to the local group
- Disable-LocalUser: Disable a local user account
- Enable-LocalUser: Enable a local user account
- Get-LocalGroup: View local group preferences
- Get-LocalGroupMember: View the list of all local group members
- Get-LocalUser: View local user account preferences
- New-LocalGroup: Create a new local group
- New-LocalUser: Create a new local user account
- Remove-LocalGroup: Remove a local group
- Remove-LocalGroupMember: Remove a member from a local group
- Remove-LocalUser: Remove local user account
- Rename-LocalGroup: Rename a local group
- Rename-LocalUser: Rename a local user account
- Set-LocalGroup: Change the settings of a local group
- Set-LocalUser: Change the account settings of a local user
That said, we are only going to be using the Add-LocalGroupMember cmdlet since that is all that is required to add a user account to the Administrators group using PowerShell.
Add Local User to Administrators Group using PowerShell
Adding a local user account to the Administrators group is pretty simple. All you need to know is the name of the user account that you want to add to the group.
Use the following command in elevated PowerShell to add a user account to the local Administrators group:
Add-LocalGroupMember -Group "Administrators" -Member "Username"
Replace Username with the name of the user account.
You can also add multiple users to the same Administrators group by separating the accounts with a comma (,).
Add-LocalGroupMember -Group "Administrators" -Member "FirstUsername", "SecondUsername", "ThirdUsername"
To remove a local user account from the Administrators group, use this command:
Remove-LocalGroupMember -Group "Administrators" -Member "Username"
Add Microsoft Account to Administrators Group using PowerShell
If a user account is logged in with a Microsoft account, then the following format will need to be used in PowerShell with administrative rights:
Add-LocalGroupMember -Group "Administrators" -Member "MicrosoftAccount\username@outlook.com"
Of course, MicrosoftAccount will need to be replaced with the name of the account and then followed by the Fully Qualified Domain Name (FQDN).
Add Active Directory Account to Administrators Group using PowerShell
If it is an Active Directory account that you want to give administrative privileges to, then the syntax of the cmdlet needs to be changed to the following:
Add-LocalGroupMember -Group "Administrators" -Member "Domain\User"
Replace Domain\User with the domain name and user account name respectively in the command above. For example, if the domain name is “Itechtics” and the user name is “Subhan,” then we will put in “Itechtics\Subhan”.
Add Azure Active Directory Account to Administrators Group using PowerShell
In the case of an AAD user account, you need to change the syntax of the command in an elevated PowerShell instance to the following:
Add-LocalGroupMember -Group "Administrators" -Member "AzureAD\Account@outlook.com"
You will need to replace AzureAD with the name of the Azure Active Directory, which will then be followed by the FQDN.
Add Local User to Administrators Group using PowerShell on Remote Computer
If you are a system administrator managing a large number of PCs in your domain, this method can save you a lot of time. You can add user accounts to the local Administrators group on remote computers on your network via PowerShell.
Now you won’t have a reason to get out of your chair!
Use the command below to add user accounts to the local Administrators group on remote computers:
Invoke-Command -ComputerName Computer1, Computer2 -ScriptBlock {
    Add-LocalGroupMember -Group "Administrators" -Member "FirstUsername", "SecondUsername"
}
Replace Computer1 and Computer2 with the names of the remote computers. You can also add more user accounts to the list, separating them with commas. You can also add different types of accounts (local, AD, AAD, Microsoft account) to the Administrators group with a single command. Here is an example of what that command will look like:
Invoke-Command -ComputerName Computer1, Computer2 -ScriptBlock {
    Add-LocalGroupMember -Group "Administrators" -Member "FirstUsername", "Domain\Username", "MicrosoftAccount\username@outlook.com"
}
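The remote command above, extended into an added example (not code from the original post) that can be re-run safely and reports who ends up in the Administrators group on each computer. Computer1, Computer2 and the account names are the article's placeholders; it assumes PowerShell remoting is enabled on the targets and that you run it with administrative rights on them.

```powershell
# Added example: Computer1, Computer2 and the member names are the article's placeholders.
$computers = 'Computer1', 'Computer2'
$members   = 'FirstUsername', 'Domain\Username'

$report = Invoke-Command -ComputerName $computers -ArgumentList (, $members) `
    -ErrorAction SilentlyContinue -ErrorVariable remoteErrors -ScriptBlock {
    param([string[]] $Members)

    foreach ($name in $Members) {
        try {
            Add-LocalGroupMember -Group 'Administrators' -Member $name -ErrorAction Stop
            $result = 'Added'
        }
        catch {
            if ($_.FullyQualifiedErrorId -like 'MemberExists*') {
                $result = 'AlreadyMember'   # re-running the script is not a failure
            }
            else {
                $result = "Failed: $($_.Exception.Message)"   # e.g. name not resolvable here
            }
        }
        [pscustomobject]@{ Record = 'Change'; Account = $name; Detail = $result }
    }

    # Resulting membership. PrincipalSource tells local, Active Directory,
    # Azure AD and Microsoft accounts apart.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Record  = 'Member'
            Account = $_.Name
            Detail  = "$($_.ObjectClass), $($_.PrincipalSource)"
        }
    }
}

# One table per run: what changed and who is now an administrator on each computer.
$report | Sort-Object PSComputerName, Record |
    Format-Table PSComputerName, Record, Account, Detail -AutoSize

# Computers that could not be reached are reported here instead of stopping the run.
foreach ($err in $remoteErrors) { Write-Warning $err.Exception.Message }
```

Keeping the table from each run gives you a record of which accounts were granted administrative rights and lets you spot members you did not expect.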
Closing Thoughts
The LocalAccounts module in PowerShell is very useful if you know when and how to use it. It can fetch in a jiffy information that takes minutes to find through the Windows Graphical User Interface (GUI), and it allows you to perform user-related administrative tasks using a single cmdlet.
The command line may not be everyone’s cup of tea, but if you are a system administrator, you can get used to Windows PowerShell and perform tasks more conveniently.