Grant Local Admin Rights in Windows with CMD


Introduction

Adding a user as a Local Administrator can be necessary for performing high-privilege tasks on a Windows machine. This is particularly relevant for Azure AD or domain-joined devices where standard users are not permitted to install software or change system settings.

In this guide, you’ll learn:

  • Why elevated privileges are required
  • Exactly how to add accounts using PowerShell
  • Best practices for security and administration

Why Add a User to the Local Administrators Group?

Local Admin rights are required for tasks such as:

  • Installing software
  • Updating drivers
  • Modifying system configurations
  • Running elevated PowerShell scripts

However, granting these rights comes with security risks, so it's important to grant them only when necessary and to record each change.

Exact Commands to Add a Local Administrator

For Azure AD Accounts:

net localgroup administrators /add "AzureAD\[email protected]"

For Domain Accounts:

net localgroup administrators /add "Domain\username"

Tip: Replace [email protected] with the actual Azure AD user and Domain\username with your domain and user identifier. Use straight double quotes around the account name and run the command from an elevated prompt.

Best Practices

  • Minimize scope: Avoid permanent elevated access—remove accounts when not needed.
  • Use scripts for bulk deployments: Automate with caution and incorporate logging.
  • Document changes: Keep a record of when, why, and by whom admin access was granted.
  • Security awareness: Ensure users understand the risks of elevated access.
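
One way to combine the logging and documentation practices above with the command from this guide, as an added example that is not part of the original guide. It assumes Windows PowerShell 5.1, an elevated session and an English group name; the log path, CSV columns and function names are hypothetical.

```powershell
# Added example: the log path, CSV columns and function names are assumptions.
$GrantLog = 'C:\ProgramData\LocalAdminGrants.csv'   # hypothetical location

function Get-AdminMemberSid {
    # Read the group through ADSI and return member SIDs. SIDs are compared
    # instead of names so the check does not depend on how a name is displayed.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in $group.Invoke('Members')) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0).Value
    }
}

function Grant-LocalAdmin {
    param(
        [Parameter(Mandatory)][string]$Account,   # "Domain\username" or the Azure AD form
        [Parameter(Mandatory)][string]$Reason,    # ticket number or justification
        [string]$Path = $GrantLog
    )
    $before = @(Get-AdminMemberSid)
    # Same command as in the guide; PowerShell quotes the argument itself.
    & net.exe localgroup administrators /add $Account | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup failed for '$Account' (exit code $LASTEXITCODE)"
    }
    # The SID that appeared in the group is the account that was just added.
    $sid = Get-AdminMemberSid | Where-Object { $_ -notin $before } | Select-Object -First 1
    # Record when, why and by whom the access was granted.
    [pscustomobject]@{
        TimeUtc   = (Get-Date).ToUniversalTime().ToString('o')
        Computer  = $env:COMPUTERNAME
        Account   = $Account
        Sid       = $sid
        Reason    = $Reason
        GrantedBy = "$env:USERDOMAIN\$env:USERNAME"
    } | Export-Csv -Path $Path -Append -NoTypeInformation
}

function Get-UnrecordedLocalAdmin {
    param([string]$Path = $GrantLog)
    $recorded = @()
    if (Test-Path $Path) {
        $recorded = @(Import-Csv $Path | Where-Object Computer -eq $env:COMPUTERNAME).Sid
    }
    # Members with no log entry. Built-in members show up until recorded or removed.
    Get-AdminMemberSid | Where-Object { $_ -notin $recorded }
}
```

Running Get-UnrecordedLocalAdmin on a schedule gives a list of administrators that were added outside this process and should be reviewed or removed.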

Conclusion

To allow elevated operations, use one of the above PowerShell commands depending on whether the account is Azure AD or domain-based. Always follow good security hygiene when managing admin privileges.

Source: Microsoft Learn
