
Centrally Manage Local Administrators Group

Centrally manage the Local Administrators group on Windows Devices using Applivery — add or remove Users and groups via Policies.


TL;DR

Centrally manage the Local Administrators group on Windows devices with Applivery using policy configurations to add or remove users and groups.

Managing the Local Administrators group is essential for maintaining security and operational control over Windows Devices. Granting administrative access only to trusted users or service accounts helps prevent unauthorized changes, limits the attack surface, and ensures compliance with organizational Policies.

With Applivery, you can centrally manage the Local Administrators group on all enrolled Windows Devices by applying a Policy configuration. This allows IT administrators to add or remove specific users or groups from the local administrators group across the entire device fleet—automatically and consistently.

Note

The group policy we’ll use can manage various local groups; however, this article will focus specifically on managing the Local Administrators group.

Local Users and Groups

Once in the Applivery Dashboard, head to Policies (1) and choose the Policy where you want to create the admin user configuration.

Next, in the left-hand menu, select + Add configuration (2) and search for Local Users And Groups (3).

(Screenshot: Local Users And Groups configuration)

We will use the following template:

<GroupConfiguration>
  <accessgroup desc="">
    <group action=""/>
    <add member=""/>
    <remove member=""/>
  </accessgroup>
</GroupConfiguration>

Here's a breakdown of the XML elements:

  • <GroupConfiguration>: Encloses the entire group management configuration.

  • <accessgroup desc="">: Defines the local group you want to manage (e.g., Administrators).

  • <group action=""/>: Specifies how the group membership should be managed:

    • U = Update: Modifies the group by adding or removing only the specified members. Existing members not mentioned will remain unchanged.

    • R = Replace: Clears all current members and replaces them with the ones defined. Use only <add member=""/> with this action.

  • <add member=""/>: Adds a user or group to the specified access group.

  • <remove member=""/>: Removes a user or group from the specified access group.

Warning

This configuration does not create new users or groups; it only manages those that already exist on the Device.

Administrator group management example

In this example, our goal is to replace all current members of the local Administrators group with only the users explicitly defined in the XML configuration.

1. Current group state

The existing Administrators group contains three users.

2. Target group

We define the group we want to manage—in this case, the Administrators group. This can be identified in two ways:

  • By name: Use Administrators if all your Devices share the same OS language.

  • By SID: Use the well-known SID S-1-5-32-544 to avoid localization issues, since the group name varies depending on the operating system’s language.

3. Group action: Replace

We use the R (Replace) action in the <group> node. This will remove all current members of the group and replace them with those defined in the XML.

4. Define members

Use <add member=""/> to specify the users or groups you want to include.

In this case, we want only Administrator and Applivery to remain in the group.

(Screenshot: group configuration)

5. Outcome

Once deployed, the Administrators group will contain only the users defined in the XML. All others will be removed.

Note

If you’re managing the built-in Administrator account, remember that its name also varies based on the OS language. To avoid inconsistencies, you can rename it across all Devices using the Accounts: Rename administrator account setting under Local Policies → Security Options in the group policy configuration.

(Screenshot: Rename administrator account setting)

Downgrading users from Administrator to standard

A common compliance scenario — for example, to meet ISO 27001 requirements — is moving users from the Administrators group to the standard Users group. When Windows downgrades a user from Administrator to standard, it does not automatically add them to the Users group, leaving the user without any group membership and unable to access the device.

To handle both actions at once, configure a single XML with two blocks — one to remove the user from Administrators (S-1-5-32-544) and another to add them to Users (S-1-5-32-545):

<GroupConfiguration>
  <accessgroup desc="S-1-5-32-544">
    <group action="U"/>
    <remove member="ExactUsername"/>
    <add member="BackupAdminName"/>
  </accessgroup>
  <accessgroup desc="S-1-5-32-545">
    <group action="U"/>
    <add member="ExactUsername"/>
  </accessgroup>
</GroupConfiguration>

Replace ExactUsername with the username exactly as it appears on the device, and BackupAdminName with your organization’s backup administrator account.

Warning

The built-in Windows Administrator account cannot be removed from the Administrators group — this is enforced at the OS level. Always include at least one named administrator in the <add member> line of the Administrators block to avoid this error.

Note

You can use member="*" to target the currently logged-in user instead of a specific username. If * does not produce the expected result, replace it with the exact username as it appears on the device.

Warning

Only one Local Users and Groups XML configuration can be active per device. If you need to manage multiple groups, include all <accessgroup> blocks within the same <GroupConfiguration> element — never apply two separate policies to the same device.
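The following is an added example, not part of this article or Applivery's own tooling: a small pre-deployment check that parses a Local Users and Groups XML against the rules described above (one block per group, SIDs rather than names, no <remove> under R, at least one named admin in the Administrators block) and then simulates what U and R would do to a constructed starting membership, covering both the Replace example and the downgrade scenario. The usernames, the English built-in account name "Administrator" and the starting group state are assumptions.

```python
import xml.etree.ElementTree as ET

ADMINS_SID, USERS_SID = "S-1-5-32-544", "S-1-5-32-545"
BUILTIN_ADMIN = "Administrator"  # assumed English name; the OS refuses to drop it from Administrators

def _parse(xml_text):
    """Yield (desc, action, adds, removes) for each <accessgroup> block."""
    for ag in ET.fromstring(xml_text).findall("accessgroup"):
        yield (ag.get("desc", ""), ag.find("group").get("action"),
               [m.get("member") for m in ag.findall("add")],
               [m.get("member") for m in ag.findall("remove")])

def lint(xml_text):
    """Return the problems a policy would hit on the device; an empty list means it looks sane."""
    problems, seen = [], set()
    for desc, action, adds, removes in _parse(xml_text):
        if desc in seen:
            problems.append(f"{desc}: duplicate block; merge into one <accessgroup>")
        seen.add(desc)
        if not desc.startswith("S-1-5-"):
            problems.append(f"{desc}: use the well-known SID, group names are localized")
        if action == "R" and removes:
            problems.append(f"{desc}: R already clears the group; use <add> only")
        if desc == ADMINS_SID and (not adds or BUILTIN_ADMIN in removes):
            problems.append(f"{desc}: keep at least one named admin; built-in Administrator cannot be removed")
    return problems

def simulate(xml_text, state):
    """Apply the policy to {sid: set(members)} and return the resulting membership."""
    state = {sid: set(m) for sid, m in state.items()}
    for desc, action, adds, removes in _parse(xml_text):
        members = state.setdefault(desc, set())
        keep_builtin = desc == ADMINS_SID and BUILTIN_ADMIN in members
        if action == "R":
            members.clear()                    # Replace: drop everyone, then add the listed members
        else:
            members.difference_update(removes)  # Update: touch only the listed members
        members.update(adds)
        if keep_builtin:
            members.add(BUILTIN_ADMIN)         # OS-level rule: the built-in admin survives any removal
    return state

# Constructed downgrade policy: jdoe leaves Administrators, BackupAdmin is kept, jdoe joins Users.
DOWNGRADE_POLICY = """<GroupConfiguration>
  <accessgroup desc="S-1-5-32-544"><group action="U"/>
    <remove member="jdoe"/><add member="BackupAdmin"/></accessgroup>
  <accessgroup desc="S-1-5-32-545"><group action="U"/><add member="jdoe"/></accessgroup>
</GroupConfiguration>"""
# Constructed starting state: jdoe is a local admin and is not a direct member of Users.
START = {ADMINS_SID: {"Administrator", "jdoe", "Applivery"}, USERS_SID: set()}
```

Run `lint()` on a policy before assigning it; `simulate()` shows the membership you should then see under Computer Management → Local Users and Groups → Groups.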


Troubleshooting

Verifying that the policy was applied correctly

To check whether the configuration was applied on a device, open Event Viewer (eventvwr.exe), navigate to Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin, and search for LocalUsersAndGroups.

PutOrAddCommandFailedBecauseTargetAlreadyExists

Warning

This error does not necessarily mean the policy failed. It appears when Windows attempts to add a user who is already considered a member of that group — either directly or through implicit inheritance. For example, members of the Administrators group inherit Users group permissions at the OS level, so Windows may report this error even though the user is not explicitly listed in the Users group.

To confirm whether the configuration has been applied correctly, verify the group membership directly on the device via Computer Management → Local Users and Groups → Groups.

Key Takeaways

  • Managing the Local Administrators group is crucial for Windows security.
  • Applivery simplifies local admin group management through policy configurations.
  • XML configurations allow for precise control over group membership.
  • Using SIDs avoids localization issues when managing groups.
  • The 'Replace' action in XML configuration removes all existing group members.

Frequently Asked Questions

How does Applivery manage the Local Administrators group?

Applivery allows central management of the Local Administrators group on all enrolled Windows Devices by applying a Policy configuration, enabling IT to add or remove users/groups automatically.

How do I set up the configuration?

Navigate to Policies in the Applivery Dashboard, select a policy, then add a "Local Users And Groups" configuration. You'll use an XML template to define group actions and members.

What is the difference between the U and R actions?

You can use "U" (Update) to modify specific members, or "R" (Replace) to clear all current members and replace them with those defined in the XML configuration.

How do I avoid localization issues when targeting the Administrators group?

To avoid localization issues, identify the Administrators group by its well-known SID "S-1-5-32-544" instead of its name, which varies depending on the operating system’s language.

Can I downgrade a user from Administrator to standard in a single configuration?

Yes, configure a single XML with two blocks: one to remove the user from the Administrators group (S-1-5-32-544) and another to add them to the Users group (S-1-5-32-545).

Can the built-in Administrator account be removed from the Administrators group?

The built-in Windows Administrator account cannot be removed from the Administrators group due to OS-level enforcement. Always include at least one named administrator in your configuration.

How do I verify that the policy was applied?

Open Event Viewer (eventvwr.exe), navigate to "Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin", and search for LocalUsersAndGroups.

What does PutOrAddCommandFailedBecauseTargetAlreadyExists mean?

This error indicates Windows attempted to add a user already considered a member (directly or implicitly). It doesn't necessarily mean the policy failed; verify group membership directly on the device.

Last updated: June 9, 2026