As an administrator, you can set the local administrative permissions level a user can have on their Microsoft Windows 10 or 11 devices. For example, you can allow limited control or full access. This permission level is granted to the Windows account that's associated with a user's Google Account, notto a user's Google Account.
You can also provide administrative permissions to other existing Windows accounts. These accounts can be local to the device or Active Directory users and groups, even if they haven't yet signed in to the device.
Requirements
- To set administrative permissions for the user's account, the device must have Google Credential Provider for Windows (GCPW) installed on it and be under Windows device management.
- To give administrative permissions to other existing Windows accounts, the device must be under Windows device management.
Set administrative permissions
Before you begin:If you need to set up a department or team for this setting, go to Add an organizational unit .
- Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
- Go toMenu Devices > Mobile and endpoints > Settings > Windows .
Requires having the Services and devices administrator privilege.
- Click Account settings.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
- Under Manage local administrative access to devices, select Enabledfrom the list of items.
- To set the user's account permissions (requires GCPW):
- Select Standard Userto assign users standard accounts without administrative permissions. If you choose this option, enter at least one account in the Give local administrative accessfield (described in the next step). Otherwise, no accounts will be in the Local administrator group.
- Select Local Administratorto assign users local administrative permissions.
Windows limitations:
-
The user gets the Local Administrator permission level after they sign in to their device the second timeafter you assign the permission level.
-
Changing a user's permission level from Local Administrator to Standard User isn't supported on Windows 10 and 11.
-
Adding users to the Local Administrator group replaces the existing users. Any users that the GCPW does not recognize will be deleted from the group.
-
- Under Give local administrative access, enter existing Active Directory users, Active Directory groups, or local Windows user accounts that also get local administrative privileges. Use the following formats:
- Active Directory users: YourDomain\user
- Active Directory groups: YourDomain\group
- Local users: username
Separate values with commas. For example: YourDomain \Win10admins, YourDomain \jsmith, prayes, rnguyen
Important:
- If you do not enter any accounts, the existing Local Administrator group is cleared. If you set the user account type as Standard user, then no accounts have administrative access . If you set the user account type as Local administrator, then only the user has administrative access.
- If you enter an account that doesn't exist, a new account is not created on the device, and no changes are made to the Local Administrator group.
- If you repeat the same username in a case-insensitive way, for example, Admin and admin, the action will fail. Adding administrator will also fail, because Administrator is already built in by default.
- Click Save.Or, you might click Overridefor an organizational unit
.
To later restore the inherited value, click Inherit.
Related topic
Overview: Enhanced desktop security for Windows
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
