As an administrator, you can set the local administrative privilege level a user can have on their Microsoft Windows 10 or 11 devices. For example, you can allow limited control or full access. This privilege level is granted to the Windows account that's associated with a user's Google Account, not to a user's Google Account.
You can also provide administrative privileges to other existing Windows accounts. These accounts can be local to the device or Active Directory users and groups, even if they haven't yet signed in to the device.
Before you begin
To give local administrative privileges, the device must be under Windows device management.
Set administrative privileges
Before you begin: If you need to set up a department or team for this setting, go to Add an organizational unit.
This setting helps you manage the local administrative access for Google Credential Provider for Windows (GCPW) users. A GCPW user can be a standard user or a local administrator.
To apply these privilege settings, the system uses the Microsoft LocalUsersAndGroups Configuration Service Provider (CSP) during the device sync event. When Manage local administrative access to devices is turned on in the Google Admin console, the CSP processes the configuration to grant local administrator privileges to the GCPW users and the existing Active Directory users, groups, or local Windows users specified in the Accounts with local administrative access field.
- In the Google Admin console, go to Menu > Devices > Mobile & endpoints > Settings > Windows.
  Requires having the Services and devices administrator privilege.
- Click Account settings.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
- Under Manage local administrative access to devices, select Enabled from the list of items.
- To set the account privileges for GCPW users:
  - For User account type, select Standard User to assign users standard accounts without administrative privileges.
  - For User account type, select Local Administrator to assign users local administrative privileges.
  Windows limitation: GCPW users are granted local administrator privileges during their second device login. Although the device sync following their initial sign-in adds them to the administrators group, the change only becomes active upon a subsequent login.
- (Optional) To give local admin privileges to existing Active Directory users, Active Directory groups, or local Windows user accounts, add them in the Accounts with local administrative access field. Use the following formats and separate multiple values with commas:
  - Active Directory users: YourDomain\user
  - Active Directory groups: YourDomain\group
  - Local users: username
  If you provide an account name that doesn't exist, a new account will not be created on the device. Non-existent accounts will be disregarded, and the remaining valid accounts will be processed. Removing user or group names from the field won't remove them from the Local Administrator group, but the removed names will not be added during future device syncs.
  Important: We recommend not using this field, which exists for historical continuity and is unlikely to be needed.
- Click Save. Or, you might click Override for an organizational unit.
  To later restore the inherited value, click Inherit.
Troubleshooting
If administrative settings are not applied as you intended, you can review the device management event logs on the Windows device for detailed diagnostic information.
- Open Event Viewer on the target device by searching for "Event Viewer" in the Windows Start menu.
- Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
- Review events related to the CSP LocalUsersAndGroups.
Example logs:
MDM PolicyManager: Set policy string, Policy: (Configure), Area: (LocalUsersAndGroups), EnrollmentID requesting set: (<Enrollment GUID>), Current User: (Device), String: (<GroupConfiguration><accessgroup desc="<Target Group>"<group action="U" /><add member="TEST_DEVICE\test1"/></accessgroup></GroupConfiguration>), Enrollment Type: (0x0), Scope: (0x0), Result: (0x80070534) No mapping between account names and security IDs was done.
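Added example, not part of the original page or Google's tooling: a PowerShell check that compares the device's actual Administrators group against the accounts you intended to grant (names removed from the console field stay in the group, so drift is possible) and lists the LocalUsersAndGroups events with their result codes. The names in $ExpectedAdmins are constructed placeholders.

```powershell
# Added example. Run in an elevated PowerShell session on the target device.
# $ExpectedAdmins is a constructed allow-list in the same formats as the
# "Accounts with local administrative access" field; replace with your values.
$ExpectedAdmins = @('Administrator', 'YourDomain\user', 'YourDomain\group')

# Local users are entered as "username", but Get-LocalGroupMember reports
# "COMPUTERNAME\username", so qualify bare names before comparing.
$expected = $ExpectedAdmins | ForEach-Object {
    if ($_.Contains('\')) { $_ } else { "$($env:COMPUTERNAME)\$_" }
}

# 1. Members of the built-in Administrators group (well-known SID S-1-5-32-544).
#    -notin is case-insensitive, which matches how Windows treats account names.
$actual = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
$audit = @(
    foreach ($m in $actual) {
        if ($m.Name -notin $expected) {
            [pscustomobject]@{ Finding = 'Unexpected admin'; Account = $m.Name; Source = $m.PrincipalSource }
        }
    }
    foreach ($n in $expected) {
        # A user covered only through a listed group is reported here too.
        if ($n -notin $actual.Name) {
            [pscustomobject]@{ Finding = 'Expected, not a direct member'; Account = $n; Source = $null }
        }
    }
)
$audit | Format-Table -AutoSize

# 2. LocalUsersAndGroups events from the device management Admin log, with the
#    result code and requested members pulled out of the message text.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -LogName $log -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'LocalUsersAndGroups' } |
    ForEach-Object {
        $code = if ($_.Message -match 'Result:\s*\((0x[0-9A-Fa-f]+)\)') { $Matches[1] }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Level   = $_.LevelDisplayName
            Result  = $code
            Members = ([regex]::Matches($_.Message, 'add member="([^"]+)"') |
                        ForEach-Object { $_.Groups[1].Value }) -join ', '
        }
    }
$events | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

A result of 0x80070534 next to a member name, as in the example log above, means that account name could not be resolved to a SID on the device.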
Related topic
Overview: Enhanced desktop security for Windows