Set account permissions on Windows 10 devices

Supported editions for this feature: Frontline Starter and Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Standard, Education Plus, and Endpoint Education Upgrade; Enterprise Essentials and Enterprise Essentials Plus; Cloud Identity Premium. Compare your edition

As an administrator, you can set the local administrative permissions level a user can have on their Microsoft Windows 10 devices. For example, you can allow limited control or full access. This permission level is granted to the Windows account that's associated with a user's Google Account, not to a user's Google Account.

You can also provide administrative permissions to other existing Windows accounts. These accounts can be local to the device or Active Directory users and groups, even if they haven't yet signed in to the device.

Requirements

  • To set administrative permissions for the user's account, the device must have Google Credential Provider for Windows (GCPW) installed on it and be under Windows device management.
  • To give administrative permissions to other existing Windows accounts, the device must be under Windows device management.

Set administrative permissions

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Devicesand thenMobile and endpointsand thenSettingsand thenWindows.
  3. Click Account settings.
  4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
  5. Under Manage local administrative access to devices, select Enabled from the list of items.
  6. To set the user's account permissions (requires GCPW):
    • Select Standard User to assign users standard accounts without administrative permissions. If you choose this option, enter at least one account in the Give local administrative access field (described in the next step). Otherwise, no accounts will be in the Local administrator group.
    • Select Local Administrator to assign users local administrative permissions.

      Windows limitations:

      • The user gets the Local Administrator permission level after they sign in to their device the second time after you assign the permission level.

      • Changing a user's permission level from Local Administrator to Standard User isn't supported on Windows 10, version 1803.

  7. Under Give local administrative access, enter existing Active Directory users, Active Directory groups, or local Windows user accounts that also get local administrative privileges. Use the following formats:
    • Active Directory users: YourDomain\user
    • Active Directory groups: YourDomain\group
    • Local users: username

    Separate values with commas. For example: YourDomain\Win10admins, YourDomain\jsmith, prayes, rnguyen

    Important:

    • If this field is blank, the existing Local Administrators group is cleared. If you set the user account type as Standard user, then no accounts have administrative access. If you set the user account type as Local administrator, then only the user has administrative access.
    • If you enter an account that doesn't exist, a new account is not created on the device, no accounts are added to the Local Administrator group, and the existing Local Administrator group is cleared.
  8. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit

Related topics


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
6115314240281358020
true
Search Help Center
true
true
true
true
true
73010
false
false