Membership in Account Operators, Domain Admins, or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at

To assign user rights to a group in Active Directory Domain Services
  1. To open Group Policy Management, click Start, click Run, type gpmc.msc, and then click OK.

  2. In the console tree, right-click Default Domain Controllers Policy, and then click Edit.


    • Domains\Current Domain Name\Group Policy objects\Default Domain Controllers Policy

  3. In the console tree, click User Rights Assignment.


    • Windows Settings\Security Settings\Local Policies\User Rights Assignment

  4. In the details pane, double-click the user right that you want to assign.

  5. Click Add User or Group.

    If the button appears dimmed, select the Define these policy settings check box.

  6. Type the name of the group to which you want to assign this right.

Additional considerations

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

  • To perform this procedure, you must first install Group Policy Management as a feature in Server Manager.

  • You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell. To open the Active Directory module, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell. For more information, see Assign User Rights to a Group in AD DS ( For more information about Windows PowerShell, see Windows PowerShell (

Additional references