# Granting Local Administrator Rights on Image Builders
<a name="active-directory-image-builder-local-admin"></a>

By default, Active Directory domain users do not have local administrator rights on image builder instances. You can grant these rights by using Group Policy preferences in your directory, or manually, by using the local administrator account on an image builder. Granting local administrator rights to a domain user allows that user to install applications on and create images in an WorkSpaces Applications image builder.

**Topics**
+ [Using Group Policy preferences](group-policy.md)
+ [Using the local Administrators group on the image builder](manual-procedure.md)

# Using Group Policy preferences
<a name="group-policy"></a>

You can use Group Policy preferences to grant local administrator rights to Active Directory users or groups and to all computer objects in the specified OU. The Active Directory users or groups to which you want to grant local administrator permissions must already exist. To use Group Policy preferences, you'll need to do the following first:
+ Obtain access to a computer or an EC2 instance that is joined to your domain.
+ Install the Group Policy Management Console (GPMC) MMC snap-in. For more information, see [Installing or Removing Remote Server Administration Tools for Windows 7](https://technet.microsoft.com/en-us/library/ee449483.aspx) in the Microsoft documentation.
+ Log in as a domain user with permissions to create Group Policy objects (GPOs). Link GPOs to the appropriate OUs.

**To use Group Policy preferences to grant local administrator permissions**

1. In your directory or on a domain controller, open the command prompt as an administrator, type `gpmc.msc`, and then press ENTER.

1. In the left console tree, select the OU where you will create a new GPO or use an existing GPO, and then do either of the following: 
   + Create a new GPO by opening the context (right-click) menu and choosing **Create a GPO in this domain, Link it here**. For **Name**, provide a descriptive name for this GPO.
   + Select an existing GPO.

1. Open the context menu for the GPO, and choose **Edit**.

1. In the console tree, choose **Computer Configuration**, **Preferences**, **Windows Settings**, **Control Panel Settings**, and **Local Users and Groups**.

1. Select **Local Users and Groups** selected, open the context menu , and choose **New**, **Local Group**.

1. For **Action**, choose **Update**.

1. For **Group name**, choose **Administrators (built-in)**.

1. Under **Members**, choose **Add…** and specify the Active Directory users or groups to which to assign local administrator rights on the streaming instance. For **Action**, choose **Add to this group**, and choose **OK**.

1. To apply this GPO to other OUs, select the additional OU, open the context menu and choose **Link an Existing GPO**.

1. Using the new or existing GPO name that you specified in step 2, scroll to find the GPO, and then choose **OK**. 

1. Repeat steps 9 and 10 for additional OUs that should have this preference.

1. Choose **OK** to close the **New Local Group Properties** dialog box.

1. Choose **OK** again to close the GPMC.

To apply the new preference to the GPO, you must stop and restart any running image builders or fleets. The Active Directory users and groups that you specified in step 8 are automatically granted local administrator rights on the image builders and fleets in the OU to which the GPO is linked.

# Using the local Administrators group on the image builder
<a name="manual-procedure"></a>

To grant Active Directory users or groups local administrator rights on your image builder, you can manually add these users or groups to the local Administrators group on the image builder. Image builders that are created from images with these rights maintain the same rights. 

The Active Directory users or groups to which to grant local administrator rights must already exist.

**To add Active Directory users or groups to the local Administrators group on the image builder**

1. Open the WorkSpaces Applications console at [https://console.aws.amazon.com/appstream2](https://console.aws.amazon.com/appstream2).

1. Connect to the image builder in Administrator mode. The image builder must be running and domain-joined. For more information, see [Tutorial: Setting Up Active Directory](active-directory-directory-setup.md).

1. Choose **Start**, **Administrative Tools**, and then double-click **Computer Management**.

1. In the left navigation pane, choose **Local Users and Groups** and open the **Groups** folder.

1. Open the **Administrators** group and choose **Add...**.

1. Select all Active Directory users or groups to which to assign local administrator rights and choose **OK**. Choose **OK** again to close the **Administrator Properties** dialog box.

1. Close Computer Management.

1. To log in as an Active Directory user and test whether that user has local administrator rights on the image builder, choose **Admin Commands**, **Switch user**, and then enter the credentials of the relevant user.