In this guide, I’m going to show you how to add a domain user account to the OpenVPN Administrators group. This group is only used to verify that users is able to use the OpenVPN interactive service.

If the user is an local administrator, then they automatically get added to this group during the installation process.

If the user is not an administrator (Standard user), then you may run into a few issues. Follow the troubleshooting guide below to fix the issue. Here’s one of the screens your end users may see:

Msg, Require membership of OpenVPN Administrators group

Clicking Yes on this popup will cause a weird loop and never actually add them to the group.

Other OpenVPN guides: https://smarthomepursuits.com/how-to-integrate-duo-2fa-into-openvpn/


Check if User is Added to OpenVPN Administrators Group

To check if the user is included the group, search Windows for “Edit Local Users & Groups” or go to Run > lusrmgr. Click Groups. If you see the OpenVPN Admins group, double-click it to see if the user was added to it:

You will not be able to add users to this group from this window, but you can see if anyone was already added. If you don’t see this group, then you’ll need to create it.


Powershell Script to Create OpenVPN Administrators Group & Add User

To create the group, use this command. If you don’t have a deployment tool like PDQ Deploy, then you can run these locally by opening Powershell as an administrator on the target computer.

New-LocalGroup "OpenVPN Administrators"

Then, add the user:

net localgroup "OpenVPN Administrators" domain\username /ADD

You can throw both of this into the same Powershell file if you’d like. Just change the username each time you use it.

After that, the user should have been successfully added. Most likely, the user will need to either be on your VPN or physically on your corporate network in order to be added to the group. For me, sometimes this works without being on either but I figured it’s worth mentioning in case you see a domain-trust error message when running on a remote machine.


Additional Thoughts

Since we are starting to deploy all computers with Standard user permissions, we typically do this BEFORE deploying or shipping someone a laptop. This is a simple way to prevent calls or tickets right after they get their new equipment.


Wrapping Up

Hopefully this guide helps you out! An alternative approach would be installing OpenVPN by simply logging into the local admin account. Then, you can just add the domain user. You’ll likely need to be on the VPN or corp network for that as well, but it will save you from needing to elevate the user session.



My Homelab Equipment

Here is some of the gear I use in my Homelab. I highly recommend each of them.

The full list of server components I use can be found on my Equipment List page.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *