When we think about administrative rights on Intune-enrolled Windows 10 devices, we need to consider the two possible join states of the device: Azure AD joined (AADJ) or Hybrid Azure AD joined (HAADJ). The distinction matters because different administrative roles are available at the directory level for each state.
For Azure AD joined devices, at the time of the join, the Global Administrator role and the Azure AD Joined Device Local Administrator role (previously named Device Administrator) are added to the local Administrators group. The user performing the join is also added as a local administrator in most cases, although Autopilot does allow you to prevent this. If you open the local Administrators group on an Azure AD joined device, you will see two SIDs prefixed S-1-12-1, which are the Global Administrator and Azure AD Joined Device Local Administrator roles, and, where somebody performed a manual Azure AD join, a member prefixed AzureAD\, which is the user who performed it. A SID beginning S-1-12-1 denotes an Azure AD object. Keep in mind that the role-based entries are tenant-wide: adding a user to the Azure AD Joined Device Local Administrator role makes them an administrator on every Azure AD joined device in the tenant, which is why a device-scoped mechanism such as the one described below is usually preferable.
Now, consider a few things:
Intune can be used for endpoint management on both Azure AD joined and on-premises domain-joined devices, as described in this article. Therefore, we can use it in either device state to manage local administrators, or the membership of any other local group. In this article, we'll utilise a Policy CSP node introduced in Windows 10 version 20H2: LocalUsersAndGroups.
LocalUsersAndGroups supersedes another Policy CSP node, RestrictedGroups, as the recommended way of configuring local groups. The new approach supports a selective "add or remove" of individual members, whereas the legacy approach always replaced the full membership of the group. Do not target the same device with both policies; Microsoft does not support combining them, and the result of doing so is unpredictable.
Control of LocalUsersAndGroups is managed by XML. We'll work with an example that manages the local Administrators group, and in that example, below, you can see there are four parts of the XML to configure: the enclosing GroupConfiguration element; an accessgroup element whose desc attribute names the local group; a group element whose action attribute is either U (update: apply only the listed add and remove operations) or R (replace: make the listed members the complete membership, apart from the built-in Administrator account, which is never removed); and one add or remove element per member.

```xml
<GroupConfiguration>
    <accessgroup desc = "Administrators">
        <group action = "U"/>
        <add member = "AzureAD\gradya@petri.com"/>
        <add member = "S-1-12-1-xxx"/>
        <remove member = "AzureAD\alexw@petri.com"/>
    </accessgroup>
</GroupConfiguration>
```

Members can be referenced by local account name, by AzureAD\ followed by the user's UPN, or by SID. Azure AD groups must be referenced by SID, which you derive from the group's object ID, and on Hybrid Azure AD joined devices SIDs are the reliable choice for Azure AD users too, since the AzureAD\ prefix is resolved against the Azure AD join state of the device.
To apply the XML to a device, create a custom OMA-URI configuration profile in Intune and supply the XML as a string value. The OMA-URI you need to specify is ./Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure (the device-scoped form ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure, used in Microsoft's documentation, is equivalent). After the profile applies, confirm the result on a device by listing the local Administrators group rather than trusting the Intune reporting alone, and check that nothing unexpected remains with administrative rights.
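The following PowerShell is an added example covering both the XML shown above and the custom OMA-URI profile that delivers it; it is not code from the Petri article. It converts an Azure AD object ID to the S-1-12-1 SID form the policy expects, builds the LocalUsersAndGroups XML, produces the JSON body of an Intune custom profile for the Graph API, and checks the resulting local Administrators membership on a device. The object IDs and user names are constructed placeholders, and the Graph schema (windows10CustomConfiguration with an omaSettingString) is an assumption to verify against the current API documentation.

```powershell
#Requires -Version 5.1
# Added example, not from the original article. Assumes the Graph schema noted below.

function ConvertTo-AzureAdSid {
    # An Azure AD SID is S-1-12-1 followed by the object ID's four 32-bit parts,
    # read little-endian from the GUID's byte array (the same layout Windows uses).
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    return 'S-1-12-1-' + ($parts -join '-')
}

function New-LocalGroupConfigurationXml {
    # Action 'U' applies only the listed add/remove entries; 'R' replaces the whole membership.
    param(
        [string]$GroupName = 'Administrators',
        [ValidateSet('U', 'R')][string]$Action = 'U',
        [string[]]$Add = @(),
        [string[]]$Remove = @()
    )
    $esc = { param($s) [System.Security.SecurityElement]::Escape($s) }   # XML-escape member names
    $lines = @(
        '<GroupConfiguration>',
        "  <accessgroup desc = `"$(& $esc $GroupName)`">",
        "    <group action = `"$Action`"/>"
    )
    foreach ($m in $Add)    { $lines += "    <add member = `"$(& $esc $m)`"/>" }
    foreach ($m in $Remove) { $lines += "    <remove member = `"$(& $esc $m)`"/>" }
    $lines += '  </accessgroup>', '</GroupConfiguration>'
    return ($lines -join "`n")
}

function New-IntuneCustomProfileBody {
    # Builds the request body for POST /deviceManagement/deviceConfigurations.
    # Schema assumed: windows10CustomConfiguration carrying one omaSettingString.
    param([Parameter(Mandatory)][string]$DisplayName, [Parameter(Mandatory)][string]$Xml)
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        omaSettings   = @(@{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'LocalUsersAndGroups'
            omaUri        = './Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure'
            value         = $Xml
        })
    }
    return ($body | ConvertTo-Json -Depth 5)
}

function Test-LocalAdministrators {
    # Run on the device after the policy has applied. Returns any member of the local
    # Administrators group whose SID is not in the expected set, so an empty result is good.
    param([Parameter(Mandatory)][string[]]$ExpectedSids)
    $members = Get-LocalGroupMember -Group 'Administrators'
    return $members | Where-Object { $_.SID.Value -notin $ExpectedSids }
}

# --- Constructed sample input (placeholder object IDs, not real tenant objects) ---
$helpdeskGroupObjectId = '12345678-1234-1234-1234-123456789abc'
$helpdeskGroupSid = ConvertTo-AzureAdSid -ObjectId $helpdeskGroupObjectId

# Azure AD groups must be referenced by SID; users may use the AzureAD\UPN form on AADJ devices.
$xml = New-LocalGroupConfigurationXml -Action 'U' `
    -Add    @('AzureAD\gradya@petri.com', $helpdeskGroupSid) `
    -Remove @('AzureAD\alexw@petri.com')
$xml

$json = New-IntuneCustomProfileBody -DisplayName 'Local Administrators (LocalUsersAndGroups)' -Xml $xml
$json
# To create the profile with the Microsoft Graph PowerShell SDK (requires an authenticated session
# with DeviceManagementConfiguration.ReadWrite.All):
# Invoke-MgGraphRequest -Method POST -Body $json -ContentType 'application/json' `
#     -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'

# On a device, after the policy applies: the well-known local Administrator SID ends in -500,
# the Azure AD role SIDs start S-1-12-1; add the SIDs your XML intentionally grants.
# $builtin = (Get-LocalUser -Name 'Administrator').SID.Value
# Test-LocalAdministrators -ExpectedSids @($builtin, $helpdeskGroupSid)
```

Two practical notes. First, keep action U for routine changes; action R is the right tool only when you deliberately want to strip every member you did not list, including the join user and the Azure AD role SIDs. Second, on some builds Get-LocalGroupMember fails with an array-comparison error when the group contains Azure AD SIDs it cannot resolve; if you hit that, `net localgroup Administrators` still lists the membership and can be parsed instead.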