Even easier managing local administrators

This week it's back to the Windows platform, and once more about managing local administrators on Windows 10 and later devices. That subject has been discussed multiple times before, either by using custom device configuration profiles or by using proactive remediations, and this time it's about a new configuration option within Microsoft Intune that provides a friendly configuration experience for the IT administrator around the custom device configuration profile option. That configuration relies on the LocalUsersAndGroups policy that is available with Windows 10 20H2 or later, or Windows 11. This blog post will provide an introduction to the new profile type and will show how to use it to easily manage local administrators. The post will end by showing the configuration results.

Important: This post relies on preview functionality and requires Windows 10 20H2 or later, or Windows 11.

Introducing local user group membership profile

With the latest service release of Microsoft Intune (2201), a new profile for account protection policies is introduced. That profile is the Local user group membership profile and can be used to manage the memberships of built-in local groups on Windows 10 and later devices. Basically, that profile is a friendly user interface (UI) around the LocalUsersAndGroups policy. That policy was introduced with Windows 10 20H2 and enables the IT administrator to configure the membership of built-in local groups, as shown in this post about managing local administrators. The UI limits the configuration options a little bit, but does provide the most common ones. The following options are available (as shown below in Figure 1):

  • Local group: This drop-down enables the IT administrator to select one or more groups that will be configured with the same configuration line. At this moment the following groups are available for configuration: Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users.
  • Group and user action: This drop-down enables the IT administrator to select the action that will be applied to the selected groups. At this moment the following actions are available for configuration: Add (Update) to add members to the selected group, Remove (Update) to remove members from the selected group and Add (Replace) to replace the members of the selected group.
  • User selection type: This drop-down enables the IT administrator to select how to add users and groups to the selected groups. At this moment the following options are available: Users/Groups to select the users and groups that are available from Azure AD, and Manual to manually specify users and groups that are available from Azure AD by specifying the username, domain\username, or the group's security identifier (SID).
  • Selected users/groups: This selection enables the IT administrator to select, or specify, the users and groups that should be added to the selected groups. Depending on the previous choice, one of the following options is available: Select users/groups to select the users and groups that are available from Azure AD, or Add user(s) to manually specify users and groups that are available from Azure AD.

Important: As the local user group membership profile relies on the LocalUsersAndGroups policy, only a single policy (XML) can be applied to a device. Multiple policies will result in a conflict, so all group membership changes for a device, for any of the supported groups, should be combined in one profile.

Note: The Users/Groups user selection type is only supported for Azure AD joined devices; the Manual user selection type is supported for both Azure AD joined devices and hybrid Azure AD joined devices.

Configuring local user group membership profile

The local user group membership profile can be used to configure the membership of the built-in local administrators group, and the configuration steps are actually pretty straightforward. The following eight steps walk through the process of adding an additional user and group to the built-in local administrators group by simply selecting the required options.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Account protection
  2. On the Endpoint security | Account protection blade, click Create Policy
  3. On the Create a profile page, provide the following information and click Create
  • Platform: Select Windows 10 and later as value
  • Profile: Select Local user group membership as value
  4. On the Basics page, provide a valid name for the local user group membership profile and click Next
  5. On the Configuration settings page, as shown below in Figure 2, provide the following information and click Next
  • Local group: Select Administrators to configure the membership of the administrators group
  • Group and user action: Select Add (Update) to update the membership of the administrators group
  • User selection type: Select Users/Groups to enable the easy selection of the new members
  • Selected users/groups: Click Select users/groups to open an additional blade to easily select the required new users and/or groups that should be member of the administrators group
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, add the required user/device group and click Next
  8. On the Review + create page, review the configuration and click Create

Note: Optionally use a filter to make sure to only target this new profile to the minimal required Windows versions.
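The profile options described earlier, and the configuration created in the eight steps above, end up on the device as a LocalUsersAndGroups/Configure XML document. The following PowerShell function is added here as an example; it is not part of the original post, of Intune, or of Microsoft's tooling. It builds that XML from the same three choices the UI offers (local group(s), action, members), so the UI options can be related to the policy format. The element names and the "U" (update) and "R" (replace) action codes are taken from the Policy CSP documentation for LocalUsersAndGroups; the user name, the Azure AD group SID and the name New-LocalUsersAndGroupsXml are constructed placeholders.

```powershell
# Added example (not from the original post or from Microsoft): builds a
# LocalUsersAndGroups/Configure XML document from the same choices the
# Local user group membership profile offers in the UI. Element names and the
# "U" (update) / "R" (replace) action codes follow the Policy CSP documentation;
# the member values used below are constructed placeholders.

function New-LocalUsersAndGroupsXml {
    param(
        # One hashtable per UI configuration line:
        #   Groups  = one or more local groups (name or SID, e.g. 'S-1-5-32-544')
        #   Action  = 'Add (Update)', 'Remove (Update)' or 'Add (Replace)'
        #   Members = 'AzureAD\user@domain', 'DOMAIN\user' or an Azure AD group SID
        [Parameter(Mandatory)] [hashtable[]] $Lines
    )
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<GroupConfiguration>')
    foreach ($line in $Lines) {
        # Add (Update) and Remove (Update) keep the existing members (action "U");
        # Add (Replace) replaces the whole membership (action "R").
        $action = if ($line.Action -eq 'Add (Replace)') { 'R' } else { 'U' }
        $verb   = if ($line.Action -eq 'Remove (Update)') { 'remove' } else { 'add' }
        foreach ($group in $line.Groups) {
            [void]$sb.AppendLine(('  <accessgroup desc="{0}">' -f $group))
            [void]$sb.AppendLine(('    <group action="{0}" />' -f $action))
            foreach ($member in $line.Members) {
                [void]$sb.AppendLine(('    <{0} member="{1}" />' -f $verb, $member))
            }
            [void]$sb.AppendLine('  </accessgroup>')
        }
    }
    [void]$sb.AppendLine('</GroupConfiguration>')
    $sb.ToString()
}

# The configuration from the eight steps above: add one Azure AD user and one
# Azure AD group (by SID) to the built-in Administrators group without touching
# the existing members. Both member values are placeholders. Azure AD groups have
# to be specified by SID, and using the well-known SID S-1-5-32-544 instead of the
# name 'Administrators' keeps the document valid on non-English Windows as well.
$lines = @(
    @{
        Groups  = @('S-1-5-32-544')
        Action  = 'Add (Update)'
        Members = @('AzureAD\helpdesk@contoso.com',
                    'S-1-12-1-1111111111-2222222222-3333333333-4444444444')
    }
)
$xml = New-LocalUsersAndGroupsXml -Lines $lines

# Sanity check: the output must be well-formed XML before it is used, for example
# in a custom OMA-URI setting (./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure).
[xml]$parsed = $xml
'Groups configured: {0}' -f @($parsed.GroupConfiguration.accessgroup).Count
$xml
```

Because only one LocalUsersAndGroups document can apply to a device, every group that needs changing is added as another entry in $Lines rather than as a second document; an Add (Replace) entry should list every member that has to remain, since action "R" removes everything that is not listed.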

Experiencing the configuration result

Once the local user group membership profile has been applied, it’s time to have a look at the configuration results. The easiest method to experience the results of that configuration, is by having a look in the Event Viewer and comparing that information with the members of the local administrators group. The Event Viewer will show the applied configuration and its results (as shown below on the left in Figure 3). That contains the XML configuration that’s automatically created by using the new profile. The members of the local administrators group will show the newly added members (as shown below on the right in Figure 3).

Important: At the moment of writing, there are still issues with using this new profile on non-English Windows devices. For the latest status of that, keep an eye on this Microsoft blog post.

Note: The other members of the local administrators group are the built-in administrator, the primary user and the SIDs that are representing the Global administrator role and the Device administrator role.
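To check the result on the device without clicking through the Event Viewer by hand, the following PowerShell is added here as an example and is not part of the original post. It reads the MDM diagnostics log for entries about the LocalUsersAndGroups policy and lists the members of the built-in Administrators group. The group is resolved by its well-known SID (S-1-5-32-544) rather than by name, so the script also works on the non-English devices mentioned above, and the members are enumerated through ADSI because Get-LocalGroupMember can fail with error 1332 when a member SID, such as an Azure AD group, cannot be resolved on the device. Run it in an elevated session on the managed device; the function names and the expected SID in the usage call are placeholders.

```powershell
# Added example, not part of the original post: verifies the result of a
# Local user group membership profile on the device itself. Run in an
# elevated PowerShell session on the managed device.

function Get-LocalUsersAndGroupsPolicyEvents {
    # The MDM client writes policy results (including failures) to this log;
    # filtering on the policy name keeps only the LocalUsersAndGroups entries.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -LogName $log -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*LocalUsersAndGroups*' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-LocalAdministratorsMembership {
    # Look the group up by its well-known SID so the localized name
    # ('Administrators', 'Administratorer', ...) does not matter, then
    # enumerate through ADSI: Get-LocalGroupMember can fail with error 1332
    # when a member SID (for example an Azure AD group) cannot be resolved.
    $groupName = (Get-LocalGroup -SID 'S-1-5-32-544').Name
    $group = [ADSI]"WinNT://./$groupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('AdsPath',   'GetProperty', $null, $m, $null)
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0)
        [pscustomobject]@{
            Member = $path -replace '^WinNT://', ''
            SID    = $sid.Value
            # S-1-12-1-* SIDs are Azure AD principals: users, groups and the
            # Global administrator / Device administrator roles mentioned above.
            Source = if ($sid.Value -like 'S-1-12-1-*') { 'AzureAD' } else { 'Local/Domain' }
        }
    }
}

function Test-LocalAdministratorsMembership {
    # Compares the SIDs the profile should have added with what is actually present.
    param([Parameter(Mandatory)] [string[]] $ExpectedSids)
    $actual = @(Get-LocalAdministratorsMembership).SID
    foreach ($sid in $ExpectedSids) {
        [pscustomobject]@{ ExpectedSid = $sid; Present = ($actual -contains $sid) }
    }
}

# Usage: the SID below is a placeholder for the Azure AD group added by the profile.
Get-LocalUsersAndGroupsPolicyEvents | Format-List TimeCreated, LevelDisplayName, Message
Get-LocalAdministratorsMembership | Format-Table -AutoSize
Test-LocalAdministratorsMembership -ExpectedSids 'S-1-12-1-1111111111-2222222222-3333333333-4444444444'
```

An Azure AD group will normally show up as its bare SID rather than a display name, since the device cannot resolve it; that is expected and does not mean the membership failed. A member that was added while the user was already signed in only gets the new group in a fresh logon token, so a sign-out and sign-in is needed before the permissions apply to that session.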

More information

For more information about managing local administrators on Windows devices, refer to the following docs.

16 thoughts on “Even easier managing local administrators”

  1. Hi Peter,
    as always great article. Have you got during the test an issue with assigning the group to any role?

    On one of my test tenants, I try to assign the group to local administrators and get error: “Please review policy.” and under the group information “The field for Selected user(s) is required. “. I test the scenario where I have only Intune role without any additional roles like GA, Security Admin etc. It’s like the wizard doesn’t select the group what I want to add 🙂

    Reply
  2. Peter,

    Great article with super detail, does this have the same effect as using Device Settings ‘manage additional local administrators’ but with more granular control and should I disable the Device Settings config after applying this policy.

    Thanks – Gerry

    Reply
    • Hi Gerry,
      That setting basically configures device administrators role that applies to all devices. This configuration can be a bit more granular, and can also configure more than just administrators.
      Regards, Peter

      Reply
  3. Dear Peter,

    Thanks for this create article. But its not working when you select a group in step 5 Selected users/groups.
    When i select a group i get the following message:
    Please review policy. The field for Selected user(s) is required.

    If i only add some users than its works.

    Could you let me know if this i not working yet?

    Thank you.

    Greetings,
    Rico

    Reply
  4. If you want the user to only be member of the local administrators group on their own device (so not on any other device that gets the policy) how would you do that? With a classic GPO we added the account INTERACTIVE to the Administrators group. Is that still an option for Intune Manage devices (no Hybrid Join, just a Azure AD join)?

    Reply
  5. Hi Peter, thanks for the great post, very informative! One question, how do I use this functionality remove the current user from the Administrators group so they get converted to standard users? I have some systems configured before we rolled out autopilot that we need to modify. Thanks!

    Reply
  6. Hej Peter, thank you for this article. I tried it but I kept on getting an error “No mapping between account names and security IDs was done”. Actually I got 3 different errors in the log that look very much like described in this blog: https://www.anoopcnair.com/manage-local-admins-using-intune-group-mgmt/

    All my devices are registered only in AAD (no hybrid) and I was trying to add an AAD group to the local administrators group.
    I think that the reason for the error was because I am using a ‘Danish talking’ system… ‘Administrators’ are called ‘administratorer’ in Danish… I tried therefore to use the OMA-URI version (thank you for that article as well! 🙂 ) where I used the SID of the administrators group instead, and it worked. I think though that there has been a little error in your article: https://www.petervanderwoude.nl/post/easier-managing-local-administrators-via-windows-10-mdm-on-windows-10-20h2-and-later/
    You mentioned the string: ./Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure and it didn’t work for me. Kept getting errors. I changed it to: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure – and it worked.

    Besides, when I tried to use the policy described here (under account protection), I got other problems when I tried to add the groups. Kept on getting errors in the graphic interface… I think this policy is not working as it should… Something is wrong with it I am afraid.. 🙂

    best regards, Ido Yavin

    Reply
  7. Any reason the groups populate as the SID and not the resolved name. Mine is applying the policy, the SID shows up, but it still seems like it didn’t give that group admin rights. I’m still troubleshooting but was wondering if you had thoughts.

    Reply
    • Hi Kevin,
      The permissions are not immediately applicable in all scenarios. For example a user that is already logged on, and is added to the group, won’t immediately receive local admin permissions.
      Regards, Peter

      Reply
