Managing Local Admins with Intune Azure AD Join devices

This blog applies to Azure AD join scenarios.

In many organisations there is a requirement to restrict local administrator permissions for regular users on workstations. In the cloud world this is achieved via Autopilot profiles configured in Intune or the Store for Business:

Configuring this setting means regular users do not get local admin permissions and are set up as standard accounts, which satisfies the requirement.

Your next aim may be to give your IT support team admin permissions for troubleshooting and management purposes. Global Administrators are automatically local administrators; however, if you follow best practice you're likely to have only a very limited number of global admins. For non-global admins the process is fairly straightforward: from the Azure Active Directory snap-in select Devices, then Device Settings, and from there you can choose individuals as local administrators.

Adding users here grants the account local admin permissions on the device; be mindful that the user must sign in with their User Principal Name (UPN) when using elevated rights. Further details can be found here: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

A limitation of this method is that the scope cannot be targeted: once a user is granted the device administrator role they are local administrators across all Azure AD joined devices. So what about Barry in the development team, who may require local administrator rights to manage workstations within his team but not across the organisation as a whole? In the old world you could simply use Group Policy to manage local admins via Restricted Groups and choose your scope. A similar method is not available in Intune, so the answer lies with PowerShell scripts. Via the Intune management extension you can push a PowerShell script such as the following:

# Add each administrative account (AzureAD\<UPN> format) to the local Administrators group
"net localgroup administrators AzureAD\barryadmin@contoso.com /add > nul 2> nul" | cmd
"net localgroup administrators AzureAD\daveadmin@contoso.com /add > nul 2> nul" | cmd

Note I am using the net localgroup command due to receiving "CommandNotFoundException" errors in the IntuneManagementExtension.log (C:\ProgramData\Microsoft\IntuneManagementExtension\Logs) when using the Add-LocalGroupMember PowerShell cmdlet. The "> nul 2> nul" part is a cmd redirection (not a cmdlet) that suppresses any errors or warnings you might otherwise receive, such as the account already being a member of the group. Piping the string to cmd (| cmd) tells PowerShell to launch cmd.exe, which reads the command from its standard input, runs it and exits once complete.

You can then use assignments to target the script at a user or device collection of your choice, ensuring that only the devices you target will allow Barry to use elevated permissions.
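The two-line script above discards every error with "> nul 2> nul", so a failed addition looks identical to a successful one in the Intune Management Extension log. The script below is an added example, not the post's own code, showing the same net localgroup approach with the error stream captured instead of discarded: it treats "already a member" as success, fails the script (non-zero exit code, which Intune reports as a failed script run) for any other error, and writes a local log line per account so additions to the Administrators group can be audited later. The account names and the log path under C:\ProgramData are constructed placeholders. It assumes the script runs in the system context (the Intune Management Extension default), which net localgroup needs in order to modify group membership.

```powershell
# Added example (not the original post's script): add a list of Azure AD accounts to the
# local Administrators group via net.exe, keep the error output, log each outcome and
# return a non-zero exit code if any addition genuinely failed.

# Constructed placeholder accounts: replace with the UPNs of your dedicated admin accounts.
$AdminAccounts = @(
    'AzureAD\barryadmin@contoso.com',
    'AzureAD\daveadmin@contoso.com'
)

# Assumed log location (constructed for this example).
$LogFile = "$env:ProgramData\LocalAdminScript\LocalAdmins.log"
New-Item -ItemType Directory -Path (Split-Path -Path $LogFile) -Force | Out-Null

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

function Add-LocalAdministrator {
    param([string]$Account)

    # 2>&1 merges net.exe's error stream into $output so the message can be inspected,
    # unlike "> nul 2> nul", which throws it away.
    $output = & net.exe localgroup administrators $Account /add 2>&1
    $text   = ($output | ForEach-Object { $_.ToString() }) -join ' '

    if ($LASTEXITCODE -eq 0) {
        Write-Log "Added: $Account"
        return $true
    }
    if ($text -match 'already a member') {
        # Re-running the script on an already-configured device is not a failure.
        Write-Log "Already a member: $Account"
        return $true
    }
    Write-Log "FAILED to add $Account (exit code $LASTEXITCODE): $text"
    return $false
}

$failed = 0
foreach ($account in $AdminAccounts) {
    if (-not (Add-LocalAdministrator -Account $account)) { $failed++ }
}

# Intune marks the script run as failed on a non-zero exit code, which makes a broken
# addition visible in the portal instead of silently succeeding.
if ($failed -gt 0) { exit 1 } else { exit 0 }
```

Because net.exe reports success when the account is newly added and a distinct "already a member" message when it is not, the script is safe to run repeatedly without parsing the current membership list. If you later standardise on the Add-LocalGroupMember cmdlet instead of net.exe, note that the Microsoft.PowerShell.LocalAccounts module is only available in 64-bit PowerShell on 64-bit Windows, so the Intune script setting to run in the 64-bit PowerShell host needs to be enabled for it to be found.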

Remember, it is best practice to use separate accounts, used solely for administrative tasks, rather than elevating regular accounts.
