www.petervanderwoude.nl Open in urlscan Pro
2001:678:76c:3760::31 Public Scan

Back to summary

URL:
https://www.petervanderwoude.nl/post/even-easier-managing-local-administrators/
Submission: On February 23 via api (February 23rd 2023, 7:54:16 pm UTC) from DE — Scanned from NL

Form analysis
5 forms found in the DOM

GET https://www.petervanderwoude.nl/

<form method="get" class="search-form navigation-search" action="https://www.petervanderwoude.nl/">
  <input type="search" class="search-field" value="" name="s" title="Search">
</form>

POST https://www.petervanderwoude.nl/wordpress/wp-comments-post.php

<form action="https://www.petervanderwoude.nl/wordpress/wp-comments-post.php" method="post" id="commentform" class="comment-form" novalidate="">
  <p class="comment-form-comment"><label for="comment" class="screen-reader-text">Comment</label><textarea id="comment" name="comment" cols="45" rows="8" required=""></textarea></p><label for="author" class="screen-reader-text">Name</label><input
    placeholder="Name *" id="author" name="author" type="text" value="" size="30" required="">
  <label for="email" class="screen-reader-text">Email</label><input placeholder="Email *" id="email" name="email" type="email" value="" size="30" required="">
  <label for="url" class="screen-reader-text">Website</label><input placeholder="Website" id="url" name="url" type="url" value="" size="30">
  <p class="comment-subscription-form"><input type="checkbox" name="subscribe_comments" id="subscribe_comments" value="subscribe" style="width: auto; -moz-appearance: checkbox; -webkit-appearance: checkbox;"> <label class="subscribe-label"
      id="subscribe-label" for="subscribe_comments">Notify me of follow-up comments by email.</label></p>
  <p class="comment-subscription-form"><input type="checkbox" name="subscribe_blog" id="subscribe_blog" value="subscribe" style="width: auto; -moz-appearance: checkbox; -webkit-appearance: checkbox;"> <label class="subscribe-label"
      id="subscribe-blog-label" for="subscribe_blog">Notify me of new posts by email.</label></p>
  <p class="form-submit"><input name="submit" type="submit" id="submit" class="submit" value="Post Comment"> <input type="hidden" name="comment_post_ID" value="16063" id="comment_post_ID">
    <input type="hidden" name="comment_parent" id="comment_parent" value="0">
  </p>
  <p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="8019cd5c48"></p>
  <p style="display: none !important;"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js" value="1677182050553">
    <script>
      document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
    </script>
  </p>
</form>

POST #

<form action="#" method="post" accept-charset="utf-8" id="subscribe-blog-blog_subscription-3" data-blog="104754288" data-post_access_level="everybody">
  <div id="subscribe-text">
    <p>Provide your email address to subscribe to updates on this blog.</p>
  </div>
  <p id="subscribe-email">
    <label id="jetpack-subscribe-label" class="screen-reader-text" for="subscribe-field-blog_subscription-3"> Email address </label>
    <input type="email" name="email" required="required" value="" id="subscribe-field-blog_subscription-3" placeholder="Email address">
  </p>
  <p id="subscribe-submit">
    <input type="hidden" name="action" value="subscribe">
    <input type="hidden" name="source" value="https://www.petervanderwoude.nl/post/even-easier-managing-local-administrators/">
    <input type="hidden" name="sub-type" value="widget">
    <input type="hidden" name="redirect_fragment" value="subscribe-blog-blog_subscription-3">
    <button type="submit" class="wp-block-button__link" name="jetpack_subscriptions_widget"> Subscribe </button>
  </p>
</form>

<form id="jp-carousel-comment-form">
  <label for="jp-carousel-comment-form-comment-field" class="screen-reader-text">Write a Comment...</label>
  <textarea name="comment" class="jp-carousel-comment-form-field jp-carousel-comment-form-textarea" id="jp-carousel-comment-form-comment-field" placeholder="Write a Comment..."></textarea>
  <div id="jp-carousel-comment-form-submit-and-info-wrapper">
    <div id="jp-carousel-comment-form-commenting-as">
      <fieldset>
        <label for="jp-carousel-comment-form-email-field">Email (Required)</label>
        <input type="text" name="email" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-email-field">
      </fieldset>
      <fieldset>
        <label for="jp-carousel-comment-form-author-field">Name (Required)</label>
        <input type="text" name="author" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-author-field">
      </fieldset>
      <fieldset>
        <label for="jp-carousel-comment-form-url-field">Website</label>
        <input type="text" name="url" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-url-field">
      </fieldset>
    </div>
    <input type="submit" name="submit" class="jp-carousel-comment-form-button" id="jp-carousel-comment-form-button-submit" value="Post Comment">
  </div>
</form>

POST

<form method="post">
  <input type="submit" value="Close and accept" class="accept">
</form>

Text Content

All about Microsoft Endpoint Manager

Peter blogs about Configuration Manager, Microsoft Intune and more

Menu
* Home
* Scripts
* Archive
* Contact
* About
*
*
*
*
*

EVEN EASIER MANAGING LOCAL ADMINISTRATORS

February 7, 2022February 7, 2022 by Peter van der Woude

This week is back in the Windows platform. This week is another time about
managing local administrators on Windows 10 devices and later. That subject has
been discussed multiple times before – either by using custom device
configuration profiles or by using proactive remediations – and this time it’s
about a new configuration option within Microsoft Intune that provides a
friendly configuration experience for the IT administrator around the custom
device configuration profile option. That configuration relies on the
LocalUsersAndGroups policy that is available with Windows 10 20H2 or later, or
Windows 11. This blog post will provide an introduction to a new profile type
and will show how to use that new profile type to easily manage local
administrators. This blog post will end by showing the configuration results.

Important: This post relies on preview functionality and requires Windows 10
20H2 or later, or Windows 11.

INTRODUCING LOCAL USER GROUP MEMBERSHIP PROFILE

With the latest service release of Microsoft Intune (2201), a new profile for
account protection policies is introduced. That profile is the Local user group
membership profile and can be used to manage the memberships of built-in local
groups on Windows 10 and later devices. Basically, that profile is a friendly
user interface (UI) around the LocalUsersAndGroups policy. That policy was
introduced with Windows 10 20H2 and later and enables the IT administrator to
configure the membership of built-in local groups, as shown in this post about
managing local administrators. The UI does limit the configuration options a
little bit, but does provide the most common configuration options. The
following options are available (as shown below in Figure 1):

Figure 1: Available configuration options
* Local group: This drop-down enables the IT administrator to select one or
more groups that will be configured with the same configuration line. At this
moment the following groups are available for configuration: Administrators,
Users, Guests, Power Users, Remote Desktop Users and Remote Management Users.
* Group and user action: This drop-down enables the IT administrator to select
the action that will be applied to the selected groups. At this moment the
following actions are available for configuration: Add (Update) to add
members to the selected group, Remove (Update) to remove members from the
selected group and Add (Replace) to replace the members of the selected
group.
* User selection type: This drop-down enables the IT administrator to select
how to add users and groups to the selected groups. At this moment the
following options are available: Users/Groups to select the users and groups
that are available from Azure AD and Manual to manually specify users and
groups that are available from Azure AD by specifying username,
domain\username, or the groups security identifier (SID).
* Selected users/groups: This selection enables the IT administrator to select,
or specify, the users and groups that should be added to the selected groups.
Depending on the previous choice, one of the following options is available:
Select users/groups to select the users and groups that are available from
Azure AD, or Add user(s) to manually specify users and groups that are
available from Azure AD.

Important: As the local group membership profile relies on the
LocalUsersAndGroups policy, only a single policy (XML) can be applied to a
device. Multiple policies with result in a conflict.

Note: The Users user selection type is only supported for Azure AD joined
devices and the Manual user selection type is supported for Azure AD joined
devices and hybrid Azure AD joined devices.

CONFIGURING LOCAL USER GROUP MEMBERSHIP PROFILE

The local user group membership profile can be used to configure the membership
of the built-in local administrators group. And the configuration steps are
actually pretty straight forward. The following eight steps walk through the
process of adding an additional user and group to the built-in local
administrators group by simply selecting the required options.

1. Open the Microsoft Endpoint Manager admin center portal navigate to Endpoint
security > Account protection
2. On the Endpoint security | Account protection blade, click Create Policy
3. On the Create a profile page, provide the following information and
click Create

* Platform: Select Windows 10 and later as value
* Profile: Select Local user group membership as value

4. On the Basics page, provide a valid name for the local user group membership
profile and click Next
5. On the Configuration settings page, as shown below in Figure 2, provide the
following information and click Next

Figure 2: Configuration overview for local administrators
* Local group: Select Administrators to configure the membership of the
administrators group
* Group and user action: Select Add (Update) to update the membership of the
administrators group
* User selection type: Select Users/Groups to enable the easy selection of the
new members
* Selected users/groups: Click Select users/groups to open an additional blade
to easily select the required new users and/or groups that should be member
of the administrators group

6. On the Scope tags page, configure the required scope tags and click Next
7. On the Assignments page, add the required user/device group and click Next
8. On the Review + create page, review the configuration and click Create

Note: Optionally use a filter to make sure to only target this new profile to
the minimal required Windows versions.

EXPERIENCING THE CONFIGURATION RESULT

Once the local user group membership profile has been applied, it’s time to have
a look at the configuration results. The easiest method to experience the
results of that configuration, is by having a look in the Event Viewer and
comparing that information with the members of the local administrators group.
The Event Viewer will show the applied configuration and its results (as shown
below on the left in Figure 3). That contains the XML configuration that’s
automatically created by using the new profile. The members of the local
administrators group will show the newly added members (as shown below on the
right in Figure 3).

Figure 3: Experiencing the configuration result

Important: At the moment of writing, there are still issues with using this new
profile on non-English Windows devices. For the latest status of that, keep an
eye on this Microsoft blog post.

Note: The other members of the local administrators group are the built-in
administrator, the primary user and the SIDs that are representing the Global
administrator role and the Device administrator role.

MORE INFORMATION

For more information about managing local administrators on Windows devices,
refer to the following docs.

* Policy CSP – LocalUsersAndGroups – Windows Client Management | Microsoft Docs
* Manage account protection settings with endpoint security policies in
Microsoft Intune | Microsoft Docs
* How to manage local administrators on Azure AD joined devices | Microsoft
Docs

SHARE THIS:

* Click to share on Twitter (Opens in new window)
* Click to share on Facebook (Opens in new window)
* Click to share on LinkedIn (Opens in new window)
* Click to share on Reddit (Opens in new window)
*

MANAGING LOCAL ADMINISTRATORS VIA WINDOWS 10 MDM

This week is all about managing local administrators via Windows 10 MDM by using
restricted groups. There has been many requests for a post like this after I
wrote this post about creating local user accounts. And I have to admit that
this post has been on my backlog for…

March 30, 2020

In "MDM"

EASIER MANAGING LOCAL ADMINISTRATORS VIA WINDOWS 10 MDM ON WINDOWS 10 20H2 AND
LATER

This week back to the Windows platform. This week is again about managing local
administrators on Windows 10 devices. Even in a modern world, there can still be
a need for managing the local administrators on a Windows 10 devices and often
that still requires more flexibility than provided with…

December 14, 2020

In "MDM"

MANAGING LOCAL POLICIES SECURITY OPTIONS FOR ACCOUNTS VIA WINDOWS 10 MDM

This blog post uses the LocalPoliciesSecurityOptions area of the Policy
configuration service provider (CSP) to manage local policies security options
on Windows 10 devices. This area was added in Windows 10, version 1709, which is
currently available as Insider Preview build. This week a blog post about
managing local policies…

September 11, 2017

In "ConfigMgr"

Categories Local user group membership policy, MDM, Microsoft Endpoint Manager,
Microsoft Intune, Windows 10, Windows 11 Tags Local user group membership
profile, MDM, Microsoft Endpoint Manager, Microsoft Intune, Windows 10, Windows
11
Retiring non-compliant devices with Azure Logic Apps and Adaptive Cards for
Teams
Getting started with the Windows Update for Business deployment service

24 THOUGHTS ON “EVEN EASIER MANAGING LOCAL ADMINISTRATORS”

1. Marcin
February 8, 2022 at 00:10

Hi Peter,
as always great article. Have you got during the test an issue with
assigning the group to any role?

On one of my test tenants, I try to assign the group to local
administrators and get error: “Please review policy.” and under the group
information “The field for Selected user(s) is required. “. I test the
scenario where I have only Intune role without any additional roles like
GA, Security Admin etc. It’s like the wizard doesn’t select the group what
I want to add

Reply
* Peter van der Woude
February 14, 2022 at 21:19

Hi Marcin,
I personally didn’t have that issue, but I’ve read on the article
mentioned earlier that others are seeing that issue.
Regards, Peter

2. Gerry Murphy
February 8, 2022 at 13:34

Peter,

Great article with super detail, does this have the same effect as using
Device Settings ‘manage additional local administrators’ but with more
granular control and should I disable the Device Settings config after
applying this policy.

Thanks – Gerry

Reply
* Peter van der Woude
February 14, 2022 at 21:23

Hi Gerry,
That setting basically configures device administrators role that applies
to all devices. This configuration can be a bit more granular, and can
also configure more than just administrators.
Regards, Peter

3. Ricoooo
February 14, 2022 at 13:19

Dear Peter,

Thanks for this create article. But its not working when you select a group
in step 5 Selected users/groups.
When i select a group i get the following message:
Please review policy. The field for Selected user(s) is required.

If i only add some users than its works.

Could you let me know if this i not working yet?

Thank you.

Greetings,
Rico

Reply
* Peter van der Woude
February 14, 2022 at 21:37

Hi Ricoooo,
See my earlier comment. Haven’t seen it myself, but I’ve read it on the
earlier mentioned article.
Regards, Peter

4. Marcel Moerings
February 25, 2022 at 13:02

If you want the user to only be member of the local administrators group on
their own device (so not on any other device that gets the policy) how
would you do that? With a classic GPO we added the account INTERACTIVE to
the Administrators group. Is that still an option for Intune Manage devices
(no Hybrid Join, just a Azure AD join)?

Reply
* Peter van der Woude
February 28, 2022 at 21:36

Hi Marcel,
That would require some custom scripting. Using the INTERACTIVE user is
not really a solution, as it would apply to every user that is logged
on..
Regards, Peter

5. Userman999
March 16, 2022 at 00:59

Hi Peter, thanks for the great post, very informative! One question, how do
I use this functionality remove the current user from the Administrators
group so they get converted to standard users? I have some systems
configured before we rolled out autopilot that we need to modify. Thanks!

Reply
* Peter van der Woude
March 21, 2022 at 21:02

Hi Userman999,
You could just replace the current members with a new set of members.
Regards, Peter

Reply
* ikki
May 31, 2022 at 14:22

Hi Peter,

I would like to change primary users to standard user and make our IT’s
as local admins/admin to prevent our user to install softwares.

So which option do you have to select, remove (update) or select add
(replace)?

Thanks,

Reply
* Peter van der Woude
June 6, 2022 at 20:27

Hi ikki,
In that case I would probably use Add (Replace), to simply replace
anything that was configured.
Regards, Peter

6. Ido Yavin
March 24, 2022 at 14:23

Hej Peter, thank you for this article. I tried it but I kept on getting an
error “No mapping between account names and security IDs was done” actually
i got 3 different errors i the log that looks very much like described in
this blog:
https://www.anoopcnair.com/manage-local-admins-using-intune-group-mgmt/

All my devices are registered i only in AAD (no hybrid) and I was trying to
add an AAD group to the local administrators group.
I think that the reason for the error was because I am using a ‘Danish
talking’ system… ‘Administrators’ are called ‘administratorer’ in danish… I
tried therefor to use the OMA-URI version (thank you for that article as
well! ) where I used the SID of the administrators group instead, and it
worked. I think though that there has been a little error in your article:
https://www.petervanderwoude.nl/post/easier-managing-local-administrators-via-windows-10-mdm-on-windows-10-20h2-and-later/
You mentioned the string:
./Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure and it didn’t
work for me. Kept getting errors. I changed it to:
./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure – and i
worked.

Besides, when i tried to use the policy described here (under account
protection). I got other problems when i tried to add the groups. kept on
getting errors in the graphic interface… I think this policy is not working
as i should… Something is wrong with it I am afraid..

best regards, Ido Yavin

Reply
* Peter van der Woude
March 28, 2022 at 20:34

Thank you for the information Ido. It’s indeed correct that some methods
don’t handle different languages that well yet..
Regards, Peter

7. Kevin Bishop
April 8, 2022 at 22:46

Any reason the groups populate as the SID and not the resolved name. Mine
is applying the policy, the SID shows up, but it still seems like it didn’t
give that group admin rights. I’m still troubleshooting but was wondering
if you had thoughts.

Reply
* Peter van der Woude
April 11, 2022 at 20:18

Hi Kevin,
The permissions are not immediately applicable in all scenarios. For
example a user that is already logged on, and is added to the group,
won’t immediately recieve local admin permissions.
Regards, Peter

8. Teun
April 13, 2022 at 15:53

Is the issue with non-english devices already resolved?

Reply
* Peter van der Woude
April 18, 2022 at 20:31

Hi Teun,
I haven’t recently tried that. What are your latest results?
Regards, Peter

9. Thomas
June 10, 2022 at 03:46

Hey Peter,

Does the policy update after it’s applied? For instance, we would like to
use a Azure group to allow LocalAdmin access temporarily, then removing the
users when they no longer need access. (Not elegant, certainly, but for
lack of a better solution, that’s what we have.) Would the endpoint policy
update on the next check-in and remove their permissions?

Reply
* Peter van der Woude
June 13, 2022 at 20:16

Hi Thomas,
My experience with using an Azure AD group is very wonky. This policy
will only configure the Azure AD group as a member of the local
administrators. An update of that policy will not help with the
permissions of the users of that group.
Regards, Peter

10. Antonio
September 10, 2022 at 04:48

Hello everyone,

I’ve set my policy to Remove the user who joined the device in Azure AD
from the admin group so that they don’t have local admin permissions and in
Intune I see the policy status as OK, even when I go to view the admin
group in my devices, I no longer see the user I deleted with my policy,
i.e. the user who enrolled the device should no longer have local admin
permissions, is that correct? However, it still has the permissions and
they are only changed when I log out or restart the device. Is this normal
behavior? Will it only work after reboot or logout?

Reply
* Peter van der Woude
September 12, 2022 at 22:04

Hi Antonio,
There indeed might be a delay in the permissions getting effective.
Regards, Peter

11. Richmond
November 21, 2022 at 11:42

Does this settings take precedence if I am on Azure Hybrid Join and my MDM
is WorkSpace ONE? We are having issue removing administrator with WS1 and
want to remove users who are local admin on their machines at the moment?

Will this sold our problem?

Reply
* Peter van der Woude
November 21, 2022 at 21:27

Hi Richmond,
That’s hard for me to judge, as I don’t know much about WS1. I do know
that this setting is based on a CSP, which means that you can also
address that by using another MDM (like WS1). Besides that, I can also
imagine that an on-premise GPO would overwrite that information.
Regards, Peter

www.petervanderwoude.nl Open in urlscan Pro 2001:678:76c:3760::31 Public Scan