This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 86%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Hello,
I write at once what purpose I pursue. The computer is issued to a user with administrator rights, Autopilot is used. But it is necessary that no one except this user and the administrator be a local administrator, and this user is also not an administrator on other devices.
There are several ways that might work.
First way:
I don`t know how can I get Primary user on Device side, without access to Azure AD.
I can of course calculate by the date the profile was created. If the device is explicitly assigned to the user with autopilot, then he is the first who will enter the system. If he logs in first, I can find out who it is by analize when profile was created wih the same script. But I think it's very difficult.
https://jannikreinhard.com/2021/09/24/how-to-restrict-the-login-to-dedicated-users-with-intune/
Second way:
Third way:
How else can this be implemented?
In fact, only the Primary user should be a local administrator, but there are many devices and for each to make an Account protection policy or local login settings, it's too complicated. There will be many policies, this is not the best option.
Option 1 and 2 look the same ugly.
Thank you.
Hello @Denis Pasternak !
Do you like this :
I bet you do !
GO to this link
https://jannikreinhard.com/2022/11/13/intune-device-inventory-ui/
A great solution i believe fits your case! If you cannot make it work ping for assistance
Remember this solution is custom and not supported by MS! Use it in your own risk !
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Thank you.
But how it can resolve the problem )
I did the script
6.1 The script finds entries in the registry about which user added the device to Intune.
6.2 Script, finds in the registry which SID refers to the name of this user
6.3 Script, adds this SID to the local Administrators group.
As a result, only the user to whom the device was issued will receive administrator rights, any subsequent user will have standard permissions.
And did other one.
Another way
1. Create an application.
The script to execute the request will receive a list of devices and the current owner. Find out its SID and add it to the local administrators group.
This will allows admin to change the local administrator by assigning the owner of the device from Intune admin center.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Denis Pasternak, Thanks for the information, It is very detailed and thanks for the sharing.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 57.00000000000001%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
Really interesting approach! Would you mind sharing your script? Thanks
Hello
What i can think of
Create Local Device Administrators
Create Scope Tags ( Now this is kind of overkill , cause the way you describe it you need one group for each User...)
https://learn.microsoft.com/en-us/mem/intune/fundamentals/scope-tags
Narrow down Intune Policy with Scope Tags
Another possible way is to use filters
https://learn.microsoft.com/en-us/mem/intune/fundamentals/filters
ALSO i found this
https://www.anoopcnair.com/manage-local-admins-using-intune-group-mgmt/
Maybe this is more close to your issue ?
Tell me what you think of this , and whether any of these fits your scenario!
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Thanks, but I wrote a solution and it has been working for a long time :)
@Denis Pasternak, Thanks for posting in Q&A. Based as I know, when we assign Autopilot profile and configure the "User account type" as Administrator. The user who enrolls the device will be added into Local Administrators group. So you can ask the primary user you want to login the device during the enrollment. After the enrollment finished, other Azure AD user login will only be a standard user on the device.
https://learn.microsoft.com/en-us/mem/autopilot/profiles
Meanwhile, for Azure AD joined device, Global Administrator will be added into the local administrators as well by default.
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I did the script
6.1 The script finds entries in the registry about which user added the device to Intune.
6.2 Script, finds in the registry which SID refers to the name of this user
6.3 Script, adds this SID to the local Administrators group.
As a result, only the user to whom the device was issued will receive administrator rights, any subsequent user will have standard permissions.
And did other one.
Another way
1. Create an application.
The script to execute the request will receive a list of devices and the current owner. Find out its SID and add it to the local administrators group.
This will allows admin to change the local administrator by assigning the owner of the device from Intune admin center.
@Mountain Pond Really interesting approach! Would you mind sharing your script? Thanks
Hi, sure.
but I would rework it to use invoke-restmethod instead of loading modules.
Start-Transcript C:\Windows\Temp\intune-manage-local-admins-using-graph-api.log
Set-ExecutionPolicy Bypass -Scope Process -Confirm:$false
Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
Install-Module Microsoft.Graph -Confirm:$false -ErrorAction SilentlyContinue
Import-Module Microsoft.Graph.Identity.DirectoryManagement -Verbose -ErrorAction Stop
$appid = 'AAA'
$tenantid = 'BBB'
$secret = 'CCCC'
$body = @{
Grant_Type = "client_credentials"
Scope = "https://graph.microsoft.com/.default"
Client_Id = $appid
Client_Secret = $secret
}
$connection = Invoke-RestMethod `
-Uri https://login.microsoftonline.com/$tenantid/oauth2/v2.0/token `
-Method POST `
-Body $body `
-UseBasicParsing
$token = $connection.access_token
$targetParameter = (Get-Command Connect-MgGraph).Parameters['AccessToken']
if ($targetParameter.ParameterType -eq [securestring]){
Connect-MgGraph -AccessToken ($token |ConvertTo-SecureString -AsPlainText -Force)
}
else {
Connect-MgGraph -AccessToken $token
}
$AADDeviceIDs = (Get-MgDevice -Search "displayName:$env:COMPUTERNAME" -CountVariable CountVar -ConsistencyLevel eventual | Where-Object {$_.TrustType -eq 'AzureAd'}).Id
Write-Host "DeviceID: $AADDeviceID"
if ($AADDeviceIDs){
$AADDeviceOwners = @()
FOREACH ($AADDeviceID in $AADDeviceIDs){
$AADDeviceOwners += ((Get-MgDeviceRegisteredOwner -DeviceId $AADDeviceID).AdditionalProperties).userPrincipalName
Write-Host "DeviceOWNER: $AADDeviceOwner"
}
$AADDeviceOwners = $AADDeviceOwners | Sort-Object | Get-Unique
if ($AADDeviceOwners){
FOREACH ($AADDeviceOwner in $AADDeviceOwners){
$AADUserID = (Get-MgUser -Search "userPrincipalName:$AADDeviceOwner" -CountVariable CountVar -ConsistencyLevel eventual).Id
Write-Host "DeviceUSERID: $AADUserID"
$bytes = [Guid]::Parse($($AADUserID)).ToByteArray()
$array = New-Object 'UInt32[]' 4
[Buffer]::BlockCopy($bytes, 0, $array, 0, 16)
$sid = "S-1-12-1-$array".Replace(' ', '-')
Write-Host "DeviceUSERSID: $SID"
Get-LocalGroupMember -Name 'Administrators' | Where-Object {$_.PrincipalSource -eq 'AzureAD' -and $_.ObjectClass -eq 'User'} | %{Remove-LocalGroupMember -Name 'Administrators' -Member $_} -Verbose
Add-LocalGroupMember -Name 'Administrators' -Member $SID -Verbose
}
} else {
Write-Error "Device owner is not specified" -ErrorAction Stop
}
} else {
Write-Error "Could not find device by display name." -ErrorAction Stop
}
Disconnect-Graph -Verbose
Stop-Transcript