This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 60%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVB%3C/text%3E%3C/svg%3E)
We have an AAD joined device that was enrolled by a user who left the organization. The device was transfered to a newly hired colleague. Login in to the device with the new user's username and password was easy. No problems there. We were also able to change the device's primary user to the new colleague. The user however can't install software. A popup screen appears saying he or she doesn't have permission. What's the issue here? I read here and there that only the user who enrolled the device is local admin, but it must be possible to change that somewhere, no?
You have Local Admin role in AzureAD, you can assign some users there and they will benefit with local admin rights. It is recommend to have dedicated workstation admins for that job, and not allowing everyone or simple users to having that role.
Thanks for the quick response Pavel. I did already add the user in question to that group, but that didn't fix the issue. Or, perhaps it takes some time for the change to take effect on the devices. I tried again right after I added the user. Will test again this week and see how it goes. I know it's not good practice but for now it's just for testing purposes.
I also added myself and some colleagues of mine to the same group. We're admins doing support for this organization so it should be okay.
What I'm not fully understanding is why this is suddenly an issue. This organization is running on a Microsoft 365 environment with all Azure AD joined devices for a year and a half now. I can't imagine the users have never tried to install software in that period. As a matter of fact, when the devices were enrolled (every device was joined in Azure AD with the user who owned the device at that time) they immediately installed Office and Teams without a problem. So am I right when I conclude that the enrolled user can install software, users in the "Azure AD Joined Device Local Administrator Group" can install software, but not the primary user (if it's not the same as the user listed under "Enrolled by")?
@Vanmassenhove Ben (VNZ) Thanks for posting in our Q&A.
Based on my understanding, not all softwares needs to have admin permission to be installed. This popup screen "doesn't have permission" appears when this software needs to have admin permission.
Given this situation, it is suggested to try to add this new Azure AD user to the local admin group. And then check if this user can install the software successfully.
https://www.anoopcnair.com/manage-local-admins-using-intune-group-mgmt/
Note: Non-Microsoft link, just for the reference.
If there is anything update, feel free to let us know.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks a lot for your response. I have followed the instructions and created a policy that adds some users to the local admin group of all devices. Taken into account my reaction on the answer above (from Pavel) I now have configured two ways to add users to the local admin group. When I hear back from the colleague who reported the problem and we test again I'm not gonna know what is the actual solution, assuming the test is succesful off course. Besides, if it's unsuccesful, is there a way to roll back the Manage Local Administrators Group policy? Probably creating a new policy to delete the users again?
Can I check in computer management if the selected users were in fact added the selected groups?
I just got confirmation from the user that she is now an administrator and can install software. I checked to see if her user was in the local Administrators group (Computer Management > Local Users and Groups), which wasn't the case. Even though the report of the policy I created this morning is showing all devices as succeeded. I now have no clue what that policy actually does and I'm going to assume that adding the user to the group Azure AD Joined Device Local Administrator did solve this issue. Thanks for the help.
@Vanmassenhove Ben (VNZ) You're welcome. If you have any problem in the future, welcome to post in our Q&A forum.
Thanks and have a nice day.