I found that when I got aggressive and removed all local admins (and what I thought were orphaned SIDs) from a workstation, I broke this function and saw what you see.
To fix:
- On a newly Azure joined PC, get the local admins with this:
    # Collect the AdsPath of every member of the local Administrators group
    $administrators = @(
        ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') |
        % { $_.GetType().InvokeMember('AdsPath','GetProperty',$null,$($_),$null) }
    ) -match '^WinNT';
- then, write-host $administrators to find the SIDs to re-add. If it starts with S-1-12-1, it's an Azure group!
- then, run Add-LocalGroupMember -group "administrators" -member "S-1-12-1-xxxx"
In my case, running via my RMM tool in the System context fixed this.
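
Before re-adding an S-1-12-1 SID from the steps above, it helps to know which directory object it stands for. The following is an added example, not code from the original post: it converts each S-1-12-1 SID to the Azure AD object ID it encodes so the entry can be looked up in the tenant first. The function name `Convert-AadSidToObjectId` is hypothetical and the AdsPath values are constructed samples.

```powershell
# Constructed sample of what $administrators might contain; not from a real machine.
$administrators = @(
    'WinNT://S-1-12-1-1234567890-1234567890-1234567890-1234567890',
    'WinNT://WORKGROUP/PC01/Administrator',
    'WinNT://S-1-5-21-1111111111-2222222222-3333333333-1001'
)

# Hypothetical helper: the four sub-authorities after S-1-12-1 are the
# 16 bytes of the Azure AD object ID, stored as four unsigned 32-bit integers.
function Convert-AadSidToObjectId {
    param([Parameter(Mandatory)][string]$Sid)

    if ($Sid -notmatch '^S-1-12-1(-\d+){4}$') {
        throw "Not an S-1-12-1 SID with four sub-authorities: $Sid"
    }
    # The cast throws if a sub-authority does not fit in 32 bits.
    $parts = [uint32[]]($Sid -replace '^S-1-12-1-', '').Split('-')
    $bytes = New-Object 'byte[]' 16
    [Buffer]::BlockCopy($parts, 0, $bytes, 0, 16)
    return [guid]$bytes
}

# Report only the Azure AD entries; local and domain (S-1-5-21) members are skipped.
$report = foreach ($path in $administrators) {
    $name = $path -replace '^WinNT://', ''
    if ($name -like 'S-1-12-1-*') {
        [pscustomobject]@{
            Sid      = $name
            ObjectId = Convert-AadSidToObjectId -Sid $name
        }
    }
}
$report | Format-Table -AutoSize

# After confirming each ObjectId in the tenant, re-add with the command from the post:
# Add-LocalGroupMember -Group "Administrators" -Member $report[0].Sid
```

The script only reads and reports; the `Add-LocalGroupMember` line stays commented out until each object ID has been confirmed.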