Creating a Local Admin Account for LAPS to Pull

Ian Meier 15 Reputation points

I've been tinkering with a device deployment that follows the principle of least privilege. I have created a Windows 11 VM that is managed by Intune, Windows Autopilot is deploying the image, and I've also added the LAPS configuration profile. I did define a Local Admin account that LAPS would manage the password for, but when it came time to set up the local administrator account, the method I attempted to do, failed. My original thought was to run a script from Intune to deploy the user name. Examining it, it appears that the permission needed is Local Administrator to run the script.

The script as written is:

New-LocalUser -Name "User Name" -Password (ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force) -Description "Local Administrator Account" | Add-LocalGroupMember -Group "Administrators"

Am I missing anything to run the script properly? Configuration is below:

User's image

Or is there a more straight forward way to insert the local admin for LAPS to manage?

Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,456 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. ZhoumingDuan-MSFT 8,840 Reputation points Microsoft Vendor

    @Siripurapu Sanjeev Kumar, Thanks for posting in Q&A.

    According to your description, I know that the LAPS failed to manage Local admin account’s password.

    Please first check the managed account whether exists on the targeted device, if no, please run the script you mentioned to create the account.

    User's image

    If the account is already existing, then there’s no need to run the script, please check Operation log which locate in Event Viewer > Applications and Services logs > Microsoft > Windows > LAPS on the target device and provide the related error message.

    Thanks for your kind understanding.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Pavel yannara Mirochnitchenko 11,961 Reputation points MVP

    Enable Powershell 64 bit and also test your script manually. I have similar solution, but doing with 2 lines, first create and then add to admin group. Also, deploy the creation script to devices.

  3. Ian Meier 15 Reputation points

    Hi Folks. Sorry for the delay been a little hectic, and didn't have time to test. Reviewing other guides on solving this problem, I had created two custom Configuration profiles. The first, creates the account and an initial password.

    OMA-URI ./Device/Vendor/MSFT/Accounts/Users/%username%/Password

    Data Type: String

    Value: <Your secure password goes here>

    The second, assigns the newly created user to the local administrator group.

    OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/%username%/LocalUserGroup

    Data type: Integer

    Value: 2

    Hope this helps others in struggling with this issue as well.