Add AzureAD user to local administrator group

Question

Add AzureAD user to local administrator group

Andreas 1,331

Hi,

I want to add a AzureAD user to local administrator group of the devices that are managed with Intune.
I have been looking at "https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups"
This works, but I have a challenge.

This xml setting here is ok if I use machines that have English setup, but we also have other machines with other language settings, and then the Administrators are not called Administrators.

I can of course figure out which machines have English and not English, and create device groups for this, but this is time consuming. Is there another way to solve this ? I cannot create two OMA-URI in the same profile, but then it will conflict.

Thanks for reply

/R
Andy

Accepted answer

3 additional answers

Your answer

Answer 1

@Andreas , From your description, we find some devices are unable to apply the policy to add the Azure AD user into local administrators group. Because of the display name of administrators group is not the same on the non English devices. Agree with Jason, we can change to use group SID which is unique. For local administrators group, the SID is S-1-5-32-544. We can see more details in the following link:
https://learn.microsoft.com/en-US/troubleshoot/windows-server/identity/security-identifiers-in-windows

We can change the accessgroup value as "<accessgroup desc = "S-1-5-32-544">" to see if it is working.

Hope it can help.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Jason Sandys 31,406 Microsoft Employee Moderator

You should be able to use the well-known SID. See https://www.jeffgilb.com/managing-local-administrators-with-azure-ad-and-intune/ for lots a details including using a SID.

OO 26 Reputation points

2022-06-21T14:45:37.86+00:00

Unfortunately since this thread is more than a week old, it's outdated....

Answer 3

Andreas 1,331

Hi,

Thanks for the answer, but I don`t have any problem adding the users. The problem is the naming of the local Administrator group.
If the language is not English then the xml settings needs to change, because if fails when its looking for Administrators group.

Comments ?

/R
andy

Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2021-03-09T17:25:40.603+00:00

As noted, use the SID and not the name of the group.

Answer 4

Andreas 1,331

Hi,

Thanks guys, the SID for the group made it work.

/R
Andy

Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2021-03-10T08:28:09.553+00:00

@Andreas ,, Thanks for marking our reply as answer. I am glad that the SID for the group make it works. Congratulations! If there's anything else we can help in the future, feel free to post in our Q&A to discuss together.

Thanks for your time and have a nice day!
Edoardo Bruschini 1 Reputation point

2021-11-10T17:52:44.783+00:00

Hi Andy,
i have a similar problem: i can correctly use the SID for the Admin group. However, the issue is when i have to add the required Administrator local account into the Administrators group. This is because the name is different in other languages.

For Example:

Administrator goes in Administrators in English
Administrador goes in Administradores in Spainish

So, i can use the SID for the Admin group, but not for the different local Administrator...that basically forces me still to create different CSP for any language.
How did u solved this?
thanks!

Edo
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2021-11-10T18:40:50.327+00:00

I can't say I've tried this, but why not use the well-known SID for the local admin instead of the localized names?
Edoardo Bruschini 1 Reputation point

2021-11-11T08:28:53.453+00:00

Because unfortunately the sid for the administrator account changes on every device.
there is a fixed part, but the rest is different.
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2021-11-11T16:38:57.91+00:00

True if you use the CSP directly, but you can also use a script here.

I don't understand the request though, why are you attempting to enforce something that is the default? Do you have users that have removed the local admin from the local Administrators group?
Edoardo Bruschini 1 Reputation point

2021-11-18T09:38:45.767+00:00

yes we were (and are) using a script so far, but have the names of the localadmins showed in the Adminitrators group is not the best practice and is not so intuitive to manage as you have to modify+reload the script everytime.
MS suggest to use the "group" method so i'm just trying to adapt the situation we have in place to the new one.

Strange there is no way to manage this differently

Share via

Add AzureAD user to local administrator group

3 additional answers

Your answer