I have issues with Local vs Global Admin Rights on my PC, I need guidance how to sort out please.

Question

I have Global Admin rights on my MS account, but not Local rights.

I therefore cannot update/manage apps on my laptop, and I am struggling to change the settings for this.

My local user account, whilst seemingly me, does is not labelled 'administrator'; my laptop appears as a listed active device. The user account seems to have the AzureAD title in there as well?

Seems a simple issue, but I'm stuck in a rut with this.

Answer 1

Hello Dave,

Thank you for posting question on Microsoft Windows Forum!

Based on the issue description. Well! The reason this happens is probably of that Global Admin rights are a cloud-level permission (Entra ID), while Local Admin rights are a device-level permission. Being a Global Admin does not always automatically inject you into the local "Administrators" group, especially if the device was "Registered" rather than "Joined" or if MDM policies are active.

To check the "Join" Status by opening Command Prompt. Type dsregcmd /status and look for AzureAdJoined : YES. If it says NO, you are only "Registered," and you will not get admin rights automatically.

If you can manage Entra (Azure AD) or you are allowed to change tenant device settings. Sign in to the Microsoft Entra admin center (Entra ID / Azure AD). Entra ID → Devices → Device settings → Manage Additional local administrators on all Microsoft Entra joined devices → Add assignments → add your user (or a group) or assign the “Microsoft Entra Joined Device Local Administrator” role to a group/account. Save. Wait a few minutes and on the device sign out/sign in (or run a sync). The user should be added to the local Administrators group. For more information https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin

If your organization uses Microsoft Intune or Endpoint Manager to control local admins. You can consult this article for more information https://learn.microsoft.com/en-us/intune/intune-service/protect/endpoint-security-policy

Hope the above information is helpful! If it is. Free feel to hit "Accepted" for benefitting others in community having the same issue too.

Answer 2

To resolve the issues with local and global admin rights on your PC, you can follow these steps:

1. Check User Account Type: Ensure that your local user account is set as an administrator. Since you mentioned it is not labeled 'administrator', you may need to change this setting.
2. Use Microsoft Intune Admin Center: If your organization uses Microsoft Intune, you can manage user settings from the Intune admin center. Sign in to the Microsoft Intune admin center, navigate to Devices > Windows 365 > User Settings, and check if you can edit the settings to grant local admin rights.
3. Contact Global Admin: Since you have global admin rights on your Microsoft account, ensure that you are logged in with the correct account. If your local account is tied to Azure AD, you may need to ask your organization's global admin to assign local admin rights to your user account.
4. Local User Management: You can also manage local users and groups using the Local Users and Groups tool. If you have access, you can add your account to the local administrators group. This can typically be done through the Computer Management console.
5. Reset Password or Permissions: If you are unable to change settings, you may need to reset your password or permissions. You can contact the Microsoft 365 Data Protection team for assistance if you are locked out of your account or need help with permissions.

By following these steps, you should be able to sort out the local vs global admin rights issue on your laptop.