Posted in: Azure, Intune, Microsoft, PowerShell. By Tobias Sandberg

4 years ago

Do you have issues when trying to add an account as local admin on your Azure AD Joined device? Maybe you have specific requirements regarding which accounts should be admins on your client machines and the Azure AD solution (additional local administrators on Azure AD joined devices) is not enough to satisfy your needs.

There are a couple of alternatives out there, for example the RestrictedGroups policy (Windows 10 version 1803 or later), where you define via policy which users should be members of your local groups. Unfortunately, this is not a great solution if you want to set different users for each computer.

So how do we solve this?

Update 2020-12-22:
From Windows 10, version 2004, we are now able to use Azure AD groups for administrator privileges on Azure AD joined devices with the RestrictedGroups policy. This is a bit more flexible than doing it with separate users, so it could be a good solution for you if your clients are up-to-date and support it. Please note that with the Windows 10 20H2 update, Microsoft recommends using the Local Users and Groups policy instead of the Restricted Groups policy. Read more about it here.

We developed a PowerShell script that will help you automate this process. It can add multiple users to different local groups on your Azure AD Joined devices. It is based on the Add-LocalGroupMember cmdlet, which lets you add users from multiple sources (including Azure AD). Just copy the script, adapt it to your environment, verify that it works, upload it in the PowerShell scripts section of the Intune portal and deploy it to the users/devices of your choice.

```powershell
<#
    .SYNOPSIS
        This script will add Azure AD users to local groups on your Azure AD Joined device. It can add multiple users to different groups.
    .DESCRIPTION
        The script looks for the logged-on user and, if it detects that a user is logged on, it will do the following:
        - Get the UPN for the user based on the parameters defined (this must be changed to reflect your environment and requirements)
        - Add users to predefined local groups on the client (which can be whatever group you define)
            - The groups and users defined in this script are the following
                > Standard account: Administrators
                > Client account: Administrators, Backup Operators
        The groups are gathered by their SID so the actual group names are resolved correctly if you have different languages on your clients.
        Source: https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
    .NOTES
        Author: Tobias Sandberg
        Date published: 2019-04-17
        Current version: 1.0
    .LINK
        Välkommen till Xenit
    .EXAMPLE
        Configure-LocalAdmin.ps1
#>
[CmdletBinding()]
Param(
    [string]$domainName = "DOMAIN\",
    [string]$domainUPNSuffix = "@domain.local",
    [string]$clientAccount = "client.",
    [string]$localAdministratorGroupSID = "S-1-5-32-544",
    [string]$localBackupOperatorsGroupSID = "S-1-5-32-551"
)
Begin{
    # Resolve the local group names from their well-known SIDs
    $localAdministratorGroup = (Get-LocalGroup -SID $localAdministratorGroupSID).Name
    $localBackupOperatorsGroup = (Get-LocalGroup -SID $localBackupOperatorsGroupSID).Name
    # Determine the currently logged-on username and build its UPN
    $UserName = Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty UserName
    $UserName = "$($UserName)$($domainUPNSuffix)"
    # Build the matching client account name (same name with the client prefix)
    $clientUserName = $UserName.Replace($domainName,"$($domainName)$($clientAccount)")
}
Process {
    if(!(Get-LocalGroupMember -Name $localAdministratorGroup | Where-Object {$_.Name -eq $UserName})){
        # Add user to local Administrators group
        Add-LocalGroupMember -Group $localAdministratorGroup -Member "$($UserName)"
    }
    else{
        Write-Host "$($UserName) is already member of the group $($localAdministratorGroup)"
    }
    if(!(Get-LocalGroupMember -Name $localAdministratorGroup | Where-Object {$_.Name -eq $clientUserName})){
        # Add client account to local Administrators group
        Add-LocalGroupMember -Group $localAdministratorGroup -Member "$($clientUserName)"
    }
    else{
        Write-Host "$($clientUserName) is already member of the group $($localAdministratorGroup)"
    }
    if(!(Get-LocalGroupMember -Name $localBackupOperatorsGroup | Where-Object {$_.Name -eq $clientUserName})){
        # Add client account to local Backup Operators group
        Add-LocalGroupMember -Group $localBackupOperatorsGroup -Member "$($clientUserName)"
    }
    else{
        Write-Host "$($clientUserName) is already member of the group $($localBackupOperatorsGroup)"
    }
}
End{
}
```
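Added example, not the post's script: a variant of the same approach written the way I would deploy it through Intune. It exits when nobody is logged on (the original would otherwise build a member name from the UPN suffix alone), compares existing members case-insensitively, and writes every outcome to a log file under ProgramData, since Write-Host output is not visible in the Intune portal. The parameter names and the "client." account convention are carried over from the post; the log path and the Set-GroupMembership helper are assumptions of this example.

```powershell
# Added example, not the post's script. Same naming assumptions as the post:
# logged-on user is "DOMAIN\user" (or "AzureAD\user") and the client account is
# that name with a "client." prefix. Intended to run as SYSTEM from Intune.
[CmdletBinding()]
Param(
    [string]$domainName = "DOMAIN\", [string]$domainUPNSuffix = "@domain.local",
    [string]$clientAccount = "client.",
    [string]$logFile = "$env:ProgramData\LocalGroupConfig\membership.log"
)
function Write-Log([string]$message) {
    $dir = Split-Path -Parent $logFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    "$(Get-Date -Format o) $message" | Add-Content -Path $logFile
}
# Ensure one account is a member of the group with the given well-known SID.
# Returns 'Added', 'Present' or 'Failed' so every outcome ends up in the log.
function Set-GroupMembership([string]$groupSid, [string]$member) {
    $group = Get-LocalGroup -SID $groupSid
    $existing = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq $member }
    if ($existing) { return 'Present' }
    try {
        Add-LocalGroupMember -Group $group -Member $member -ErrorAction Stop
        return 'Added'
    } catch {
        Write-Log "ERROR adding '$member' to '$($group.Name)': $($_.Exception.Message)"
        return 'Failed'
    }
}
# Win32_ComputerSystem.UserName is empty when nobody is interactively logged on;
# without this check the member name would degrade to just the UPN suffix.
$loggedOn = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if ([string]::IsNullOrWhiteSpace($loggedOn)) {
    Write-Log "No interactive user logged on; nothing to do."
    exit 0
}
$userName = "$loggedOn$domainUPNSuffix"
$clientUserName = $userName.Replace($domainName, "$domainName$clientAccount")
# Desired state as (SID, member) pairs: S-1-5-32-544 = Administrators,
# S-1-5-32-551 = Backup Operators (well-known SIDs, language independent).
$desired = @(
    @{ Sid = 'S-1-5-32-544'; Member = $userName },
    @{ Sid = 'S-1-5-32-544'; Member = $clientUserName },
    @{ Sid = 'S-1-5-32-551'; Member = $clientUserName }
)
foreach ($entry in $desired) {
    $result = Set-GroupMembership -groupSid $entry.Sid -member $entry.Member
    Write-Log "$result : '$($entry.Member)' in group SID $($entry.Sid)"
}
```

The log file gives you a per-device record of who was granted which local group, which is what you will want when reviewing local admin sprawl later.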

The script is highly adaptable and can be changed in a lot of ways to fit your environment. So feel free to use it as you want.

If you have any questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.

Tags: Add-LocalGroupMember, admin users, administrators, Azure, Azure admins, azure local admins, AzureAD, AzureADJoined, get-localgroup, localadmin, localadministrators, Modern management, modernmanagement, PowerShell, powershellscript, users on devices, Windows 10 version 2004, Windows 10 version 20H2, Windows 2004, Windows 20H2
