Introduction
First off, if you are still pondering the age old question “Should my users be local admin or not” I’m gonna help you right here: No, No, a Thousand Times No [Insert Darth Vader yelling “Nooooooooooooooo“]. The only good reason I can think of for letting your users be local administrators is if you have too much money & time on your hands and could use a ransomware or two this year to slow down production. I’m not gonna spend more time on it here but if you want more input Sami Laiho has some really great posts and talks about the subject that really removes all doubt. So now that we’ve resolved the question on local admin or not, the next questions comes to how we go about doing this in Intune/Endpoint Manager. Intune provides a great way of doing so using Autopilot, but since autopilot is easier said than done for a lot of people & situations there might be a lot of devices with users ending up as local admin
Note: This is for Azure AD Only / Cloud Only Devices
P.S There will be some discussions on LAPS / One time passwords at the last chapter
Solution
So let’s head on to the how’s about removing local admin rights, and it’s really not magical or revolutionary. So as some of you may have noted Intune does provide a profile that allows you to modify the local admin group, but it’s not super easy to get around to understand and since I’ve noted some people get errors even when creating the profile and others get tons of errors in the Intune Portal
The reason for the policy generating errors or generally not yielding the results people wants has been varying, but one of the most common one’s has to do with the OS language being different on different machines, and to this my colleague came up with a simple and brilliant solution
So the goal of today is to create a policy that removes any user from the local administrator group that works on all devices without generating any errors (in as few steps as possible), and to do this we’re going to do this without scripts only using Intune profiles
What we need
- An Azure AD joined device
- To view the contents of the local administrator group
- 2 Intune Profiles
- 1 profile that dictates the contents of the local administrator group
- 1 profile that renames the local administrator account
Thats it! Only a few steps to get this to work
Azure AD joined device
Okey, to start this off we’re gonna take a look at the contents of the local administrators group on an Azure AD joined device. You can access the local administrators group with the shortcut lusrmgr.msc
Make sure you have local administrative access to the device
- Hit the Windows Button and search for lusrmgr.msc, right click Run as administrator
- Open Groups
- Open Administrators group (Different name in depending on OS language)
When we open the group its gonna look like this:
There’s going to be the local administrators account, the User Account that is current local administrator and 2 long SID’s
First off, the local administrator account needs to be there, we cannot remove it from the Administrators group but as this is an Intune / Azure AD joined device its disabled by default and has no password
Then we have the User Account that has enrolled the device, which if its not an Autopilot device will automatically become local administrator
Then we have the 2 longs SID’s that will be on all Azure AD joined devices per default,
One of them is the Azure AD Role group for “Global Administrator” and the other one is the Azure AD Role group for “Local device administrators”. So if we want Global administrators and the group for Local device administrators to continue to work, we need to keep them in the local administrators group
We can view the users in the local device administrators role group in Azure AD
- Open Azure AD
- Navigate to the Devices blade
- Navigate to Device settings
- Click on Manage Additional local administrators on all Azure AD joined devices at the bottom of the page
Depending of if you used this Group up until now or not this maybe empty or populated with the correct administrators for your devices
So if we wanna keep both of these groups as local administrators we can just copy them from our Azure AD joined device. But to find out which is which we will need to resort to our lord and savior; PowerShell
Before we open PowerShell make sure to add at least one User to the Additional local administrators on all Azure AD joined devices page, if not it won’t show up
- Open PowerShell
- Make sure you have the Module AzureAD installed
- If you need to install the PowerShell module make sure PowerShell is started as Administrator
- Type Install-Module AzureAD
- Accept the install
- Type Connect-AzureAD
- Sign in with an account with privilege’s to read the AzureAD Directory
- Type Get-AzureADDirectoryRole (More information on the command and on the module can be found on the Microsoft Docs)
Now we’re going to convert those object ID’s to SID’s using a awesome function that Oliver Kieselbach made a while back.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
Function Convert-AzureAdObjectIdToSid { <# .SYNOPSIS Convert an Azure AD Object ID to SID .DESCRIPTION Converts an Azure AD Object ID to a SID. Author: Oliver Kieselbach (oliverkieselbach.com) The script is provided "AS IS" with no warranties. .PARAMETER ObjectID The Object ID to convert #> param([String] $ObjectId) $bytes = [Guid]::Parse($ObjectId).ToByteArray() $array = New-Object 'UInt32[]' 4 [Buffer]::BlockCopy($bytes, 0, $array, 0, 16) $sid = "S-1-12-1-$array".Replace(' ', '-') return $sid } $objectId = "INSERT OJBECT ID FROM AZURE HERE" $SID = Convert-AzureAdObjectIdToSid -ObjectId $objectId Write-Output $SID |
- Copy the code to a PowerShell ISE Window (or ISE or IDE of your choice)
- Edit the Object ID on Line 26 to the Object ID returned in the previous steps for Azure AD Joined Device Local Administrator and Global Administrator (one at the time)
- Run the Script and the same SID’s we saw in the local administrators group should be returned!
Intune Profiles
Now that we have all the information from the local administrators group, let’s head on to Intune to create our 2 profiles
As I mentioned before, we’re gonna try to get this done without errors and with multiple language support. So one of our issues we’re gonna run into later is when we create the profile that dictates the content of the local administrator group, we’re gonna need to know the name of the local administrators account, because as mentioned windows requires the local admin account to be in the local admin group. So first off we’re gonna create a policy that renames the local admin account so its the same on all devices
In Intune:
- Navigate to Devices
- Navigate to Windows
- Navigate to Configuration profiles
- Chose Create profile
- Platform: Windows 10 and later Profile Type: Settings catalog
- Chose a Fitting name for your profile, I chose “Rename Local Administrator Account” but it doesn’t matter
- Chose Add Settings
- Search for Local Policies Security Options
- Chose Local Policies Security Options
- When the list appears chose Accounts Rename Administrator Account
- Then rename it to whatever you want it called, I chose “Administrator” but it doesn’t matter
- Chose Next
- Assign it
Okey, now we have a the same name of the local administrator on all devices, lets move on to creating the Users and Groups profile
In Intune:
- Navigate to Endpoint Security
- Navigate to Account protection
- Chose Create profile
- Platform: Windows 10 and later Profile Type: Local user group membership
- Chose a Fitting name for your profile, I chose “Local Administrator Group Membership” but it doesn’t matter
- For Local Group: Select Administrators
- Then for Group and user action we have 3 alternatives, before we move on lets explain them
- Add (Update) – Choosing this option will just add whatever user you chose to the group you chose, simple
- Remove (Update) – This will remove the users you chose, but you have to specify exactly which one, so we cant use this to remove our users from local administrator
- Add (Replace) – This will remove all users in the group you specify and add the users / groups you specify
- Chose Add (Replace) as we already have our full list of users/groups we want, and what we are trying trying to achieve is to make sure nothing else is in the Local Administrators group this fits us perfectly
- User selection type: Manual
- Click Add users
- Add the 2 SID’s we extracted earlier and the username of the Local Administrators account we decided on in the previous profile
- Chose OK then Next
- Assign it
Done!
I recommend assigning it to a test device and making sure that you end up with your local admin account, the group SID’s but no end user.
Further
As always I would love if anyone comes up with ways to improve this. So further on this idea is just the general thought on how to handle Local Administrators and there is lots of content on this. Unfortunately there is no LAPS solution for Intune as we speak, but there currently is a Community Cloud Laps that is awesome with a really fast and cool implementation developed by Nickolaj. Also I recommend people to not be lazy or sleep on this, with Intune we have so much opportunity to deploy the applications/configuration the user needs and therefor the need for the user to be local admin really shouldn’t be there at all.
The feedback I’ve gotten on what I’ve written so far has been really amazing Thank you. I would be ever so grateful for feedback, comments or ideas how to improve upon this further
Thanks for reading
Hello everyone,
I’ve set my policy to Remove the user who joined the device in Azure AD from the admin group so that they don’t have local admin permissions and in Intune I see the policy status as OK, even when I go to view the admin group in my devices, I no longer see the user I deleted with my policy, i.e. the user who enrolled the device should no longer have local admin permissions, is that correct? However, it still has the permissions and they are only changed when I log out or restart the device. Is this normal behavior? Will it only work after reboot or logout?
Hi Antonio!
Yes, what your describing is expected behavior.
The actual permissions for a user is granted on logon, so they will have to log in & out once for it to take effect!
Kind Regards, Viktor
I tried the same thing – but the user is still in the local admin group. Intune says the policy was correctly applied.
Update – if I select individual users – the policy works immediately – and the user in question is removed from the admin group. But if I create a security group and put the SAME USERS into that group – and apply the policy to the group instead of individual users, the policy does indeed get applied, but doesn’t actually do anything.
So, in my experience, I can remove individual users, but I can’t use security groups (which would be a better way to manage this process).
BTW – the reason for this was some incorrect auto-pilot configurations. The first login became a local admin because autopilot didn’t work.
Ive just been playing with this. the reason you are seeing this is because it’s trying to remove the object you have set. So if that is an individual user it wil remove the user, if it is a security group it will try to remove the security group (Not the list of users in the group).
Is there a way to have this as a recurring change. i.e. if anyone new is added to the Local Admins group, then they are removed? It appears from my testing, that this is only runs once.
Follow up – in my earlier comments – I wasn’t following your instructions to the letter. It appears that the behavior I experienced was as designed. The Account Protection policy feature will remove specified users or specified named groups – but it will not remove the users who are named in a group. Thus, your method of basically killing the local admin group and recreating it with the SIDs of who you want is the elegant method of making sure the only local admins are the ones you dictate. Microsoft would be wise to point to this article as the solution to what I’ll bet is a common problem.
Outstanding instructions. Thank you for mapping this out start to finish. Worked like a charm.
Hi, Policy have been successfully applied. I can see no longer end user in the administrator group. I can see two SID and Administrator. End user account have been removed but still user has admin access. They can run cmd or powershell as administrator
Policy have been successfully applied. End user account have been removed from administrators group. Now I can see two SIDs and Administrator but user still have admin access. They can open cmd and PowerShell as administrator.
How can I fix this one ? I have tried signing out and signing in back but still user has admin access.
The change now is I cannot install or uninstall any applications but it doesn’t give me a prompt saying need a administrator access and option to put admin username and password.
Is it how suppose to be ?
If you have applied Intune Security Baselines for Windows, there is a setting that blocks the prompt for elevated credentials. This setting is ‘on’ by default.
Go to: ‘Endpoint Security>Security Baselines>Security Baseline for Windows 10 and Later’, then select the baseline you created.
Go to ‘Properties’, then ‘Edit’ configuration settings. Find the ‘Local Policies Security Options’ category and adjust the ‘Standard user elevation prompt behavior’ value to either ‘Prompt for credentials on the secure desktop’ or ‘Prompt for Credentials’
I have just tried this. I get a 65000 error code, type 2 error. All were removed, local admin remains. All others removed, but my global admins have not been added
I would like to thank Victor for this tutorial.
It finally resolved my device admin management issue. I followed the instructions to the letter and the user was successfully removed from admin and only the account i wanted are now on there.
I don’t have Intune Security Baselines for Windows configured so the user gets prompted for elevated credentials without fault.
Thanks Again.