Forum Discussion

AhBAy2335
Copper Contributor
Jan 30, 2026

Local Admin Rights

Hi Experts,

I have a customer running a Hybrid Azure AD Join environment with all Windows devices enrolled in Intune.

Currently, Domain Users are being added to the local Administrators group on all devices via an on-premises Group Policy from the Domain Controller (Restricted Groups / Local Admin configuration). This effectively gives all users local admin rights.

I want to remove Domain Users from the local Administrators group on endpoints while not modifying the Domain Users group itself in Active Directory.

What is the recommended / best-practice approach to handle this in a Hybrid + Intune setup?

Specifically:

What is the safest migration strategy to avoid device or admin lockouts?

Any Hybrid-specific gotchas when transitioning from on-prem GPO to Intune?

Looking for advice from those who’ve implemented this in production environments.

1 Reply

  • Hi AhBAy2335, this is a common scenario in hybrid environments, so you’re definitely not alone.

    At a high level, the goal should be to move local admin management out of on-prem GPO and into Intune, but to do it in a very controlled way so you don’t lock anyone out.

    What has worked well in production:

    1. Put a safety net in place first

    Before touching the GPO, make sure you already have reliable admin access on every device:

    Use Intune to add an Entra ID / AAD security group to the local Administrators group (Endpoint Security → Account Protection or Settings Catalog).

    Make sure LAPS is enabled so you always have a break-glass local admin.

    Test on a few devices and confirm you can still elevate and troubleshoot.

    The golden rule: add the new admins first, then remove Domain Users later.

    2. Carefully back out the GPO

    If you’re using Restricted Groups, be extra careful since it fully overwrites membership.

    Update or unlink the GPO so it no longer adds Domain Users to local Administrators.

    Don’t modify the Domain Users group in AD itself; just stop pushing it into local admin on endpoints.

    3. Roll out in small waves

    Start with a pilot OU or device group, then expand gradually.

    After each step, double-check:

    Users can still sign in

    IT can still elevate

    Remote support tools still work

    Hybrid-specific things to watch out for

    GPO often wins over Intune on hybrid devices, so make sure the GPO is truly disabled before relying on Intune.

    Watch for timing gaps where GPO removes admin rights before Intune applies them.

    Expect some apps to break once users lose admin; that’s usually the biggest follow-up task.

    Longer term

    Once you’ve transitioned:

    Keep local admin control fully in Intune

    Use LAPS + role-based admin groups

    Avoid putting any broad user groups in local Administrators again

    Lastly: stage it, test it, add admins first, then remove Domain Users. Done this way, it’s very manageable and a big security win.
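The "add admins first, verify, then remove Domain Users" sequence in the reply above is easy to state and easy to get wrong on a device-by-device basis, so here is an added example (not from the original post or reply, and not Microsoft documentation) of a PowerShell check a practitioner would run elevated on a pilot device before and after each wave. It reports whether Domain Users (RID 513) is still in the local Administrators group, whether the Entra ID group pushed by Intune has actually landed, whether Windows LAPS policy is present, whether the legacy GPO is still in the applied set, and whether the device really is hybrid joined, and it emits the LocalUsersAndGroups CSP XML that adds a group without overwriting existing membership. The Entra group SID and the GPO display name are placeholders you must replace; the registry paths are the documented Windows LAPS policy locations for CSP- and GPO-delivered settings.

```powershell
#Requires -RunAsAdministrator
# Added example: pre/post-wave readiness check for moving local admin control
# from a Restricted Groups GPO to Intune on a hybrid-joined device.
# Placeholders (replace before use):
#   $EntraAdminGroupSid  SID of the Entra ID group Intune adds to Administrators
#                        (Entra group SIDs start with S-1-12-1-)
#   $LegacyGpoName       display name of the on-prem GPO that pushes Domain Users
param(
    [string]$EntraAdminGroupSid = 'S-1-12-1-1111111111-2222222222-3333333333-4444444444',
    [string]$LegacyGpoName      = 'Workstations - Local Admins'
)

function Get-LocalAdminMembers {
    # Use the ADSI WinNT provider rather than Get-LocalGroupMember: on some builds
    # the cmdlet fails ("Failed to compare two elements") when Entra SIDs are members.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        try {
            $raw = $m.GetType().InvokeMember('ObjectSid', 'GetProperty', $null, $m, $null)
            $sid = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
        } catch {
            $sid = $null   # unresolvable principal; keep the path for the report
        }
        [pscustomobject]@{ Member = $path -replace '^WinNT://', ''; Sid = $sid }
    }
}

function Test-LocalAdminMigration {
    $members = Get-LocalAdminMembers
    # Domain Users is RID 513 in every domain; match the RID, not the localized name.
    $domainUsers = $members | Where-Object { $_.Sid -match '-513$' }
    $entraGroup  = $members | Where-Object { $_.Sid -eq $EntraAdminGroupSid }

    # Windows LAPS policy: CSP (Intune) path first, then the Group Policy path.
    # BackupDirectory: 0 = disabled, 1 = Active Directory, 2 = Entra ID.
    $lapsCsp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
    $lapsGpo = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS' -ErrorAction SilentlyContinue
    $lapsBackup = ($lapsCsp, $lapsGpo | Where-Object { $_ } | Select-Object -First 1).BackupDirectory

    # Is the legacy GPO still in the computer's applied set? (Unlinking it removes the line.)
    $rsop = gpresult /scope computer /r 2>$null
    $legacyGpoApplied = [bool]($rsop -match [regex]::Escape($LegacyGpoName))

    # Hybrid join = both flags YES in dsregcmd output.
    $dsreg  = dsregcmd /status
    $hybrid = [bool](($dsreg -match 'AzureAdJoined\s*:\s*YES') -and ($dsreg -match 'DomainJoined\s*:\s*YES'))

    [pscustomobject]@{
        HybridJoined            = $hybrid
        DomainUsersIsLocalAdmin = [bool]$domainUsers
        EntraAdminGroupPresent  = [bool]$entraGroup
        LapsBackupDirectory     = $lapsBackup
        LegacyGpoApplied        = $legacyGpoApplied
        # The thread's golden rule: new admins and LAPS in place before Domain Users goes.
        SafeToRemoveDomainUsers = [bool]$entraGroup -and ($lapsBackup -in @(1, 2))
        Members                 = $members.Member -join '; '
    }
}

function New-LocalAdminCspXml {
    # Payload for the Intune OMA-URI ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure.
    # action="U" updates membership (adds the group, keeps existing members).
    # action="R" replaces it: the same overwrite behaviour the reply warns about in Restricted Groups.
    param([string]$GroupSid = $EntraAdminGroupSid)
    @"
<GroupConfiguration>
  <accessgroup desc="Administrators">
    <group action="U" />
    <add member="$GroupSid" />
  </accessgroup>
</GroupConfiguration>
"@
}

Test-LocalAdminMigration | Format-List
New-LocalAdminCspXml
```

Run it once before touching the GPO (expect DomainUsersIsLocalAdmin and LegacyGpoApplied both True, and SafeToRemoveDomainUsers True only once the Intune group and LAPS have arrived), then again after the GPO is unlinked and a `gpupdate /force` plus Intune sync have completed. A device where LegacyGpoApplied is False but DomainUsersIsLocalAdmin is still True is the Restricted Groups tattoo the reply hints at: unlinking the policy does not remove members it already added, so that removal has to come from the Intune policy or a one-time script.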
