Antony1108
Copper Contributor
May 01, 2024

Conflict status after having 2 Local user group membership Policy

Hello, 

I have an issue with applying two "Local User Group Membership" policies on a PC. The Intune policy report shows a conflict between having two "Local User Group Membership" policies despite having different configurations. For example, one is a Global Policy, which applies an admin privilege to all PCs, and the other one is more specific to a certain group, and it is just about giving remote access to the PCs in this group. So, my question is, why does Intune mark these two policies as conflicting with each other? If it is not possible to have two "Local User Group Membership" policies applying to the PC, is there a way to have a global policy for admin users on the PC and one more private policy for remote user access using "Local User Group Membership"?

  • Artturi
    Copper Contributor
    I have the same issue using OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsers
    The OMA-URI is conflicting since it is already used once by another policy. It seems like the suggestion is to create one policy and then use AD/Entra groups to deal with the access rights. I was looking for another solution since I did not feel like applying a small needs group for all devices.

    I haven't tested this but I think the config would need to look something like this:
    <GroupConfiguration>
        <accessgroup desc = "Local User group 1">
            <group action = "U"/>
            <add member = "Domain\Group1"/>
        </accessgroup>
        <accessgroup desc = "Local User group 2">
            <group action = "U"/>
            <add member = "Domain\Group2"/>
        </accessgroup>
    </GroupConfiguration>
  • NicklasOlsen
    Iron Contributor
    Hi Antony,

    I have to understand it correctly.
    You have two separate policies created in Intune, that are conflicting?

    Can we see the configuration of the policies?
    • RobinWulz
      Copper Contributor
      I'm not OP but I have the same issue;
      I have two policies, one to set the Local Administrators and the other one to set the local Remote Desktop Users. Both are set to "Add (Update)". But neither of the policies applies to the devices they are targeted to; instead, they report that they are in conflict. The two policies do not target the same local group and both are set to Add/Update (not replace). Any hint why they are conflicting?
      • NicklasOlsen
        Iron Contributor
        I assume it's targeted to the same set of devices? 🙂
  • KateH85
    Copper Contributor

    Antony1108 
    Maybe MS has fixed the bug as of 10/10/2024, but Update and Replace have worked for us.
    Combining groups into the same policy.
     - Update for Administrators
     - Replace for Remote Desktop Users

    • itwaman
      Copper Contributor

      What doesn't work for us is to target the same device, same group with different policies; even using the "add/update" option, it generates a conflict.

      • Newt_Othis
        Copper Contributor

        Yeah - we're seeing the same thing too. Separate policies for different local groups targeting the same device results in a conflict.
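
The single-policy approach discussed in this thread, as an added example (not code from any poster or from Microsoft): a Python helper that merges the XML payloads of separate Local User Group Membership policies into one `GroupConfiguration`, and refuses to merge when two payloads request different actions for the same local group. The domain, group and function names are constructed; `R` as the replace action and the `remove` element are assumed from the LocalUsersAndGroups CSP schema and do not appear in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample payloads (hypothetical domain and group names): the XML of
# two separate policies that target the same device.
ADMINS_POLICY = r"""<GroupConfiguration>
  <accessgroup desc="Administrators">
    <group action="U"/>
    <add member="CONTOSO\Workstation-Admins"/>
  </accessgroup>
</GroupConfiguration>"""
RDP_POLICY = r"""<GroupConfiguration>
  <accessgroup desc="Remote Desktop Users">
    <group action="U"/>
    <add member="CONTOSO\Lab-Remote-Users"/>
  </accessgroup>
</GroupConfiguration>"""


def merge_group_configurations(*payloads):
    """Merge GroupConfiguration payloads into one XML string.

    Members of the same local group are combined. ValueError is raised when two
    payloads request different actions (U vs R) for the same local group.
    """
    merged = {}  # lowercased local group name -> desc, action, member edits
    for payload in payloads:
        for ag in ET.fromstring(payload).iter("accessgroup"):
            desc, group = ag.get("desc"), ag.find("group")
            if not desc or group is None:
                raise ValueError("accessgroup needs desc and a <group action>")
            action = group.get("action")
            entry = merged.setdefault(
                desc.lower(), {"desc": desc, "action": action, "edits": []})
            if entry["action"] != action:
                raise ValueError(f"conflicting actions for local group {desc!r}")
            for child in ag:
                edit = (child.tag, child.get("member"))
                if child.tag in ("add", "remove") and edit not in entry["edits"]:
                    entry["edits"].append(edit)
    root = ET.Element("GroupConfiguration")
    for entry in merged.values():
        ag = ET.SubElement(root, "accessgroup", desc=entry["desc"])
        ET.SubElement(ag, "group", action=entry["action"])
        for tag, member in entry["edits"]:
            ET.SubElement(ag, tag, member=member)
    ET.indent(root)  # requires Python 3.9+
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(merge_group_configurations(ADMINS_POLICY, RDP_POLICY))
```

Reviewing the merged output before deployment also gives a single place to audit who ends up in the local Administrators group on each device.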
