Forum Discussion
josvds
Dec 28, 2021 | Brass Contributor
Local administrator privileges not working after adding security group to local admin group
We have a couple of notebooks and added both of them to an Azure tenant. They are both belonging to a group which has a policy configured to set "RestrictedGroups – ConfigureGroupMembership" (like in ...
josvds
Dec 28, 2021 | Brass Contributor
After removing my profile from Windows and logging in again, I did get the administrator privileges.. We still would like to know how to fix this without removing the profile, because when promoting an existing user to Admin, we don't want to remove the entire profile.
Reply - Dec 28, 2021
🙂 Good afternoon.. Normally I am expecting the question reversed... How to make sure my end user doesn't get local admin privileges.
But looking back at your question, it was fixed after removing the user profile (and deleting the registry hive for that user?)
Wouldn't it be better to use the local users and groups option?
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups
Like I am also describing in this blog
https://call4cloud.nl/2021/04/dude-wheres-my-admin/
Also there are better options available to elevate yourself to admin, when needed.. Like I am also mentioning in the blog above.
josvds
Dec 28, 2021 | Brass Contributor
Thanks Rudy for your feedback. We are working in a big tenant which contains multiple organizations. We manage a couple of organizations within this tenant and would like to set a restricted group of users who can execute local-admin applications.
So we have created a "localadmin" security group in Azure. We have created a profile which uses the settings you wrote in "Restricted Groups" to only allow this group to be able to run local admin functions.
This is working pretty well, but we noticed that after setting this, the user who was already logged on to the system didn't get the access, while new users logging on to the device are getting local admin privileges (when they are part of the group).
After removing my user profile from the device and logging in again, I gained administrator privileges. So it looked to be some caching or something. So because it can happen more often that an employee is becoming IT contact and involves to local-admin for a group of devices, we don't want to delete his profile to make sure he becomes admin on his local device.
So what could cause this and is there a way to enforce a refresh of detection for "local admin" privileges?
Reply - Dec 28, 2021
Hi
What happens when you manually sync the device or restart the Intune mgt extension on the device itself? Nothing in the Intune mgt log or normal event logs? Did you also try to open the local users and groups to take a look at how the local administrators group looks?
Normally the policy CSP refresh time is 8 hours. But I am not 100% sure this policy is also "refreshing".
In my experience there are better options... maybe making sure you have dedicated local admin on each device with LAPS configured. Or take a look at the Azure AD joined device local admin role... Or maybe go for a paid solution like Admin By Request.
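A way to verify on the affected device what the thread is describing, added here as an example and not code from the thread or from Microsoft: it lists what the local Administrators group contains right now (the state the policy wrote) and then checks whether the current user's logon token carries the Administrators SID at all. A logon token is built at sign-in and is not updated afterwards, so a member added to the group while the user is logged on shows up in the first list but not in the token until the user signs in again. It assumes Windows 10/11 with the built-in LocalAccounts module and English `whoami` column headers, run as the affected user without elevation.

```powershell
# Added example (not from the thread): compare the on-disk Administrators
# membership with the groups in the running user's token.
$AdminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-AdminGroupState {
    # Members as configured now. Cloud (Azure AD) groups appear as unresolved
    # S-1-12-1-... SIDs, which is expected on an Azure AD joined device.
    try {
        $members = Get-LocalGroupMember -SID $AdminSid |
            ForEach-Object { '{0} ({1})' -f $_.Name, $_.SID }
    } catch {
        # Get-LocalGroupMember can fail on Azure AD joined devices when a SID
        # cannot be resolved; fall back to the classic net.exe listing.
        $members = (net localgroup Administrators) |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
    }

    # Groups in the token were fixed at logon. whoami also reports the
    # "Group used for deny only" form that UAC gives an unelevated admin,
    # so the SID being present at all proves membership existed at sign-in.
    $tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry  = $tokenGroups | Where-Object { $_.SID -eq $AdminSid }

    [pscustomobject]@{
        User              = (whoami)
        GroupMembersNow   = $members
        TokenHasAdminSid  = [bool]$adminEntry
        TokenAdminAttribs = if ($adminEntry) { $adminEntry.Attributes } else { $null }
    }
}

$state = Get-AdminGroupState
$state | Format-List

if (-not $state.TokenHasAdminSid) {
    Write-Host 'Administrators SID is absent from the current token: it was built before'
    Write-Host 'the membership changed. A new sign-in (not profile deletion) refreshes it.'
}
```

If GroupMembersNow already contains the Azure AD group SID while TokenHasAdminSid is False, the policy has applied and the remaining gap is the stale logon session, not the CSP refresh interval.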