Forum Discussion
josvds
Dec 28, 2021, Brass Contributor
Local administrator privileges not working after adding security group to local admin group
We have a couple of notebooks and added both of them to an Azure tenant. They both belong to a group which has a policy configured to set "RestrictedGroups – ConfigureGroupMembership" (like in ...
Dec 28, 2021
🙂 Good afternoon.. Normally I am expecting the question reversed... How to make sure my end user doesn't get local admin privileges.
But looking back at your question, it was fixed after removing the user profile (and deleting the registry hive for that user?)
Wouldn't it be better to use the local users and groups option?
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups
Like I am also describing in this blog
https://call4cloud.nl/2021/04/dude-wheres-my-admin/
Also there are better options available to elevate yourself to admin, when needed.. Like I am also mentioning in the blog above.
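An added diagnostic for the situation described in the thread; it is not code from the thread or from the linked blog. It separates what the Intune policy wrote into the local Administrators group (on disk) from what the already-running logon session's token contains, which is what decides whether UAC can elevate. The Azure AD group SID is a placeholder you must replace with your own group's SID.

```powershell
# Added diagnostic (not from the thread or the linked blog). Run it in the
# affected user's existing, non-elevated session. Replace $GroupSid with the
# SID of your own Azure AD "localadmin" group; the value here is a placeholder.
param(
    [string]$GroupSid = 'S-1-12-1-0-0-0-0'   # placeholder, not a real group
)

# 1. What is stored on the device: the members of the local Administrators
#    group after the Intune policy ran. Get-LocalGroupMember fails on some
#    builds when Azure AD SIDs are present, so fall back to 'net localgroup'
#    (which only lists unresolvable members as raw SIDs, hence the filter).
try {
    $onDisk = @((Get-LocalGroupMember -Group 'Administrators').SID.Value)
} catch {
    $onDisk = @((net localgroup Administrators) | Where-Object { $_ -match '^S-1-' })
}
$groupOnDisk = $onDisk -contains $GroupSid

# 2. What the live logon token contains. whoami reads the token directly, so a
#    UAC-filtered Administrators entry ("Group used for deny only") still shows,
#    which is what matters: if it is absent, UAC has nothing to elevate to.
$token         = whoami /groups /fo csv | ConvertFrom-Csv
$groupInToken  = [bool]($token | Where-Object { $_.SID -eq $GroupSid })
$adminsInToken = [bool]($token | Where-Object { $_.SID -eq 'S-1-5-32-544' })

"Azure AD group is in local Administrators (on disk): $groupOnDisk"
"Azure AD group is in this session's token          : $groupInToken"
"BUILTIN\Administrators is in this session's token  : $adminsInToken"

# 3. Interpretation. Windows resolves local group membership into the token
#    once, when the logon session is created; later changes to the local
#    group are not pushed into tokens that already exist.
if (-not $groupOnDisk) {
    'Policy not applied yet: sync the device and check the Intune management logs.'
} elseif (-not $adminsInToken) {
    'Stale token: Administrators was granted after this session started.'
    'A fresh interactive sign-in rebuilds the token; deleting the profile is not needed.'
    if (-not $groupInToken) {
        'The Azure AD group itself is also missing from the token, so that membership postdates the sign-in.'
    }
} else {
    'Token is current: elevation via UAC should work in this session.'
}
```

A full sign-out and sign-in (not a lock/unlock, which keeps the same logon session) is enough to get a rebuilt token; deleting the profile only worked in the thread because it forced exactly that.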
josvds
Dec 28, 2021, Brass Contributor
Thanks Rudy for your feedback. We are working in a big tenant which contains multiple organizations. We manage a couple of organizations within this tenant and would like to set a restricted group of users who can execute local-admin applications.
So we have created a "localadmin" security group in Azure. We have created a profile which uses the settings you wrote in "Restricted Groups" to only allow this group to be able to run local admin functions.
This is working pretty well, but we noticed that after setting this, the user who was already logged on to the system didn't get the access, while new users logging on to the device are getting local admin privileges (when they are part of the group).
After removing my user profile from the device and logging in again, I gained administrator privileges. So it looked to be some caching or something. Because it can happen more often that an employee becomes IT contact and is involved as local admin for a group of devices, we don't want to delete his profile to make sure he becomes admin on his local device.
So what could cause this and is there a way to enforce a refresh of detection for "local admin" privileges?
- Dec 28, 2021
Hi
What happens when you manually sync the device or restart the Intune mgt extension on the device itself? Nothing in the Intune mgt log or normal event logs? Did you also try to open the local users and groups to take a look at what the local Administrators group looks like?
Normally the policy CSP refresh time is 8 hours. But I am not 100% sure this policy is also "refreshing".
In my experience there are better options... maybe making sure you have a dedicated local admin on each device with LAPS configured. Or take a look at the Azure AD joined device local admin role... Or maybe go for a paid solution like Admin By Request.
- josvds
Dec 28, 2021, Brass Contributor
Hi.. Thanks for your feedback. Answering your questions.
* What happens when you manually sync the device or restart the intune mgt extension on the device itself
I have restarted the device several times, started the sync from Intune and also from the Work / School functionality from Windows itself. Restarting the service on this device is something I couldn't do because I was not an admin. (Didn't do this either with the account of my colleague, this I could have tried).
* nothing in the intune mgt log or normal event logs?
No, I couldn't find anything inside the log. The sync looked to work fine, because the security group was added to the local "Administrators" group. So that worked fine, this also made it possible for my colleague to logon as administrator. But still didn't make me admin.
* Alternatives like dedicated local admin
We thought about this as well, to make one specific user local administrator. But we are not in favor of sharing passwords. A role makes a user "Administrator" for all devices joined to this tenant. But because there are multiple organizations and a user should only become "admin" for one organization, we can't use this. A paid option we didn't look into, perhaps that could be an alternative, but we ourselves would like to be able to manage the devices without overkill.
- Dec 29, 2021
"The sync looked to work fine, because the security group was added to the local "Administrators" group. So that worked fine, this also made it possible for my colleague to logon as administrator. But still didn't make me admin."
It almost sounds like some sticking old security settings? What happens when you change something in that policy after it has run successfully (after removing the profile, logging back in)?
Mmm that sounds pretty much lik