Forum Discussion
Restrict user account
Dear all,
Can I check with you guys, when we use the user account to enrol a new laptop/desktop, the system will auto put the user account into the 'Administrator group' Thus, the user will get the admin privilege.
In this case, is there have a way something like self creates a restricted configuration profile in Intune, to restrict the user self install software or run cmd as admin?
Will be grateful for any help you can provide.
Thank you. 😃
4 Replies
- Hi,
I'll suggest to use Autopilot to enroll new devices, in which you can define a profile that will make the enrolling user a standard user and not an admin.
for existing devices you can create a Policy CSP - LocalUsersAndGroups in Intune to modify the members on the local administrators group (Starting from Windows 10, version 20H2)
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups
hope this helps.Thank you for your kind suggestion. I will try later. Thanks!
- You will need applocker, but when using applocker you will need to make sure the user doesn't has admin permission... Also there is no security when being local admin 🙂
SO https://call4cloud.nl/2021/04/dude-wheres-my-admin/ --> admin
And Applocker
https://call4cloud.nl/2020/06/applocker-a-la-minute/I hope you are doing fine. I will try. Thanks!
