Forum Discussion
fbatuns
Aug 09, 2024
Iron Contributor
"User Rights" Policy not working properly
During our process of migrating GPOs to Intune policy I noticed some odd behaviour of Intune.
We want to set specific User Rights (in GPO this was called User Rights Assignment) for specific groups, users and built-in groups. We are setting this policy through the Windows 10 (and later) Security Baseline.
When using SIDs for built-in groups like *S-1-5-32-544 it seems to work perfectly. But there are several other things that are not working:
- I'm not able to set any kind of own group in this policy, neither on-prem AD groups nor Entra ID groups. I tried with DOMAIN\Group-Name, with the classical SID and with the Object GUID. The group just won't appear on the client and the event log is throwing an Error 821 "Security Identifier is invalid".
- I'm not able to set a specific User Right to NULL so that no user has the right. If I leave the field empty and save the policy it automatically switches to Not Configured and does nothing. NULL, 0 or the security identifier S-1-0-0 are not working either.
- When I checked whether the policy is properly applied through gpedit.msc I noticed that the policies are not locked down like when setting the policy via GPO. So a user with administrative rights can easily change the assignments until the next Intune policy sync (which is not too often).
Wondering if somebody was able to set the User Rights properly (also using own groups, not just well-known SIDs) or if somebody else is facing the same issues.
2 Replies
- DRich22
  Brass Contributor
  Good luck with this one, it's been a pain point for sure. I believe the only way you can get this semi-functional is to have a policy / script create a local group on the endpoint to which the user can be added, and then create a user rights assignment policy that adds the local group. Certainly not ideal.
- fbatuns
  Iron Contributor
  Hi,
  thanks for the reply. That's too bad to hear, but I'm glad that I'm not the only one facing issues with this. Hmm, well, I think we will stick to the GPO for now and re-evaluate the importance of this setting on non-domain-joined (Entra ID only) devices.
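The workaround DRich22 describes, as an added PowerShell example that is not from the thread or from Microsoft: an Intune-deployed script provisions the local group that the User Rights policy will reference, and then the client checks what the Local Security Policy actually holds by parsing a secedit export instead of trusting gpedit. The group name, the member and the right (SeInteractiveLogonRight) are assumptions; replace them with your own.

```powershell
# Added example (not from the thread). Run elevated / as SYSTEM on the endpoint,
# e.g. as an Intune PowerShell script. All names below are assumed placeholders.
$GroupName = 'Intune-LogonOperators'          # assumed local group name
$Member    = 'AzureAD\user@example.com'       # placeholder Entra ID principal
$Right     = 'SeInteractiveLogonRight'        # assumed right to verify

# Step 1: create the local group idempotently (Intune re-runs scripts).
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Target of Intune User Rights policy' | Out-Null
}

# Step 2: add the member; on Entra-joined devices the 'AzureAD\UPN' form is
# accepted. Failure is reported, not fatal, so the verification still runs.
try {
    if (-not (Get-LocalGroupMember -Group $GroupName -Member $Member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $GroupName -Member $Member
    }
} catch { Write-Warning "Could not add $Member to ${GroupName}: $_" }

# Step 3: read the effective User Rights Assignment from a secedit export.
# The [Privilege Rights] section contains lines such as
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
function Get-AssignedSids {
    param([Parameter(Mandatory)][string]$Privilege)
    $cfg = Join-Path $env:TEMP 'ura-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match "^\s*$Privilege\s*=" }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }     # nobody holds the right (or export failed)
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

# Step 4: compare the policy's intent with what the client really has.
$groupSid = (Get-LocalGroup -Name $GroupName).SID.Value
$holders  = Get-AssignedSids -Privilege $Right
if ($holders -contains $groupSid) {
    "OK: $GroupName ($groupSid) holds $Right"
} else {
    "MISSING: $GroupName not among [$($holders -join ', ')] for $Right; " +
    "check the Intune policy sync and the Event ID 821 entries mentioned in the thread"
}
```

Running the check on a schedule (or as an Intune remediation detection script) also surfaces the drift the original post describes, where a local administrator edits the assignment between policy syncs.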