How do I add users synced from AD to AAD as local administrators on Windows 10 devices with OMA-URI?

JorgenSundet
New Contributor

Hi,
I am trying to create a custom policy to add users as local admin on devices with the OMA-URI "./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership".
This works fine when I specify Azure user accounts (accounts created in AAD, not synced from local AD). However, when I try to add users synced from AD to the policy it fails and does not add the user to local admin group on my Windows 10 computer.
Has anyone managed to do this?


The syntax I use is as follows:
<groupmembership>
    <accessgroup desc = "Administrators">
        <member name = "Administrator" />
        <member name = "AzureAD\test.user@iktuninett.onmicrosoft.com" />
        <member name = "AzureAD\test.user2@uninett.no" />
    </accessgroup>
</groupmembership>
Test.user is a cloud only user, while test.user2 is synced from local AD. Test.user gets added to the local admin group just fine, but test.user2 is not added.

1 Reply

@JorgenSundet 
Anything in the event log on the client, DeviceManagement-Enterprise-Diagnostics-Provider?

Your syntax looks ok and as you are saying, it works for cloud only.

If they should be added to all devices, have you tried adding them with "Additional local administrators on Azure AD joined devices" that you find under Device -> Device Settings in Azure AD?

Global admins and the device owner get local admin rights by default.

Another option is by PowerShell - “net localgroup administrators AzureAD\testuser@contoso.com /add > nul 2> nul” | cmd

JT
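The two checks the thread turns on, whether the RestrictedGroups policy actually changed the local Administrators group and what the MDM diagnostic log says about it, can be scripted on the client. The following is an added example written for this page, not code from the thread's participants or from Microsoft; it assumes an elevated PowerShell session on the managed Windows 10 device, the built-in `Microsoft.PowerShell.LocalAccounts` module, and the `Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin` event log. The expected-member list is constructed from the account names in the question and is a placeholder for your own policy XML.

```powershell
# Added example (not from the thread): audit the local Administrators group
# against the members the RestrictedGroups/ConfigureGroupMembership policy is
# expected to enforce, then pull recent MDM diagnostic events for the policy.
# Run elevated on the managed device (Windows PowerShell 5.1 or later).

# Constructed sample: the member names from the policy XML in the question.
$ExpectedMembers = @(
    'Administrator',
    'AzureAD\test.user@iktuninett.onmicrosoft.com',
    'AzureAD\test.user2@uninett.no'
)

function ConvertTo-CanonicalMemberName {
    # Get-LocalGroupMember reports local accounts as COMPUTERNAME\Name, while the
    # policy XML names them without the prefix; AzureAD principals already match
    # the AzureAD\user@domain form used in the XML.
    param([object]$Principal)
    if ($Principal.PrincipalSource -eq 'Local') {
        return ($Principal.Name -split '\\')[-1]
    }
    return $Principal.Name
}

function Get-LocalAdminAudit {
    param([string[]]$Expected)

    # Each member carries Name, SID and PrincipalSource (Local, ActiveDirectory,
    # AzureAD, MicrosoftAccount), which shows how a synced vs cloud-only user is resolved.
    $actual = Get-LocalGroupMember -Group 'Administrators'
    $actualNames = @($actual | ForEach-Object { ConvertTo-CanonicalMemberName $_ })

    # PowerShell's -notcontains is case-insensitive, matching how Windows treats
    # account names and UPNs.
    $missing = @($Expected | Where-Object { $actualNames -notcontains $_ })
    $extra   = @($actual   | Where-Object { $Expected -notcontains (ConvertTo-CanonicalMemberName $_) })

    [pscustomobject]@{
        Actual  = $actual | Select-Object Name, SID, PrincipalSource
        Missing = $missing          # listed in the policy but not in the group: policy did not apply
        Extra   = $extra | Select-Object Name, SID, PrincipalSource  # in the group but not in the policy
    }
}

function Get-MdmPolicyEvents {
    # Recent entries from the MDM diagnostics log that mention the RestrictedGroups
    # policy; the log name is assumed here and the query returns nothing if it is absent.
    param([int]$Hours = 24, [int]$MaxEvents = 200)
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $filter = @{ LogName = $log; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'RestrictedGroups|ConfigureGroupMembership' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$audit = Get-LocalAdminAudit -Expected $ExpectedMembers

'Current members of the local Administrators group:'
$audit.Actual | Format-Table -AutoSize

if ($audit.Missing.Count -gt 0) {
    "Policy members NOT present in the group: $($audit.Missing -join ', ')"
}
if ($audit.Extra.Count -gt 0) {
    'Members present that the policy XML does not list (review these):'
    $audit.Extra | Format-Table -AutoSize
}

'Recent RestrictedGroups-related MDM diagnostic events:'
Get-MdmPolicyEvents | Format-Table -Wrap -AutoSize
```

The `PrincipalSource` column is the useful diagnostic here: a cloud-only user that the policy did add and a synced user that it did not will both be rendered as `AzureAD\user@domain` in the XML, so comparing how the client resolves each one, together with the Error-level events in the diagnostics log around the policy's sync time, narrows down which principal the CSP failed to resolve. Anything listed under `Extra` is a local administrator the policy does not account for and is worth reviewing regardless of the original problem.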
