SOLVED

Azure AD user in Windows 10 - local admin problem

Brass Contributor

Hi

 

We have Office 365 Business Essentials and Premium licenses, we do not have AAD Premium, EMS, Intune licenses.

 

If I login to a new PC using some users (not O365 admin user account) O365 credentials, this user becomes a local admin in that PC.

 

But if I use some other user's O365 credentials (not O365 admin user account) to login to that same PC, this second user that log's in to the same PC is not a local admin.

 

Also, I can't find anywhere on that PC to change this.

 

How do I control which (O365) user account is local admin and which is not?

11 Replies
best response confirmed by Iivo Kerminen (Brass Contributor)
Solution

Hi

 

Like I said, we do not have AAD Premium, EMS, Intune licenses. Those steps require EMS licenses or AAD Premium.

 

I was able to set the secondary login account as admin account. Login using this secondary account, go to Control Panel/User Accounts/User Accounts/Change your account type and use O365 admin account or the first account used to login to PC to go past UAC. This way you can upgrade user account as local admin.

 

Based on this link

https://community.spiceworks.com/topic/1580701-azure-ad-users-given-local-admin-permissions

it is not good idea to downgrade the first (O365)account used to login to PC as standard user. 

Prefer to use O365 admin account or some other O365 account used as local admin account when login the first time to PC and add the actual user account to PC after this. This way normal users do not have local admin permissions and you dont have to downgrade user account permissions.

@Salvatore Biscari

I have add the user as a local admin but no luck. Any ideas?

@Harry Dubois
Sorry but I didnt understand. No luck in what? What are you trying to accomplish?

The first user that signs in on Windows 10 automatically becomes a local admin. Alle users after that will be standard users, unless they are an admin in Office 365. 

 

I believe that without Azure AD Premium licenses, you cannot add extra local admins from the management panels in Office 365.

 

However, when you sign in to a Windows computer as user with Administrator privileges, you can add other users and assign the admin rights on that computer. To do this, go to the settings panel > Accounts > Other People. There you see the other users (or add them) and can change the account type from standard user to administrator. 

Problem is solved. We have added the user as local administrator in the Intune portal. Worked after 24 hours, maybe due to sync from Intune.

Did you set this at AAD -> Devices -> Device Settings -> Additional local administrators...

 

Be aware that this added user account is now local admin in all pc's.

Yes, but not directly. We waited for a day or so and then it worked.

@Harry Dubois 

 

I'm having similar experience with the delay between adding a user in Azure Device Settings (local Admin) and the time it actually reflects on the other end.

According to MS, privilege updates can only work if:

 

- user is signed off

- after 4h when a new Primary Refresh Token is issued.

 

I can definitely tell that it takes way longer than 4h. My test user has currently local admin rights (assigned a few weeks ago) and it works as expected. However, I've removed these privileges approx 15h ago and the users appears to have still admin rights.

 

It is perhaps better practice, but I'm seriously questioning how practical this feature is if it takes so long update?

 

 @Iivo Kerminen 

YOOOO! This article helped me out a lot! I am a one-man show with 30+ employees and we just changed our domain. I had to create another account under the new domain, log out of the user with the old domain, and log in with the user with the new domain but had no local admin access. Just coming across this led me in the right direction. BIG UPS! 

1 best response

Accepted Solutions
best response confirmed by Iivo Kerminen (Brass Contributor)
Solution

Hi

 

Like I said, we do not have AAD Premium, EMS, Intune licenses. Those steps require EMS licenses or AAD Premium.

 

I was able to set the secondary login account as admin account. Login using this secondary account, go to Control Panel/User Accounts/User Accounts/Change your account type and use O365 admin account or the first account used to login to PC to go past UAC. This way you can upgrade user account as local admin.

 

Based on this link

https://community.spiceworks.com/topic/1580701-azure-ad-users-given-local-admin-permissions

it is not good idea to downgrade the first (O365)account used to login to PC as standard user. 

Prefer to use O365 admin account or some other O365 account used as local admin account when login the first time to PC and add the actual user account to PC after this. This way normal users do not have local admin permissions and you dont have to downgrade user account permissions.

View solution in original post