Admin Privilage for All users with Autopilot

Copper Contributor

Hi Guys,

There's a requirement from on of our clients to grant Admin privilege to all users who logs into their devices. I understand this is achievable via Autopilot.

My question is what would be the best solution for the users who has already logged into the devices? How can the requirement can be achieved via Autopilot or any other method? Would appreciate any help.

Cheers!

12 Replies
Can you create a group which contains all users and push them as local admin to the machines? cfr https://www.inthecloud247.com/manage-the-local-administrators-group-with-microsoft-intune-hybrid-ad-...

Or else, you should create a Powershell script which adds the current user

The solution I described on the article your referencing to only does work for Hybrid AAD joined devices.
I haven`t been successful with the same on AAD joined devices. Don`t know what situation you have @sheiksaad ?

It's almost the same of hybrid or AAD => https://www.scconfigmgr.com/2018/08/30/configure-restricted-groups-with-intune-policy-csp/

 

EDIT: Only for individual users

@Thijs Lecomte Yes, with user accounts.
With AAD Groups, it doesn`t work.

I have used the screenshot attached for small size company in the past, not ideal solution because it hits all the devices, but achieves your objective until the support of adding group to Local Admin with Intune.

 

Moe

Hey Thijs!
I had this in my mind at first but the problem is these are Azure AD joined devices.
Hey Peter!
Yes correct, these are Azure AAD joined devices.
The scenario is actually a school with a significant number of students and staff and I don't see adding the individual users as an option.

Plus assume that we add the existing users - the process has to be manual for the existing users too isn't it?

Appreciate your responses so far!
Hey Moe,

I checked this out, thanks for that!

Like I said above the number of users are pretty high to add as an Admin for all the Azure Ad devices. Would love if there was an option to add as a Dynamic Security group here.

@sheiksaad If I read the documentation; https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-restrictedgroups#restricte...
"The member SID can be a user account or a group in AD, Azure AD, or on the local machine."

A group in AAD. But it doesn`t work for me. I opened a support call for this, I want it to work either with a AAD group.

@Peter Klapwijk Hey Peter, Thanks for the link.

 

In that case, do you reckon a Powershell script can used to add - let's a Dynamic Security group where all the students reside in under additional local administrators for Azure Ad joined devices?

 

Appreciate the response.

 

Cheers!

 

 

@sheiksaad seems to work fine on the new Windows 10 2004 release. During my first testing on that OS I thought the results where varying, but didn't realise one of the machines failed the upgrade and was running 1909.

On 2004 version it does work in my environment on multiple devices!

Have a look at this article https://www.inthecloud247.com/add-an-azure-ad-group-to-the-local-administrators-group-with-microsoft...

 

Let me know if it does work in your environment.