May 04 2022 01:33 PM
Hi,
I'm looking for a way to manage local administrators on the Windows Endpoint devices. These devices are currently in a hybrid joined configuration.
We have a handful of users that use VPN and a majority that don't; they consume online services.
The original plan was to use AD groups, one per machine, and then where required assign the user to the group for the target machine. In reality this only works reliably for users who are on site, as the VPN causes issues with the user membership not being updated. The VPN is not running until after login, and obviously users who do not use the VPN will never be able to have the group added.
I have been looking to see if I can use groups in AAD, but I'm not seeing any clear examples except for managing groups of machines.
I have found that it can be done via policy, but I have my doubts about how good it may be to have hundreds of policies for this purpose.
Has anyone else had experience solving this or similar, and can make suggestions?
Thanks
May 09 2022 01:53 AM
Hi @clubbing80s
Did you already look at an always-on VPN based on device authentication?
Another option is setup an autopilot profile and make the user local admin during enrollment.
And you can also create a PowerShell script that makes your user a local admin.
kind regards,
rene
May 10 2022 04:54 PM
May 10 2022 10:11 PM
Hi @clubbing80s ,
I am not a PowerShell expert, but did you already try this method to get the logged-in users? This script will create a firewall rule for Teams for every logged-in user.
Source: https://docs.microsoft.com/en-us/microsoftteams/client-firewall-script
If the code below is working, you can change the script and replace the firewall rule with local admin.
# Enumerate user profile folders, skipping Public and the built-in Administrator profile
$users = Get-ChildItem (Join-Path -Path $env:SystemDrive -ChildPath 'Users') -Exclude 'Public', 'ADMINI~*'
if ($null -ne $users) {
    foreach ($user in $users) {
        # Per-user Teams install location
        $progPath = Join-Path -Path $user.FullName -ChildPath "AppData\Local\Microsoft\Teams\Current\Teams.exe"
        if (Test-Path $progPath) {
            # Only add rules if no firewall rule exists yet for this user's Teams.exe
            if (-not (Get-NetFirewallApplicationFilter -Program $progPath -ErrorAction SilentlyContinue)) {
                $ruleName = "Teams.exe for user $($user.Name)"
                "UDP", "TCP" | ForEach-Object { New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Profile Domain -Program $progPath -Action Allow -Protocol $_ }
                Clear-Variable ruleName
            }
        }
        Clear-Variable progPath
    }
}
Another option is to implement autopilot earlier. This is the easiest method in my opinion.
Kind regards,
rene
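An added example of the PowerShell-script route suggested in both replies above (this is not code from the thread, from Microsoft, or from any of the posters): instead of deriving users from profile folders, it keeps the local Administrators group aligned with a per-device allow-list, reports drift with exit code 1 so it can run as an Intune detection script, and only changes membership when -Enforce is passed. The account names in $DesiredAdmins and the protected RIDs (500 and 512) are assumptions to adapt to your own domain and tenant.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the thread): enforce a per-device local admin allow-list.
  Report-only by default (exit 1 on drift, 0 when compliant); -Enforce applies changes.
  Allow-list entries may be account names (DOMAIN\user, AzureAD\user@tenant) or SIDs.
#>
param(
    [string[]] $DesiredAdmins = @('CONTOSO\alice'),   # placeholder allow-list (assumption)
    [switch]   $Enforce
)

$ErrorActionPreference = 'Stop'
$GroupName = 'Administrators'

function Get-LocalAdminMember {
    # Read membership through ADSI rather than Get-LocalGroupMember, which on Windows
    # PowerShell 5.1 can fail with "Failed to compare two elements" when the group
    # holds Azure AD principals or orphaned SIDs.
    $adsiGroup = [ADSI]"WinNT://./$GroupName,group"
    foreach ($m in $adsiGroup.psbase.Invoke('Members')) {
        $path     = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            # WinNT://CONTOSO/alice  ->  CONTOSO\alice
            Name = ($path -replace '^WinNT://', '') -replace '/', '\'
            SID  = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        }
    }
}

function Test-ProtectedMember {
    # Never remove the built-in Administrator (RID 500) or Domain Admins (RID 512),
    # so a bad allow-list cannot lock administrators out of the device (assumed policy).
    param([string] $Sid)
    return ($Sid -like '*-500') -or ($Sid -like '*-512')
}

$current = @(Get-LocalAdminMember)
$desired = @($DesiredAdmins | ForEach-Object { $_.Trim() })

# Drift in both directions: listed but absent, and present but neither listed nor protected.
$missing = @($desired | Where-Object {
    $entry = $_
    -not ($current | Where-Object { $_.Name -ieq $entry -or $_.SID -eq $entry })
})
$extra = @($current | Where-Object {
    -not (Test-ProtectedMember $_.SID) -and
    ($desired -notcontains $_.Name) -and ($desired -notcontains $_.SID)
})

if (-not $missing -and -not $extra) {
    Write-Output "Compliant: $($current.Name -join ', ')"
    exit 0
}

Write-Output "Missing: $($missing -join ', ')"
Write-Output "Unlisted: $(($extra | ForEach-Object { "$($_.Name) [$($_.SID)]" }) -join ', ')"

if (-not $Enforce) {
    # Report-only mode: the non-zero exit code flags drift to the detection job.
    exit 1
}

foreach ($entry in $missing) {
    Add-LocalGroupMember -Group $GroupName -Member $entry
    Write-Output "Added $entry"
}
foreach ($m in $extra) {
    # Remove by SID so orphaned (deleted) accounts are cleaned up as well.
    Remove-LocalGroupMember -Group $GroupName -Member $m.SID
    Write-Output "Removed $($m.Name)"
}
exit 0
```

Two points matter for the VPN problem raised in the question: adding a domain account by name requires the device to resolve that name against a domain controller, which fails while the user is off the VPN, whereas listing the account's domain SID in the allow-list lets the device add it without that lookup; and because the script runs as SYSTEM from the management agent rather than in the user's logon session, it does not depend on the VPN being up at login the way AD group membership does.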