How do I add users synced from AD to AAD as local administrators on Windows 10 devices with OMA-URI?


Hi,

I am trying to create a custom policy to add users as local admin on devices with the OMA-URI "./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership".

This works fine when I specify Azure user accounts (accounts created in AAD, not synced from local AD). However, when I try to add users synced from AD to the policy it fails and does not add the user to the local admin group on my Windows 10 computer.

Has anyone managed to do this?


The syntax I use is as follows:

<groupmembership>
<accessgroup desc = "Administrators">
<member name = "Administrator" />
<member name = "AzureAD\test.user@iktuninett.onmicrosoft.com"/>
<member name = "AzureAD\test.user2@uninett.no"/>
</accessgroup>
</groupmembership>

Test.user is a cloud only user, while test.user2 is synced from local AD. Test.user gets added to the local admin group just fine, but test.user2 is not added.

1 Reply

@JorgenSundet 
Anything in the event log on the client, DeviceManagement-Enterprise-Diagnostics-Provider?

Your syntax looks ok and as you are saying, it works for cloud only.

If they should be added to all devices, have you tried adding them with "Additional local administrators on Azure AD joined devices" that you find under Device -> Device Settings in Azure AD?

Global admins and the device owner get local admin rights by default.

Another option is via PowerShell - "net localgroup administrators AzureAD\testuser@contoso.com /add > nul 2> nul" | cmd

JT
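To check the two things JT suggests (what actually landed in the local Administrators group, and what the MDM diagnostics log says about the RestrictedGroups policy), here is an added PowerShell diagnostic script that is not part of the original thread. It assumes the two account names from the question, an elevated PowerShell session on the Windows 10 device, and the standard event log name for the DeviceManagement-Enterprise-Diagnostics-Provider channel.

```powershell
# Added example, not from the original thread.
# Run elevated on the enrolled Windows 10 device.

# Accounts the RestrictedGroups policy was expected to add (taken from the question).
$Expected = @(
    'AzureAD\test.user@iktuninett.onmicrosoft.com',   # cloud-only user
    'AzureAD\test.user2@uninett.no'                   # user synced from on-prem AD
)

# 1. Current membership of the local Administrators group.
#    PrincipalSource shows whether a member is Local, ActiveDirectory or AzureAD.
$members = Get-LocalGroupMember -Group 'Administrators'
$members | Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize

foreach ($acct in $Expected) {
    # -contains is case-insensitive for strings in PowerShell.
    $present = $members.Name -contains $acct
    '{0,-50} present: {1}' -f $acct, $present
}

# 2. Recent MDM policy-processing events from the log the reply refers to.
#    Errors here usually say which CSP/node failed and with what HRESULT.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'RestrictedGroups|ConfigureGroupMembership' -or
        $_.LevelDisplayName -eq 'Error'
    } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

If the synced user is missing in step 1, the matching error in step 2 is the place to start; the same filter can be re-run after a manual Intune sync to confirm whether the policy was re-applied.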