Rob_Lam
Brass Contributor
Jul 30, 2024

LAPS Creation using Intune

Hi All

I am trying to get Intune to create a Local Admin Account and I am using the method of adding OMA-URI Settings, but for some reason the account is created but it's not being added to the local Administrators group on the machine.

Under OMA-URI the following setting was added:

./Device/Vendor/MSFT/Accounts/Users/apexadmin/LocalUserGroup

Would anyone know why it's not adding to the local admin group on the machine?

  • ppel123
    Copper Contributor

    Hi, although I would suggest using LAPS (you could check this guide too), you could try to use the following command, as already mentioned, to add the user to local admins.

    Add-LocalGroupMember -Group Administrators -Member apexadmin

    The way to go here is to either use a platform script to just create the local admin, or better, a detection-remediation to check its existence and create it if it does not exist.

    Check the below post to get an idea of how you could utilize it (it doesn't describe exactly what you are trying to achieve but could give you some guidance). If you need any help with the scripts, let me know.

    • micheleariis
      Steel Contributor
      I confirm that LAPS is an excellent feature, now fully integrated and easy to configure on Intune.
  • micheleariis
    Steel Contributor
    Hi, it should be enough to add another configuration like the one below:

    Name: Add user to Local administrator group
    OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/apexadmin/LocalUserGroup
    Data type: Integer
    Value: 2
  • Ankur_B
    Iron Contributor
    Are you creating a Local Admin Account for Entra Joined or Hybrid Entra Joined devices?
    • Rob_Lam
      Brass Contributor
      Entra Join.

      We don't have Active Directory.
  • fbatuns
    Brass Contributor

    Rob_Lam is there a reason for setting up LAPS with OMA-URI Settings? Intune has integrated LAPS configuration in the Endpoint Security menu (Account Protection). We use it with Entra ID joined and Hybrid joined devices; this works very well and was straightforward.

    Just make sure the endpoints are on the latest versions of Windows 10 and 11, because LAPS was not natively integrated in Windows 10/11 before April 2023.

    Also: sometimes I had the issue that I was not able to see the LAPS password in Intune but in the Entra ID device portal, but not sure if that's still the case.

    • Rob_Lam
      Brass Contributor
      Hi

      No, there isn't any reason.
      The reason behind it was that the script didn't work, so I tried OMA-URI settings.
      In both scenarios they create the apexadmin account but do not add it to the local admin group.

      All our machines are running Windows 11 23H2.
      • ppel123
        Copper Contributor

        I find it weird that the user is not being added to the local admin group.
        What I would do is build a troubleshooting mechanism to understand at which point it fails.
        First of all, if you run the script that creates the user and adds it to the local admin group locally on a local machine or on demand on a test machine, does it work?

        If yes, then add some logging to your script:

        Start-Transcript -Path "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\LocalAdminScriptLogs.txt" -Append -ErrorAction Stop
        
        try{
            # your code goes here, with Write-Host calls to record the code flow in the log file
            # add -ErrorAction Stop to each cmdlet so errors are thrown to the catch clause
        }
        catch{
            # write the error to the log file
            Write-Error "An error occurred during detection: $_"
        }
        finally{
            Stop-Transcript
        }

        Then you could collect the logs following this guide.
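
The logging approach suggested in the thread, filled in for the step that fails here (group membership), as an added example that is not part of the thread and not any poster's script. It assumes the account name `apexadmin` and the log path posted above, and that the account has already been created by other means.

```powershell
# Added example, not from the thread. Assumed: account name and log path as posted above.
$UserName = 'apexadmin'
$AdminSid = 'S-1-5-32-544'   # well-known SID of the built-in Administrators group
$LogPath  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\LocalAdminScriptLogs.txt'

Start-Transcript -Path $LogPath -Append -ErrorAction Stop
$exitCode = 0
try {
    # Record the execution context first: the LocalAccounts cmdlets are not
    # available in 32-bit PowerShell on 64-bit Windows.
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Host "Running as $who; 64-bit process: $([Environment]::Is64BitProcess)"

    # Step 1: the account must already exist (this script does not create it).
    $user = Get-LocalUser -Name $UserName -ErrorAction Stop
    Write-Host "Found user '$($user.Name)', enabled: $($user.Enabled)"

    # Step 2: resolve the group by SID so a localized group name does not matter.
    $group = Get-LocalGroup -SID $AdminSid -ErrorAction Stop
    Write-Host "Target group is '$($group.Name)'"

    # Step 3: add the account only if it is not a member yet.
    $member = Get-LocalGroupMember -SID $AdminSid -Member $UserName -ErrorAction SilentlyContinue
    if ($member) {
        Write-Host "'$UserName' is already a member; nothing to do"
    }
    else {
        Add-LocalGroupMember -SID $AdminSid -Member $UserName -ErrorAction Stop
        Write-Host "Added '$UserName' to '$($group.Name)'"
    }

    # Step 4: read the membership back so the log shows the final state.
    $check = Get-LocalGroupMember -SID $AdminSid -Member $UserName -ErrorAction Stop
    Write-Host "Verified: $($check.Name) [$($check.SID)]"
}
catch {
    # Log the failing step and report failure through the exit code.
    Write-Host "FAILED: $($_.Exception.Message) [$($_.FullyQualifiedErrorId)]"
    $exitCode = 1
}
finally {
    Stop-Transcript
}
exit $exitCode
```

The first transcript line shows whether the script ran in a 64-bit host and under which identity, which narrows down a membership step that works locally but fails when deployed.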
