Forum Discussion
josvds
Dec 28, 2021 Brass Contributor
Local administrator privileges not working after adding security group to local admin group
We have a couple of notebooks and added both of them to an Azure tenant. They both belong to a group which has a policy configured to set "RestrictedGroups – ConfigureGroupMembership" (like in ...
josvds
Dec 28, 2021 Brass Contributor
Hi, thanks for your feedback. Answering your questions.
* What happens when you manually sync the device or restart the intune mgt extension on the device itself
I have restarted the device several times, started the sync from Intune and also from the Work / School functionality in Windows itself. Restarting the service on this device is something I couldn't do because I was not an admin. (I didn't do this with my colleague's account either; I could have tried that.)
* nothing in the intune mgt log or normal event logs?
No, I couldn't find anything inside the log. The sync looked to work fine, because the security group was added to the local "Administrators" group. So that worked fine, this also made it possible for my colleague to logon as administrator. But still didn't make me admin.
* Alternatives like dedicated local admin
We thought about this as well, making one specific user local administrator. But we are not in favor of sharing passwords. A role makes a user "Administrator" for all devices joined to this tenant, but because there are multiple organizations and a user should only become "admin" for one organization, we can't use this. A paid option we didn't look into; perhaps that could be an alternative, but we ourselves would like to be able to manage the devices without overkill.
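The post above describes the symptom a practitioner wants to separate into three distinct checks: whether the security group really landed in the local Administrators group, whether the signed-in user's logon token carries that group's SID at all, and whether the current process is elevated. Group SIDs are stamped into the token at sign-in, so a group added to Administrators after the user signed in shows up in the first check but not the second until a fresh token is built. The script below is an added diagnostic example, not code from the thread or from Microsoft; the group name `Contoso Workstation Admins` is a placeholder and should be replaced with the group's display name or its SID as it appears on the device.

```powershell
# Added diagnostic example (not from the original thread).
# Run it in the session of the user who was expected to become an administrator.
# It answers three separate questions:
#   1. Is the security group a member of the local Administrators group?
#   2. Does the current logon token contain that group's SID?
#   3. Is this process actually elevated?

# Assumption: display name (or SID string) of the group the Intune policy added.
$groupName = 'Contoso Workstation Admins'

# 1. Members of local Administrators. On Azure AD joined devices the entries for
#    Azure AD groups show PrincipalSource 'AzureAD' and a SID of the form S-1-12-1-...
$adminMembers = Get-LocalGroupMember -Group 'Administrators'
$adminMembers | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

$groupEntry = $adminMembers | Where-Object {
    $_.Name -like "*$groupName" -or $_.SID.Value -eq $groupName
}
if (-not $groupEntry) {
    Write-Warning "'$groupName' is not a member of local Administrators (policy not applied, or the name differs)."
}

# 2. Group SIDs in the *current* logon token. A UAC-filtered token still lists
#    BUILTIN\Administrators, but as a deny-only SID, so check elevation separately (3).
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

$hasAdminsSid = $tokenSids -contains $adminsSid
$hasGroupSid  = [bool]$groupEntry -and ($tokenSids -contains $groupEntry.SID.Value)

# 3. Is the process running with the full administrator token?
$principal  = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    User                     = $identity.Name
    GroupInLocalAdmins       = [bool]$groupEntry
    GroupSidInLogonToken     = $hasGroupSid
    AdministratorsSidInToken = $hasAdminsSid
    ProcessElevated          = $isElevated
} | Format-List

if ($groupEntry -and -not $hasGroupSid) {
    Write-Host "The group is in Administrators but not in your logon token: a new token is needed (sign out and back in; the thread's workaround was removing the user profile)."
}
```

If `Get-LocalGroupMember` cannot resolve some Azure AD SIDs on the device, `net localgroup Administrators` lists the raw entries as a fallback. The interesting outcome for the problem in this thread is the combination `GroupInLocalAdmins = True` with `GroupSidInLogonToken = False` after a sign-out and sign-in: that means the membership was written to the machine but the user's token is still being built without it.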
Dec 28, 2021
"The sync looked to work fine, because the security group was added to the local "Administrators" group. So that worked fine, this also made it possible for my colleague to logon as administrator. But still didn't make me admin."
It almost sounds like some sticky old security settings? What happens when you change something in that policy after it has run successfully (after removing the profile, logging back in)?
Mmm that sounds pretty much lik
josvds
Dec 29, 2021 Brass Contributor
When I can reproduce it, I will check what will happen then. But for now the fix for us was to remove the user profile. Thanks already for your help.