Local administrator privileges not working after adding security group to local admin group


We have a couple of notebooks and added both of them to an Azure tenant. They both belong to a group which has a policy configured to set "RestrictedGroups – ConfigureGroupMembership" (like in https://www.inthecloud247.com/add-an-azure-ad-group-to-the-local-administrators-group-with-microsoft...).

 

We are experiencing a strange problem, because I have registered one device and a colleague another laptop with his account. I registered my laptop before configuring this policy and he did it after configuring this policy.

 

Now he can log on to both laptops and use "Run as Administrator". But I can only use "Run as Administrator" on his device (I logged on there for the first time after the policy had been set); on my device I am not receiving the "Administrator" role, while my colleague is in the same group and he is "Administrator" on my device.

 

Is there some caching or something we have to refresh/update?

After removing my profile from Windows and logging in again, I did get the administrator privileges. We would still like to know how to fix this without removing the profile, because when promoting an existing user to Admin, we don't want to remove the entire profile.
:) Good afternoon. Normally I am expecting the question reversed... How to make sure my end user doesn't get local admin privileges.

But looking back at your question, it was fixed after removing the user profile (and deleting the registry hive for that user?)

Wouldn't it be better to use the local users and groups option?

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups
Like I am also describing in this blog

https://call4cloud.nl/2021/04/dude-wheres-my-admin/

Also there are better options available to elevate yourself to admin when needed, like I am also mentioning in the blog above.
Thanks Rudy for your feedback. We are working in a big tenant which contains multiple organizations. We manage a couple of organizations within this tenant and would like to set a restricted group of users who can execute local-admin applications.

So we have created a "localadmin" security group in Azure. We have created a profile which uses the settings you wrote in "Restricted Groups" to only allow this group to be able to run local admin functions.

This is working pretty well, but we noticed that after setting this, the user who was already logged on to the system didn't get the access, while new users logging on to the device are getting local admin privileges (when they are part of the group).

After removing my user profile from the device and logging in again, I gained administrator privileges. So it looked to be some caching or something. Because it can happen more often that an employee becomes IT contact and needs local-admin for a group of devices, we don't want to delete his profile to make sure he becomes admin on his local device.

So what could cause this, and is there a way to enforce a refresh of the detection of "local admin" privileges?
Hi

What happens when you manually sync the device or restart the Intune mgt extension on the device itself? Nothing in the Intune mgt log or normal event logs? Did you also try to open the local users and groups to take a look at how the local Administrators group looks?
Normally the policy CSP refresh time is 8 hours. But I am not 100% sure this policy is also "refreshing".

In my experience there are better options... maybe making sure you have a dedicated local admin on each device with LAPS configured. Or take a look at the Azure AD joined device local admin role... Or maybe go for a paid solution like Admin By Request.
Hi.. Thanks for your feedback. Answering your questions.

* What happens when you manually sync the device or restart the Intune mgt extension on the device itself?
I have restarted the device several times, started the sync from Intune and also from the Work / School functionality in Windows itself. Restarting the service on this device is something I couldn't do because I was not an admin. (Didn't do this either with the account of my colleague; this I could have tried.)

* Nothing in the Intune mgt log or normal event logs?
No, I couldn't find anything inside the log. The sync looked to work fine, because the security group was added to the local "Administrators" group. So that worked fine; this also made it possible for my colleague to log on as administrator. But it still didn't make me admin.

* Alternatives like dedicated local admin
We thought about this as well, to make one specific user local administrator. But we are not in favor of sharing passwords. A role makes a user "Administrator" for all devices joined to this tenant. But because there are multiple organizations and a user should only become "admin" for one organization, we can't use this. A paid option we didn't look into; perhaps that could be an alternative, but we ourselves would like to be able to manage the devices without overkill.
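A diagnostic for the situation described in this thread, added here as an example and not taken from the thread or from Intune: it lists who is in the local Administrators group and checks whether the current logon token actually carries those SIDs, so you can see whether the Azure AD group landed on the device (as the sync suggests) but the signed-in session still lacks it. Run it as the affected user in a normal, non-elevated PowerShell window.

```powershell
# Added example (not part of the thread): compare local Administrators membership
# with the group SIDs in the current user's logon token.
# Uses the WinNT ADSI provider, which tolerates unresolvable (Azure AD) SIDs.
$group = [ADSI]"WinNT://./Administrators,group"
$members = foreach ($m in @($group.psbase.Invoke('Members'))) {
    $name  = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    [pscustomobject]@{ Name = $name; SID = $sid }
}

# whoami lists every group SID in the token. In a UAC-filtered (non-elevated)
# session the Administrators entry is marked "Group used for deny only"; that is
# normal and means "Run as administrator" will be able to elevate.
$token = whoami /groups /fo csv | ConvertFrom-Csv

$adminEntry = $token | Where-Object { $_.SID -eq 'S-1-5-32-544' }
if ($adminEntry) {
    "Token carries BUILTIN\Administrators ($($adminEntry.Attributes))"
} else {
    "Token does NOT carry BUILTIN\Administrators: this logon session cannot elevate"
}

# S-1-12-1-* SIDs are Azure AD principals. A member group that is NOT in the
# token, while the user is in that group in Azure AD, is the condition the
# thread describes: token groups are fixed at logon, so an existing session
# cannot be patched in place. (A user added directly, rather than via a group,
# shows InToken = False here because whoami /groups lists only groups.)
foreach ($m in $members) {
    $inToken = [bool]($token | Where-Object { $_.SID -eq $m.SID })
    $kind = if ($m.SID -like 'S-1-12-1-*') { 'AzureAD' } else { 'Local/Other' }
    [pscustomobject]@{ Member = $m.Name; SID = $m.SID; Kind = $kind; InToken = $inToken }
}
```

Comparing the output between the colleague's working session and the affected one shows whether the difference is in the group membership on the device or only in the token of the session that was created before the policy applied.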
"The sync looked to work fine, because the security group was added to the local "Administrators" group. So that worked fine, this also made it possible for my colleague to logon as administrator. But still didn't make me admin."

It almost sounds like some sticking old security settings? What happens when you change something in that policy after it has run successfully (after removing the profile, logging back in)?
Mmm that sounds pretty much lik
When I can reproduce it, I will check what will happen then. But for now the fix for us was to remove the user profile. Thanks already for your help.