Managing Local Administrators on endoints using Intune

Copper Contributor

Hello, I need to frequently add and remove users from Administrators group on specific computers.
I'm creating a policy (under Account Protection) which adds users to this group and I'm assigning this policy to computers using a group which contains this computer.


For some reason it doesn't work constantly, sometimes it adds the users to the group and sometimes nothing happens.

Any ideas? Thanks!

5 Replies
Hi @Acme_Deepcred,

I am a little bit curious about the use case for frequently adding and removing users from the administrators group? :)

However, what do you experience when changing it? Also, what action do you use in your account protection policy?

Hey, thanks for your answer.
The usage is simply giving employees local admin permissions on a computer for a limited time when they need it.

I'm not sure what you mean by 'action', I choose 'Local user group membership' under 'profile' when creating the policy.
Sometimes it works just perfect, and the user is added the local 'Administrators' group and sometimes nothing happens (even after doing a sync)

Have you looked at Endpoint Privilege Management (EPM)?
It could help you with this and would be a lot easier for you as an IT administrator to maintain.
If the device is Entra joined, you can try adding the "Microsoft Entra Joined Device Local Administrator" role to the user. MS updated this role to have expiration date option which is nice so you do not have to remember to remove it. I think this only works if the device is assigned to the same user.
Thanks! Can I use it to grant local admin to a specific user on a specific computer? (I have multiple users working and sharing multiple computers each)