Removing local admin from users and adding "Users" group to "Allow log on locally"
Hello, For security reasons we want to remove local admin rights for our users on their work laptops, I have found a way to do this using LAPS. The issue I am experiencing is that for some reason "Users" is not a working local group and it's not added to "Allow log on locally" by default. I added "Gebruikers" (the local users group in Dutch) to the security baseline which sets groups that are allowed to log on locally, this works but the issue is that this policy applies after the LAPS policy so if users get a new laptop and it gets locked they can't log back in and I have to manually change the Group Policy setting with an admin account. I was thinking maybe a remediation script could solve this if it checks for the right Group Policy and adds the device to a specific group for LAPS but I have no idea where to begin. Any tips would be appreciated! Best regards, Nick
LAPS Creation using Intune
Hi All I am trying to get Intune to create a Local Admin Account and I am using the method of adding OMA-URI Settings but for some reason the account is created but it's not adding to the administrator local group on the machine. Under OMA-URI the following settings was added ./Device/Vendor/MSFT/Accounts/Users/apexadmin/LocalUserGroup Would anyone know its not adding to the local admin group on the machine?
Intunes LAPS
Hello, We are in the process of deploying Intune. For the Windows LAPS part, out of 90 workstations we only have 8 that have integrated it correctly and are visible in Intune and Azure, the others have ID 10024 for some, and ID 10013 with error 0x80070002 for others. It is activated in Entra, the intune profile deleted and recreated just in case, but I can't find the problem. Would you have an idea? Thank you very much.
LAPS Rotate pass on Intune
Hello, can you explain how this possibility works ? "OMA-URI setting to Rotate Local Admin Password Another method for rotating the local admin password is by using the OMA-URI setting “Actions/ResetPassword.” This approach allows you to immediately change the password of the managed local admin account without having to wait for the “Password age days” value to expire, providing." - Where should I insert this line ? - at what time it is triggered ? - can i enable and disable at any time ? I want every hour or every 2 hours the chosen laptop group, should receive the new rotated password. Thanks a lot
