    How to add users to local administrators group on Azure AD joined devices ?

By Eswar Koneti, October 29, 7:32 pm. 5 mins read. Azure Active Directory. 23,153 views.

Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This lets an IT department achieve all of the above with little to no infrastructure to manage, through a process that is easy and simple. For more information about Windows Autopilot, see https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot

I was testing Windows Autopilot in the lab with some specific requirements from a customer. There are many videos and series of guides available on how to get Windows Autopilot working.

When you create an Autopilot profile for OOBE, there is one setting called 'User account type': choose the user's account type (Administrator or Standard user). Administrator allows the user joining the device to be a local administrator by adding them to the local Administrators group; the user is not enabled as the default administrator on the device.

The customer does not want users to be added to the local Administrators group as part of the Windows Autopilot deployment, so I selected Standard.


When the device completes Autopilot, the user signs in to the device successfully.


    Issue:

There is a requirement to provide admin rights to a few users. To meet it, we can either create a separate profile and apply it to a group containing these users, or keep the above profile and add the user to the local Administrators group afterwards.

How do we grant local admin rights to selected users on Azure AD joined devices that were deployed with the user account type set to Standard?

On the Azure AD joined device, if you look at Local Users and Groups > Administrators, you will see the built-in Administrator account and a few more accounts (shown as SIDs) added there.

When you join a device to Azure AD, Azure AD adds the following security principals to the local Administrators group on the device:

• The Azure AD global administrator role
• The Azure AD device administrator role
• The user performing the Azure AD join


Since our Autopilot profile's OOBE user account type setting is configured as Standard, the user account will not be added to the local Administrators group.

We can add a user to the local Administrators group using two methods.

Method 1) Manually, using Settings

On your Windows 10 device, go to Settings -> Accounts -> Other users.

Select Add a work or school user, enter the user's UPN (usually their email address) under User account and select Administrator under Account type.

The following screen is available to the user if they are a local admin.


In our case, the user is not a local admin, so how do we add the user to the local Administrators group?

Following is the screen for non-local-admin users.


With this method, you can add any domain user to the local Administrators group, irrespective of whether their local profile has been created or not.

Method 2) Using the command prompt:

· If you are syncing users from on-prem AD to Azure AD using Azure AD Connect, use: net localgroup administrators /add "eskonr\eswar.koneti"

· If your tenant users are created directly in Azure AD (cloud-only), use: net localgroup administrators /add "AzureAD\UserUpn"

where the prefix (eskonr above, azure in the example further below) is the on-prem domain name

and eswar.koneti is the sAMAccountName.

Open cmd as a Global Administrator (GA), a Device Administrator (DA), or any other user account that has local admin rights.

Type the command as given above.


Check the Administrators group properties to confirm whether the user has been added.


You can ONLY use this method for users whose profile has already been created locally on the device.

I have tried adding another user who had never logged in to the device, but it fails with the following error message:

'There is no such global user or group azure\demo1'

In order to add demo1 to the local Administrators group, the user must sign in to the device at least once.


After the user has signed in, you can add the user to the local Administrators group.


Method 1 works for any user, irrespective of whether their profile has been created or not.

You can also use a PowerShell script or CSPs from Intune to add users to the local Administrators group.
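As an added example (not from the original post), the following PowerShell script wraps Method 2 for use as an Intune script: it accepts either account form the post describes, checks current membership first, surfaces the "no such global user or group" failure for users who have never signed in, and verifies the result afterwards. The domain contoso.com and the fallback parsing of net localgroup output are assumptions, not anything the post specifies.

```powershell
# Added example, not from the original post. Adds one account to the local
# Administrators group on an Azure AD joined device and verifies the result.
# Accepts either form the post uses: 'eskonr\eswar.koneti' for a user synced
# from on-prem AD, or 'AzureAD\user@contoso.com' for a cloud-only user
# (contoso.com is a placeholder). Run elevated, or as SYSTEM via an Intune script.
param(
    [Parameter(Mandatory = $true)]
    [string]$Member
)

function Get-LocalAdminNames {
    # Prefer the LocalAccounts cmdlet; fall back to parsing 'net localgroup'
    # output (members are listed one per line after the dashed rule) if the
    # cmdlet fails, e.g. on groups containing SIDs it cannot resolve.
    try {
        return @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object { $_.Name })
    }
    catch {
        $names = @(); $inList = $false
        foreach ($l in (& net.exe localgroup administrators 2>&1)) {
            $s = "$l".Trim()
            if ($s -match '^-{5,}$') { $inList = $true; continue }
            if ($inList -and $s -and $s -notmatch 'completed successfully') { $names += $s }
        }
        return $names
    }
}

function Test-LocalAdmin([string]$Name) {
    return [bool](Get-LocalAdminNames | Where-Object { $_ -ieq $Name })
}

if (Test-LocalAdmin $Member) {
    Write-Output "$Member is already in Administrators; nothing to do."
    exit 0
}

# 'net localgroup' is the command the post uses; it fails with 'There is no such
# global user or group' when the account has never signed in to this device.
$result = & net.exe localgroup administrators /add "$Member" 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "Could not add $Member : $($result -join ' ') (has the user signed in once?)"
    exit 1
}

if (Test-LocalAdmin $Member) { Write-Output "Added $Member to Administrators." }
else { Write-Error "Add reported success but $Member is not listed in Administrators."; exit 1 }
```

Deployed through Intune, the non-zero exit codes make a failed add (for example a cloud user who has never signed in) visible in the script status instead of silently succeeding.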

    Considerations:

    You cannot assign groups to the device administrator role, only individual users are allowed.

Device administrators are assigned to all Azure AD joined devices; the role can't be scoped to a specific set of devices.

    When you remove users from the device administrator role, they still have the local administrator privilege on a device as long as they are signed in to it. The privilege is revoked during the next sign-in, or after 4 hours when a new primary refresh token is issued.

    Hope you find this article useful.

    Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin


    2 Comments

    1. Joseph Heaton on October 29, 2019 9:07 PM

      Can you not do this through Group Policy, as is done currently with on-prem devices?

      Reply
      • Eswar Koneti on October 29, 2019 9:17 PM

        Hi Joseph,
This post is only for devices that are Azure AD joined, not hybrid or on-prem domain joined devices.
If the device is joined to on-prem, you can use GPO to do it, or many other ways to script it and do it; however, with Azure/Intune, you can use PowerShell scripting or CSPs.

        Thanks,
        Eswar

        Reply
