In this post I will show you how to add user or groups to local admin in Intune. The machine could be a domain joined or without domain.
To manage a Windows device, you need to be a member of the local administrators group. Read this article to know more about managing local administrators on Azure AD joined devices.
Many people assume when you add a user in the first time with Autopilot, user becomes local admin. This happens if you leave the Profile Autopilot settings by default as Administrator.
But if you configure the OOBE profile to Standard, there will be no local admin, even local administrator is disabled. Furthermore there is no option that allows you to change it.
Add User or Groups to Local Admin in Intune
We will now look at the steps to add user or groups to local admin in Intune. First lets create a new text file and rename it add_localadmin.ps1.
You can edit this file either with PowerShell ISE or Notepad++. Paste the following command inside the file
Net localgroup administrators "AzureAD\[email protected]" /add
Replace “AzureAd\xxxx” with email account of your groups or user.
Tip – Don’t use the PowerShell command add-Localgroup because it creates an error, and doesn’t work on remote computer.
After you have made the changes, save your ps1 script. Return to Intune portal. In the portal, create a new script.
Add a Powershell script. Specify script name and add a description.
Import the add_localadmin.ps1 script. Leave the other settings to default.
Select groups that you wish to assign your script. Don’t forget the script will be assigned to computer groups, or by default select all devices. Click Next.
Finally review the settings and click Create.
Take a look at the script and ensure the Assigned value is set to Yes.
After you have applied the script, wait for few minutes or manually trigger the sync.
The script has done the changes. We see the users are now part of local administrator group. Do not forget to logoff and logon to see the results.
