
    Manage Local Users and Groups with Microsoft Intune

    By Peter Klapwijk, October 18, 2020 (updated December 22, 2020)

    With the upcoming release of Windows 10 20H2, we get a new Policy CSP to manage Local Users and Groups with Microsoft Intune: LocalUsersAndGroups.

    With this new setting we can add members to a local group, which was not possible with the old RestrictedGroups policy: that policy always overwrote (replaced) the current group members.
    With the new policy we can choose a group action, Update or Restrict. Restrict replaces the group membership just as the old policy did.

    Here’s an example of the policy definition XML for group configuration:

    <GroupConfiguration>
        <accessgroup desc = "">
            <group action = ""/>
                <add member = ""/>
                <remove member = ""/>
        </accessgroup>
    </GroupConfiguration>

    Explanation from the documentation:

    <accessgroup desc>: Specifies the name or SID of the local group to configure. If you specify a SID, the LookupAccountSid API is used to translate the SID to a valid group name. If you specify a name, the LookupAccountName API is used to look up the group and validate the name. If the name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing.

    <group action>: Specifies the action to take on the local group, which can be Update or Restrict, represented by U and R.

    <add member>: Specifies the SID or name of the member to configure.

    <remove member>: Specifies the SID or name of the member to remove from the specified group.

    As stated in the documentation, starting from this Windows 10 build it is recommended to use the LocalUsersAndGroups policy instead of the RestrictedGroups policy.

    Below I show some examples of how the setting can be used and what the end result is.

    Manage the Administrators group of an AAD joined device

    The setting can be used on Azure AD joined and Hybrid AAD joined devices. For adding or removing Azure AD groups using this policy, we must use the group SID.

    The SID of an Azure AD group can easily be found with the Graph Explorer. Query the group using its Object ID:
    https://graph.microsoft.com/v1.0/groups/ObjectID

    The SID is shown in the output, in the securityIdentifier property.
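The SID of an Azure AD object can also be derived offline from its Object ID, as an added example that is not part of the original post: an S-1-12-1 SID is the object's GUID read as four 32-bit little-endian words, so the result can be cross-checked against the securityIdentifier value Graph returns. The object ID used in the demo is constructed, not a real tenant's group.

```python
import struct
import uuid

# Azure AD users and groups carry a SID of the form S-1-12-1-<a>-<b>-<c>-<d>,
# where a..d are the four 32-bit words of the object ID GUID taken in the
# GUID's little-endian byte order (the same bytes Windows stores the GUID in).
AZURE_AD_SID_PREFIX = ["S", "1", "12", "1"]


def object_id_to_sid(object_id: str) -> str:
    """Derive the S-1-12-1 SID from an Azure AD object ID (GUID)."""
    guid = uuid.UUID(object_id)
    a, b, c, d = struct.unpack("<IIII", guid.bytes_le)
    return f"S-1-12-1-{a}-{b}-{c}-{d}"


def sid_to_object_id(sid: str) -> str:
    """Reverse the derivation: S-1-12-1 SID back to the object ID GUID."""
    parts = sid.split("-")
    if parts[:4] != AZURE_AD_SID_PREFIX or len(parts) != 8:
        raise ValueError("not an Azure AD SID (expected S-1-12-1-a-b-c-d)")
    words = [int(p) for p in parts[4:]]
    return str(uuid.UUID(bytes_le=struct.pack("<IIII", *words)))


if __name__ == "__main__":
    # Constructed object ID for the demo; replace with a real group's Object ID.
    oid = "00000001-0002-0003-0405-060708090a0b"
    sid = object_id_to_sid(oid)
    print(oid, "->", sid)
    print(sid, "->", sid_to_object_id(sid))
```

Paste the resulting SID straight into an add or remove member attribute; if Graph's securityIdentifier for the same Object ID differs, the Object ID you queried is the wrong object.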

    To add or remove an Azure AD user account we can use the username, but it must be prefixed with AzureAD\, for example AzureAD\peter.klapwijk@inthecloud247.com.

    In the example below I use the group action U (Update) to add a user account and a group to the local Administrators group without overwriting the existing members.

    This setting needs to be deployed to our devices using a Custom configuration profile in Microsoft Intune. Let's create one.

    • Sign-in to the Endpoint Manager admin center
    • Browse to Devices – Windows
    • On the Configuration profiles tab click + Create profile
    • Choose Windows 10 and later as Platform
    • Choose Custom as Profile type
    • Click Create
    • Give the configuration profile a Name
    • Enter a Description (optional)
    • Click Next
    • Click Add to add a new Row.

    Enter the information below in the Row; you can choose your own name and optionally enter a description.
    Name: LocalUsersAndGroups – Administrators
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
    Data Type: String
    Value:

    <GroupConfiguration>
    	<accessgroup desc = "Administrators">
    		<group action = "U"/>
    			<add member = "AzureAD\demo.user04@peterklapwijk.com"/>
    			<add member = "S-1-12-1-3293531080-1078674397-111521436-3834162110"/>
    			<remove member = ""/>
    	</accessgroup>
    </GroupConfiguration>
    • Click Save
    • Click Next
    • Finish the creation wizard

    Manage the Administrators group of a Hybrid AAD joined device

    In the example for a Hybrid Azure AD joined device I show how to add a user account and an AD group by using the group name, and I'll remove the local user account ‘Peter’ from the group.

    Create a custom configuration profile as shown in the previous example.

    Add a new Row.

    Name: LocalUsersAndGroups – Administrators
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
    Data Type: String
    Value:

    <GroupConfiguration>
    	<accessgroup desc = "Administrators">
    		<group action = "U"/>
    			<add member = "peterklapwijk\local.user02"/>
    			<add member = "peterklapwijk\AD_Local_AdminsUS"/>
    			<remove member = "Peter"/>
    	</accessgroup>
    </GroupConfiguration>

    Click Save and finish the setup wizard.

    Below is an example in which the action Restrict (replace) is used. As it's not possible to remove the Administrator account from the local Administrators group, that account is also added in the setting. If you don't specify the Administrator account to be added, the profile will fail.

    Add a new Row.

    Name: LocalUsersAndGroups – Administrators
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
    Data Type: String
    Value:

    <GroupConfiguration>
    	<accessgroup desc = "Administrators">
    		<group action = "R"/>
    			<add member = "Administrator"/>
    			<add member = "peterklapwijk\local.user01"/>
    			<add member = "peterklapwijk\AD_Local_AdminsNL"/>
    	</accessgroup>
    </GroupConfiguration>
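Before pasting a payload into the Custom profile it pays to check it against the rules the three examples above rely on. The linter below is an added example, not code from the post or from the CSP: it parses the documented layout (the self-closing group element with its add/remove siblings) and flags an action other than U or R, a Restrict on the Administrators group that leaves out the Administrator account, an Azure AD UPN without the AzureAD\ prefix and a malformed SID; following the comments further down it also suggests the well-known SID S-1-5-32-544 over the localized group name. The sample payload, its example.com UPN and the second group's SID are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Well-known SID of the built-in Administrators group; it resolves on every
# OS language, unlike the localized name "Administrators".
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_group_configuration(xml_text: str) -> list:
    """One dict per <accessgroup>: group, action, add[], remove[].
    Parsed as the CSP documents it: <group action/> is self-closing and the
    <add>/<remove> elements are its siblings inside <accessgroup>."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "GroupConfiguration":
        raise ValueError("root element must be <GroupConfiguration>")
    groups = []
    for ag in root.findall("accessgroup"):
        action = ag.find("group")
        groups.append({
            "group": ag.get("desc", ""),
            "action": action.get("action", "") if action is not None else "",
            "add": [e.get("member", "") for e in ag.findall("add")],
            "remove": [e.get("member", "") for e in ag.findall("remove")],
        })
    return groups


def lint_group_configuration(xml_text: str) -> list:
    """Return 'error:' / 'warn:' findings; an empty list means the payload passes."""
    findings = []
    for cfg in parse_group_configuration(xml_text):
        name = cfg["group"] or "<missing desc>"
        is_admins = cfg["group"].lower() == "administrators" or cfg["group"] == BUILTIN_ADMINISTRATORS_SID
        if cfg["action"] not in ("U", "R"):
            findings.append(f"error: {name}: group action must be U or R, got {cfg['action']!r}")
        if cfg["group"].lower() == "administrators":
            findings.append(f"warn: {name}: use the SID {BUILTIN_ADMINISTRATORS_SID}; the name differs on non-English builds")
        for member in cfg["add"] + cfg["remove"]:
            if "@" in member and not member.startswith("AzureAD\\"):
                findings.append(f"warn: {name}: Azure AD user {member!r} must be written as AzureAD\\<upn>")
            if member.startswith("S-") and not SID_RE.match(member):
                findings.append(f"error: {name}: {member!r} is not a well-formed SID")
        # Restrict replaces the whole membership, and the built-in Administrator
        # (RID 500) cannot be removed from Administrators, so the profile fails
        # unless that account is listed among the members to add.
        if cfg["action"] == "R" and is_admins:
            if not any(m == "Administrator" or m.endswith("-500") for m in cfg["add"]):
                findings.append(f"error: {name}: Restrict must include the Administrator account")
    return findings


# Constructed payload (not from the post): two groups in one profile, the
# Administrators group addressed by SID and a second group by name.
SAMPLE_PAYLOAD = r"""
<GroupConfiguration>
    <accessgroup desc = "S-1-5-32-544">
        <group action = "U"/>
            <add member = "AzureAD\demo.user04@example.com"/>
            <add member = "S-1-12-1-3293531080-1078674397-111521436-3834162110"/>
    </accessgroup>
    <accessgroup desc = "Remote Desktop Users">
        <group action = "R"/>
            <add member = "S-1-12-1-1-196610-117835012-185207048"/>
    </accessgroup>
</GroupConfiguration>
"""

if __name__ == "__main__":
    for line in lint_group_configuration(SAMPLE_PAYLOAD) or ["ok: no findings"]:
        print(line)
```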

    I assume you will be able to create the profile you need with these examples; let's have a look at the end result.

    The end-result

    First we have a look at the Azure AD joined device.

    As you can see, the user account of Demo User04 and the group (SID ending with 2110) are both added to the local Administrators group. The already existing members are still members.
    These existing members are the local Administrator account and the Global Admin and Device Administrator groups, listed by their SIDs.

    Switching to the Hybrid Azure AD joined device, before the profile is applied we see two local user accounts as members of the group.

    After applying the profile, the local user account ‘Peter’ is removed and the user account and group are added.

    In the last example the Restrict (replace) action was used. We see that the previously added user account and group are replaced with the new user and group.

    One remark: as with the RestrictedGroups policy, when working with groups it might take some time (for a sync?) before the assigned rights are in place.

    Thank you for reading, and if you have any questions, leave a comment below.

    26 Comments

    1. sanch on October 20, 2020 17:49

      Hello Peter, thanks for your great article!
      Just want to give you some quick feedback. I tested this in a brand new Hybrid environment. My devices are enrolled and other Intune policies are working correctly.
      Unfortunately for this one I get the status “-2016281112 (Remediation failed)” with the error code 0x87d1fde8 and the group isn’t showing up.
      I tested with the SID of the synced group or with the local version “domain\name of the group”.
      Did everything this morning, still not working after hours and multiple syncs and reboots and patience.

      It’s not a big deal I can manage to add it manually for this customer.

      Here is my string:

      Reply
      • Peter Klapwijk on October 24, 2020 08:34

        Hi Sanch,

        Are you using the correct minimum Windows Build?
        Send me the string in a txt file via mail and I can have a look at it.

        Regards,

        Peter

        Reply
    2. Sander on October 20, 2020 23:02

      any idea which CIM namespace is used? I tried to enumerate but couldn’t find it.
      I’m working on a script which executes this with dynamic content using the Intune endpoint analytics remediations actions

      Reply
    3. Dom on October 24, 2020 04:14

      Thanks for the article, I’ve read it and the new LocalUsersAndGroups documentation closely, but despite its name, there doesn’t seem to be a way to use this policy to actually add a local user?

      Up to now I’ve been using:
      ./Device/Vendor/MSFT/Accounts/Users/Admin/Password
      ./Device/Vendor/MSFT/Accounts/Users/Admin/LocalUserGroup

      Azure Intune does apply the policies successfully, the user is created and applied to Administrators, however it generates an error anyway.

      Reply
      • Peter Klapwijk on October 24, 2020 08:44

        This new policy indeed doesn't allow you to create a new user.
        With the Accounts policy you describe I was never able to resolve the issue even as the user was created successfully.

        Reply
        • Dom on October 25, 2020 23:50

          Thank you! It is always comforting to experience people also following the documentation to the letter and yet MS software is doing something different.

          A separate article came up during my research explaining just how bad it was to add a Static account to all computers with the same password.

          My counter to that article would be: so how do you log into a user’s computer as Administrator when there’s no Internet access?

          I’m sure their response would be ‘so get Internet Access’ but there’s been plenty of incidences, since the release of Win 10, when the network stack is not working for unknown reasons that do not resolve with a restart, and I need to force new drivers or otherwise reset winsock or similar to re-gain network access.

          I think I’ll keep my old fashioned static admin account for now!

          Reply
    4. David Masters on October 26, 2020 04:33

      Hi Peter / Sanch,

      I’m getting exactly the same result as Sanch on a brand new install of 20H2. Did you manage to resolve this?

      Regards
      David

      Reply
      • Peter Klapwijk on October 26, 2020 09:00

        Pretty strange.
        My first testing was just before the release of 20H2 on a preview build. Also set up a fresh 20H2 machine (10.0.19042.572). Works on all my machines, AAD and Hybrid AAD joined devices.
        As responded to Sanch; Send me the string in a txt file via mail and I can have a look at it. Maybe there is a typo or something.

        Regards,

        Peter

        Reply
    5. Marc on November 19, 2020 13:08

      Hi together,
      thank you very much for sharing this article. Our members of the permitted AzureAD groups are local admins now. But unfortunately it doesn’t work for nested groups. Do you also have experience with this? Is there anything we can do?
      Thank you and best regards
      Marc

      Reply
    6. Florian on December 28, 2020 17:24

      Hi Peter,
      I followed the procedure you described, I manage to add a user to the group without any problem, however when I try to delete a user it doesn’t work. I had the same problem with the old tutorial: https://inthecloud247.com/add-an-azure-ad-group-to-the-local-administrators-group-with-microsoft-intune/
      The user I’m trying to delete is a local machine user, idk why it doesn’t work.

      Reply
      • Peter Klapwijk on January 13, 2021 10:45

        Which local user are you trying to remove? You might not be allowed to remove all local admins.

        Reply
    7. Johnny on January 13, 2021 11:49

      Not working here either, just get a Remediation error on 20H2 Windows 10.
      Using: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
      And XML where i try to add the SID of a AzureAD group

      Reply
      • Johnny on January 13, 2021 12:09

        Fixed it, you have to name the accessgroup desc by the actual language in use.

        Reply
        • Peyton Young on August 30, 2021 15:54

          Could you elaborate on the actual language in use?

          Reply
          • Technik Alkoholik on September 8, 2021 14:29

            If your OS is in a different language than English, the ‘Administrators’ group will be named differently. Use the SID S-1-5-32-544 instead.

            Reply
    8. Rob on February 8, 2021 22:26

      How can I remove all local admins like in your other tutorial before 20H2?

      Reply
      • Peter Klapwijk on February 19, 2021 21:02

        You still need to use the other setting for that, as that setting still does work.

        Reply
    9. Jonathan on March 11, 2021 21:48

      Would this work to block the Global Admin group (which is automatically added to administrators group)? We want IT to only login with separate “Workstation admins” which will be member of the Device Administrator Role.

      Reply
    10. Ryan on March 15, 2021 16:50

      I spent ages trying but couldn’t get this to deploy the SID to the local group: “-2016281112 (Remediation failed)”. However, once I changed the OMA-URI to the following it deployed without issue:

      “./Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure”

      Hope this helps anyone having similar issues.

      Windows 10 20H2
      Build: 19042.867

      Reply
    11. teun on March 31, 2021 21:11

      What OMA-URI do i need to use?

      ./Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure

      or

      ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure

      Now I’m using the first one but I’m receiving the following error message:

      0x87d1fde8
      Remediation failed

      Reply
    12. Changhian on April 14, 2021 14:08

      My environment is just standalone Azure AD. I am using this “./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure” and I can deploy out AzureAD user and group using the securityIdentifier property. But on the device, for the group deployment, I am able to see it appearing in Computer Management > Local Users and Groups > Groups > Administrators, but all the members within the group do not have the admin right: when I run command prompt as administrator it still prompts for admin credentials.

      Reply
    13. Michael Jurado on May 11, 2021 19:47

      I have this working in the sense that it is deploying and displaying the SID in the admins group on all my systems with 20H2, however none of the users in the groups are admin, nor can they run as a different user, getting the error that “the user name and password are incorrect”.

      the group i am trying to add is a group with many nested groups within it

      additionally this main groups properties – source: Windows server AD

      When i quickly create a new group within intune the properties = source: cloud
      this group works just fine without issues, however it is not nested

      so:
      Can we use nested groups?
      if so is there an issue with SID from Cloud vs Windows Server AD groups?
      if not then anything else i can try?

      Reply
    14. Peter Rieger on November 3, 2021 14:04

      If you get the status “-2016281112 (Remediation failed)” change the

      to

      This will ignore any language problems

      Reply
    15. Aaron Soares on January 27, 2022 22:17

      Hello all,
      Bringing this one up from the past. So I have been tasked with removing Administrator access from contractors only. Is there a way to remove all user accounts from the administrators group (except the administrator account of course) without explicitly specifying each individual account name? I can see in the example here, the xml snippet reads “remove member = Peter” which removes the account name “Peter” as expected; however, is there a “wild card” of sorts I can add to the xml script to remove all domain user accounts, since I would be potentially deploying this to a group of domain users all having different names? For example “remove member = DOMAIN\*”

      I hope this all makes sense?

      Thanks,
      Aaron

      Reply
      • Goodwin Ziyada on March 16, 2022 10:42

        Was this done? If yes then please share how it was resolved, I am stuck with the same problem.

        Reply
    16. Dirk Walstra on February 28, 2022 21:41

      How can you add to multiple groups? For example add a group to Administrators but also add another domain group to Remote Desktop Users?

      Reply