Today a short blog post about configuring User Rights, such as Allow Local Log on, in an Intune Settings Catalog profile. Using the Settings Catalog and the various settings under User Rights is pretty straightforward as long as you use Administrators or Users. Maybe it is also straightforward for you when using a SID, but I assume it isn't, otherwise you wouldn't be reading this post 🙂
While implementing User Rights settings like Allow Local Log on, we first configured the setting with Administrators and Users, because just adding a SID to the policy didn't allow the users to log on to Windows. This worked fine as long as the device was installed with an English OS. As soon as we applied the profile to, for example, a Dutch device, users could no longer sign in to the Windows machine. The value Users is not translated to Gebruikers (the Dutch word for Users), so the right is granted to a group name that does not exist on that device, and the actual Users group is left without it. Group names are locale-dependent; the well-known SIDs (S-1-5-32-544 for Administrators, S-1-5-32-545 for Users) are not, which is why they are the right thing to put in a policy that targets devices with mixed OS languages.
So we still wanted to use the well-known SIDs instead of the group names Administrators and Users. After adding the SIDs to the profile in all sorts of ways, none of which worked, I decided to open a support case with Microsoft.
After switching between several support engineers and almost filing a DCR on the recommendation of one of them (as they told us a SID wasn't supported), we finally got in touch with another engineer who asked us to use the following value in the profile, as this is also what you would use with a custom OMA-URI / CSP:
<![CDATA[*S-1-5-32-544]]>
And when using two SIDs (in a custom OMA-URI the Policy CSP separates multiple entries with the U+F000 character, which is invisible when rendered here):
<![CDATA[*S-1-5-32-544*S-1-5-32-545]]>
At least that worked on the device, but the reporting in the Intune portal showed an error.
In the end we found out that, in the Settings Catalog, we should just add an asterisk (*) before the SID, with no CDATA around it. That is exactly what we also add in front of the SID when using CDATA with a custom OMA-URI. Unbelievable that I didn't come up with trying this earlier myself!
With an asterisk before the SID the setting is applied fine, as we can see in the registry.
And the setting is reported as Succeeded in the Intune portal.
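To check the result on a device without relying on the registry view alone, the following PowerShell is an added example (not code from the original post). It builds the asterisk-prefixed entries from SIDs or local group names, produces the CDATA form for a custom OMA-URI, and then reads back what the OS actually enforces for Allow Local Log on via `secedit /export`, translating each SID to its local (possibly localized) group name so the language issue described above becomes visible. The `PolicyManager` registry path at the end is an assumption about where the Policy CSP mirrors applied settings; it is not confirmed by the post. The `secedit` export needs an elevated prompt.

```powershell
# Added example (not from the original post). Assumes: Windows PowerShell 5.1 or
# PowerShell 7 on Windows, run elevated for secedit.

function ConvertTo-UserRightsEntry {
    # Accepts SIDs ('S-1-5-32-545') or account names ('Users', 'BUILTIN\Users')
    # and returns '*<SID>' entries, the form the Settings Catalog expects.
    # Names are resolved on THIS machine, so resolve them on the admin
    # workstation and ship only SIDs: 'Users' does not exist on a Dutch OS.
    param([Parameter(Mandatory)][string[]]$Principal)
    foreach ($p in $Principal) {
        $p = $p.TrimStart('*')
        if ($p -match '^S-1-\d+(-\d+)+$') {
            "*$p"
        } else {
            $sid = ([System.Security.Principal.NTAccount]$p).Translate(
                        [System.Security.Principal.SecurityIdentifier])
            "*$($sid.Value)"
        }
    }
}

function ConvertTo-OmaUriCData {
    # Custom OMA-URI form: entries joined with U+F000 and wrapped in CDATA.
    param([Parameter(Mandatory)][string[]]$Entry)
    "<![CDATA[$($Entry -join [string][char]0xF000)]]>"
}

function Get-EffectiveUserRight {
    # Exports the local security policy and parses one [Privilege Rights] line,
    # e.g.  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    # SeInteractiveLogonRight is the constant behind "Allow log on locally".
    param([string]$Right = 'SeInteractiveLogonRight')
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $inf |
                    Where-Object { $_ -match "^$Right\s*=" } |
                    Select-Object -First 1
        if (-not $line) { return @() }
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $raw  = $_.Trim()
            $name = $raw
            if ($raw.StartsWith('*')) {
                # Translation yields the localized name, e.g. BUILTIN\Gebruikers
                # on a Dutch device, which is why the SID is the stable key.
                try {
                    $name = ([System.Security.Principal.SecurityIdentifier]$raw.Substring(1)).Translate(
                                [System.Security.Principal.NTAccount]).Value
                } catch { $name = '<unresolved>' }
            }
            [pscustomobject]@{ Right = $Right; Raw = $raw; Account = $name }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

# Usage: well-known Administrators (544) and Users (545) groups.
$entries = ConvertTo-UserRightsEntry -Principal 'S-1-5-32-544', 'S-1-5-32-545'
$entries                                   # one '*S-1-5-32-...' line per Settings Catalog entry
ConvertTo-OmaUriCData -Entry $entries      # value for a custom OMA-URI profile

Get-EffectiveUserRight -Right 'SeInteractiveLogonRight' | Format-Table -AutoSize

# Assumed location (not confirmed by the post) where the Policy CSP mirrors
# applied UserRights values; absent key just yields nothing.
$key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\UserRights'
Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
    Select-Object -Property AllowLocalLogOn
```

If the `Account` column shows the localized group name next to `*S-1-5-32-545`, the SID-based entry did what the group-name entry could not; an `<unresolved>` entry means the right references a SID that does not exist on that device, which is the failure mode you get from a copied name or a domain SID on a workgroup machine.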
So it is actually pretty easy to configure a SID for the User Rights settings in a Settings Catalog profile, as long as you know you need to add an asterisk before the SID.
I hope this saves you from spending a lot of time getting this configured 🙂
8 Comments
Hi, we want to add the guest account GUEST S-1-5-21–501 for one of the options, how do we add this SID considering it has between it or will it translate it automatically?
it has machine between the SID GUEST S-1-5-21-machine-501
Saved me a headache. Thanks 🙂
What if you want to clear the assignment completely? Any confirmation that providing a blank value doesn’t error out or even works?
Does this now also work for AzureAD group SIDs? I remember it was only working for dedicated AzureAD user objects in custom OMA-URIs
I’ve tested with AAD Group SIDs but no luck 🙁 Microsoft really needs better documentation for this setting, everything always seems to point to their CSP settings which obviously won’t work
How do we enforce Blank values?
I have tried everything for UserRights in Blank values.
Currently the only way to enforce blank values is using full XML config.
https://techcommunity.microsoft.com/t5/microsoft-intune/enforcing-blank-value-in-settings-catalog-local-security/m-p/3844268
Thank You so much!