![\"\"](\"https:\/\/usercontent.one\/wp\/www.smthwentright.com\/wp-content\/uploads\/2022\/07\/intune_errors.png?media=1646692602\")
<\/a>The reason for the policy generating errors or generally not yielding the results people wants has been varying, but one of the most common one\u2019s has to do with the OS language being different on different machines, and to this my colleague came up with a simple and brilliant solution<\/p>\n\n\n\n
So the goal of today is to create a policy that removes any user from the local administrator group that works on all devices without generating any errors (in as few steps as possible), and to do this we\u2019re going to do this without scripts only using Intune profiles<\/p>\n\n\n\n
What we need<\/h4>\n\n\n\n- An Azure AD joined device
- To view the contents of the local administrator group<\/li><\/ul><\/li>
- 2 Intune Profiles
- 1 profile that dictates the contents of the local administrator group<\/li>
- 1 profile that renames the local administrator account<\/li><\/ul><\/li><\/ul>\n\n\n\n
Thats it! Only a few steps to get this to work<\/p>\n\n\n\n
Azure AD joined device<\/h4>\n\n\n\n
Okey, to start this off we\u2019re gonna take a look at the contents of the local administrators group on an Azure AD joined device. You can access the local administrators group with the shortcut lusrmgr.msc<\/strong><\/p>\n\n\n\nMake sure you have local administrative access to the device<\/p>\n\n\n\n
- Hit the Windows Button and search for lusrmgr.msc<\/strong>, right click Run as administrator<\/strong><\/li>
- Open Groups<\/strong><\/li>
- Open Administrators <\/strong>group (Different name in depending on OS language)<\/li><\/ol>\n\n\n\n
When we open the group its gonna look like this:<\/p>\n\n\n\n![\"\"](\"https:\/\/usercontent.one\/wp\/www.smthwentright.com\/wp-content\/uploads\/2022\/07\/Local-Admin-Group.png?media=1646692602\")
<\/a>Contents of the local administrators group<\/figcaption><\/figure>\n\n\n\nThere\u2019s going to be the local administrators account, the User Account that is current local administrator and 2 long SID\u2019s<\/p>\n\n\n\n
First off, the local administrator account needs to be there, we cannot remove it from the Administrators group but as this is an Intune \/ Azure AD joined device its disabled by default and has no password<\/p>\n\n\n\n
Then we have the User Account that has enrolled the device, which if its not an Autopilot device will automatically become local administrator<\/p>\n\n\n\n
Then we have the 2 longs SID\u2019s that will be on all Azure AD joined devices per default,<\/p>\n\n\n\n
One of them is the Azure AD Role group for \u201cGlobal Administrator\u201d and the other one is the Azure AD Role group for \u201cLocal device administrators\u201d. So if we want Global administrators and the group for Local device administrators to continue to work, we need to keep them in the local administrators group<\/p>\n\n\n\n
We can view the users in the local device administrators role group in Azure AD<\/p>\n\n\n\n
- Open Azure AD<\/strong><\/li>
- Navigate to the Devices <\/strong>blade<\/li>
- Navigate to Device settings<\/strong><\/li>
- Click on Manage Additional local administrators on all Azure AD joined devices<\/strong> at the bottom of the page<\/li><\/ol>\n\n\n\n
![\"\"](\"https:\/\/usercontent.one\/wp\/www.smthwentright.com\/wp-content\/uploads\/2022\/07\/Manage-additional-local-administrators-1-1024x624.png?media=1646692602\")
<\/a>How to view the role for local administrators<\/figcaption><\/figure>\n\n\n\nDepending of if you used this Group up until now or not this maybe empty or populated with the correct administrators for your devices<\/p>\n\n\n\n
So if we wanna keep both of these groups as local administrators we can just copy them from our Azure AD joined device. But to find out which is which we will need to resort to our lord and savior; PowerShell<\/p>\n\n\n\n
Before we open PowerShell make sure to add at least one User to the Additional local administrators on all Azure AD joined devices<\/strong> page, if not it won\u2019t show up<\/p>\n\n\n\n- Open PowerShell<\/li>
- Make sure you have the Module AzureAD installed
- If you need to install the PowerShell module make sure PowerShell is started as Administrator<\/li>
- Type Install-Module AzureAD<\/strong><\/li>
- Accept the install<\/li><\/ol><\/li>
- Type Connect-AzureAD<\/strong><\/li>
- Sign in with an account with privilege\u2019s to read the AzureAD Directory<\/li>
- Type Get-AzureADDirectoryRole<\/strong> (More information on the command and on the module can be found on the Microsoft Docs<\/a>)<\/li><\/ol>\n\n\n\n
![\"\"](\"https:\/\/usercontent.one\/wp\/www.smthwentright.com\/wp-content\/uploads\/2022\/07\/Get-AzureADRoles.png?media=1646692602\")
<\/a>Azure AD Roles with Objective ID column returned<\/figcaption><\/figure>\n\n\n\nNow we\u2019re going to convert those object ID\u2019s to SID\u2019s using a awesome function that Oliver Kieselbach<\/a> made a while back.<\/p>\n\n\n\nAutomation Account Script<\/p>\n\n\n\n
- To view the contents of the local administrator group<\/li><\/ul><\/li>
- 2 Intune Profiles
- 1 profile that dictates the contents of the local administrator group<\/li>
- 1 profile that renames the local administrator account<\/li><\/ul><\/li><\/ul>\n\n\n\n
Thats it! Only a few steps to get this to work<\/p>\n\n\n\n
Azure AD joined device<\/h4>\n\n\n\n
Okey, to start this off we\u2019re gonna take a look at the contents of the local administrators group on an Azure AD joined device. You can access the local administrators group with the shortcut lusrmgr.msc<\/strong><\/p>\n\n\n\n
Make sure you have local administrative access to the device<\/p>\n\n\n\n
- Hit the Windows Button and search for lusrmgr.msc<\/strong>, right click Run as administrator<\/strong><\/li>
- Open Groups<\/strong><\/li>
- Open Administrators <\/strong>group (Different name in depending on OS language)<\/li><\/ol>\n\n\n\n
When we open the group its gonna look like this:<\/p>\n\n\n\n
<\/a>Contents of the local administrators group<\/figcaption><\/figure>\n\n\n\n There\u2019s going to be the local administrators account, the User Account that is current local administrator and 2 long SID\u2019s<\/p>\n\n\n\n
First off, the local administrator account needs to be there, we cannot remove it from the Administrators group but as this is an Intune \/ Azure AD joined device its disabled by default and has no password<\/p>\n\n\n\n
Then we have the User Account that has enrolled the device, which if its not an Autopilot device will automatically become local administrator<\/p>\n\n\n\n
Then we have the 2 longs SID\u2019s that will be on all Azure AD joined devices per default,<\/p>\n\n\n\n
One of them is the Azure AD Role group for \u201cGlobal Administrator\u201d and the other one is the Azure AD Role group for \u201cLocal device administrators\u201d. So if we want Global administrators and the group for Local device administrators to continue to work, we need to keep them in the local administrators group<\/p>\n\n\n\n
We can view the users in the local device administrators role group in Azure AD<\/p>\n\n\n\n
- Open Azure AD<\/strong><\/li>
- Navigate to the Devices <\/strong>blade<\/li>
- Navigate to Device settings<\/strong><\/li>
- Click on Manage Additional local administrators on all Azure AD joined devices<\/strong> at the bottom of the page<\/li><\/ol>\n\n\n\n
<\/a>How to view the role for local administrators<\/figcaption><\/figure>\n\n\n\n Depending of if you used this Group up until now or not this maybe empty or populated with the correct administrators for your devices<\/p>\n\n\n\n
So if we wanna keep both of these groups as local administrators we can just copy them from our Azure AD joined device. But to find out which is which we will need to resort to our lord and savior; PowerShell<\/p>\n\n\n\n
Before we open PowerShell make sure to add at least one User to the Additional local administrators on all Azure AD joined devices<\/strong> page, if not it won\u2019t show up<\/p>\n\n\n\n
- Open PowerShell<\/li>
- Make sure you have the Module AzureAD installed
- If you need to install the PowerShell module make sure PowerShell is started as Administrator<\/li>
- Type Install-Module AzureAD<\/strong><\/li>
- Accept the install<\/li><\/ol><\/li>
- Type Connect-AzureAD<\/strong><\/li>
- Sign in with an account with privilege\u2019s to read the AzureAD Directory<\/li>
- Type Get-AzureADDirectoryRole<\/strong> (More information on the command and on the module can be found on the Microsoft Docs<\/a>)<\/li><\/ol>\n\n\n\n
<\/a>Azure AD Roles with Objective ID column returned<\/figcaption><\/figure>\n\n\n\n Now we\u2019re going to convert those object ID\u2019s to SID\u2019s using a awesome function that Oliver Kieselbach<\/a> made a while back.<\/p>\n\n\n\n
Automation Account Script<\/p>\n\n\n\n
- Navigate to the Devices <\/strong>blade<\/li>
- Open Groups<\/strong><\/li>
- Hit the Windows Button and search for lusrmgr.msc<\/strong>, right click Run as administrator<\/strong><\/li>