Remove local administrators using Intune

Removing local administrators in an on-premises domain is a fairly easy task, and you have several ways of achieving this goal. But what if you only use Azure AD and don't have an on-premises AD, or your clients are all cloud-only in a hybrid environment?

We had a scenario where we needed to remove users' administrator rights on their local computers, i.e. remove all users from the local Administrators group. We added an Azure AD account that would serve as the local administrator account. You find this setting under Azure Active Directory -> Devices -> Device Settings -> Additional local administrators on Azure AD joined devices. This only requires Azure AD Premium, not any Intune licenses.

So off we went and started to create the custom Windows 10 configuration profile needed to complete the task.

Name: Whatever you want to call it
Description: Remove all accounts…
Platform: Windows 10 and later
Profile type: Custom

OMA-URI Settings
Name: RestrictedGroup (can be anything)
Description: Restrict users…
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
Data Type: String
Value:

You can use SIDs, as below. This works from Windows 10 2004 onwards.
This sidesteps all language-specific group names, as the SID is unique and the same on every installation.

You can find more information regarding the RestrictGroup setting here

After we created the policy it didn't seem to work: no users were removed from the local computers' Administrators group. After some troubleshooting, it turned out that you need to include the local administrator user account in the string value.

Another thing we discovered was that you need to use the regional-language name of the group so that the restriction is set correctly (prior to Windows 10 2004). If your computer is installed with Spanish or Norwegian, the Administrators group is named differently. From version 2004 you can use the SID in the accessgroup desc attribute (example above). This makes it a lot easier to use, as you can have one policy for all computers regardless of installed language.
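Added example of what the SID-based Value string looks like (this is not the value from the original post; the Azure AD account name is a placeholder, and the built-in account is referenced by name because its SID is machine-specific):

```xml
<groupmembership>
  <!-- The group is addressed by its well-known SID (S-1-5-32-544 = BUILTIN\Administrators),
       so the same string works on English, Spanish or Norwegian installs (Windows 10 2004+).
       RestrictedGroups replaces the membership: any current member not listed here is removed. -->
  <accessgroup desc="S-1-5-32-544">
    <!-- Keep the built-in local Administrator account; the post found the policy did not
         apply until it was listed. Its SID (S-1-5-21-...-500) differs per machine, so the
         account is given by name here (assumption: English account name). -->
    <member name="Administrator"/>
    <!-- Placeholder for the Azure AD account chosen as the local administrator. Replace with
         the real UPN (AzureAD\user@yourtenant) or, on 2004+, the account's Azure AD SID. -->
    <member name="AzureAD\localadmin@contoso.example"/>
  </accessgroup>
</groupmembership>
```

The XML comments are for explanation only; paste just the elements into the OMA-URI Value field, and verify on a client afterwards with `Get-LocalGroupMember -SID S-1-5-32-544` that only the listed accounts remain.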

You can find the different SID’s for account and groups here: https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
