Manage Local Users and Groups with Microsoft Intune

With the upcoming release of Windows 10 20H2, we get a new Policy CSP to manage Local Users and Groups with Microsoft Intune: LocalUsersAndGroups.

With this new setting we are able to add members to a local group, which was not possible with the old RestrictedGroups policy: that policy always overwrote (replaced) the current group members.
With the new policy we can define a group action, Update or Restrict. Restrict replaces the group membership, as the old policy did; Update adds or removes the listed members and leaves the rest in place.

Here’s an example of the policy definition XML for group configuration:

<GroupConfiguration>
    <accessgroup desc = "">
        <group action = ""/>
        <add member = ""/>
        <remove member = ""/>
    </accessgroup>
</GroupConfiguration>

Explanation from the documentation:

<accessgroup desc>: Specifies the name or SID of the local group to configure. If you specify a SID, the LookupAccountSid API is used to translate the SID to a valid group name. If you specify a name, the LookupAccountName API is used to look up the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing.

<group action>: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R.

<add member>: Specifies the SID or name of the member to configure.

<remove member>: Specifies the SID or name of the member to remove from the specified group.

As stated in the documentation, starting from this Windows 10 build it is recommended to use the LocalUsersAndGroups policy instead of the RestrictedGroups policy.

Below I will show some examples of how the setting can be used and what the end result is.

Manage the Administrators group of an AAD joined device

The setting can be used on Azure AD joined and Hybrid AAD joined devices. For adding or removing Azure AD groups using this policy, we must use the group SID.

The SID of an Azure AD group can be easily found using the Graph Explorer. Query the group using the Object ID of the group:
https://graph.microsoft.com/v1.0/groups/<Object ID>

And it will show you the SID in the output.
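Added example, not from the article: Windows derives an Azure AD object's S-1-12-1 SID from the object's Object ID (the 16 GUID bytes read as four little-endian unsigned 32-bit values), so the SID can also be computed locally, and a SID already present in a payload can be converted back to the Object ID to check which group it refers to. The function names are mine; the round trip uses the group SID from the first payload below.

```powershell
function ConvertTo-AzureAdSid {
    # Windows derives an Azure AD object's SID from its Object ID: the fixed prefix
    # S-1-12-1 followed by the 16 GUID bytes read as four little-endian UInt32 values.
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $subAuthorities = foreach ($offset in 0, 4, 8, 12) {
        [System.BitConverter]::ToUInt32($bytes, $offset)
    }
    return 'S-1-12-1-' + ($subAuthorities -join '-')
}

function ConvertFrom-AzureAdSid {
    # Reverse mapping: each of the four sub-authorities becomes four little-endian bytes.
    param([Parameter(Mandatory)][string]$Sid)
    if (-not ($Sid -match '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$')) {
        throw "Not an Azure AD (S-1-12-1) SID: $Sid"
    }
    $bytes = foreach ($i in 1..4) { [System.BitConverter]::GetBytes([uint32]$Matches[$i]) }
    return [guid]::new([byte[]]$bytes)
}

# Round trip with the group SID from the article's first payload: the Object ID it
# yields is the one to query in Graph Explorer, and converting it back must give the same SID.
$sid      = 'S-1-12-1-3293531080-1078674397-111521436-3834162110'
$objectId = ConvertFrom-AzureAdSid -Sid $sid
"Object ID : $objectId"
"SID       : $(ConvertTo-AzureAdSid -ObjectId $objectId)"
if ((ConvertTo-AzureAdSid -ObjectId $objectId) -ne $sid) { throw 'Round trip failed' }
```

Compare the computed SID with the value Graph Explorer returns for the same group before pasting it into a payload; a typo in a SID makes the policy silently skip that member rather than fail.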

To remove or add an Azure AD user account we can use the username, but we need to put AzureAD\ before it, for example AzureAD\peter.klapwijk@inthecloud247.com.

In the example below I use the group action U (update) to add a user account and a group to the local Administrators group without overwriting the existing members.

This setting needs to be deployed to our devices using a Custom configuration profile with Microsoft Intune. Let's create one.

  • Choose Windows 10 and later as Platform
  • Choose Custom as Profile type
  • Click Create
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Click Next
  • Click Add to add a new Row.

Enter the information below in the Row; you can choose your own name and optionally enter a description.
Name: LocalUsersAndGroups – Administrators
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
Data Type: String
Value:

<GroupConfiguration>
    <accessgroup desc = "Administrators">
        <group action = "U"/>
        <add member = "AzureAD\demo.user04@peterklapwijk.com"/>
        <add member = "S-1-12-1-3293531080-1078674397-111521436-3834162110"/>
        <remove member = ""/>
    </accessgroup>
</GroupConfiguration>
  • Click Save
  • Click Next
  • Finish the creation wizard

Manage the Administrators group of a Hybrid AAD joined device

In the example for a Hybrid Azure AD joined device I show how to add a user account and an AD group by using the group name, and I'll remove the local user account 'Peter' from the group.

Create a custom configuration profile as shown in the previous example.

Add a new Row.

Name: LocalUsersAndGroups – Administrators
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
Data Type: String
Value:

<GroupConfiguration>
    <accessgroup desc = "Administrators">
        <group action = "U"/>
        <add member = "peterklapwijk\local.user02"/>
        <add member = "peterklapwijk\AD_Local_AdminsUS"/>
        <remove member = "Peter"/>
    </accessgroup>
</GroupConfiguration>

Click Save and finish the setup wizard.

Below is an example in which the action Restrict (replace) is used. As it's not possible to remove the Administrator account from the local Administrators group, that account is also added in the setting. If you don't specify the Administrator account to be added, the profile will fail.

Add a new Row.

Name: LocalUsersAndGroups – Administrators
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
Data Type: String
Value:

<GroupConfiguration>
    <accessgroup desc = "Administrators">
        <group action = "R"/>
        <add member = "Administrator"/>
        <add member = "peterklapwijk\local.user01"/>
        <add member = "peterklapwijk\AD_Local_AdminsNL"/>
    </accessgroup>
</GroupConfiguration>

I assume you will be able to create the profile for your needs with these examples; let's have a look at the end result.

The end-result

First we have a look at the Azure AD joined device.

As you can see, the user account of Demo User04 and the group (SID ending in 2110) are both added to the local Administrators group. The already existing members are still members.
These existing members are the local Administrator account and the Global Admin and Device Administrator groups, listed by their SIDs.

Switching to the Hybrid Azure AD joined device, before the profile is applied we see two local user accounts as members of the group.

After applying the profile, the local user account ‘Peter’ is removed and the user account and group are added.

In the last example I used the Restrict (replace) action. We see the previously added user account and group are replaced with the new user and group.

One remark: as with the RestrictedGroups policy, when working with groups it might take some time (to sync?) before the assigned rights are in place.
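Added example, not from the article: instead of eyeballing the Administrators group after the sync, the deployed payload can be parsed on the device and compared with the real membership, which also flags a Restrict payload that omits the Administrator account (the failure described above). The script and its function names are mine; it assumes Windows PowerShell 5.1 with the built-in LocalAccounts module (Get-LocalGroupMember) on the enrolled device.

```powershell
# Resolve a payload entry against Get-LocalGroupMember output, which carries Name
# (AzureAD\user, DOMAIN\user, HOST\user) and SID: match by SID, full name, or local name.
function Find-PolicyMember($Members, $Name) {
    $Members | Where-Object {
        $_.SID.Value -eq $Name -or $_.Name -eq $Name -or ($_.Name -split '\\')[-1] -eq $Name }
}

function Test-LocalGroupPolicyResult {
    # Parse a LocalUsersAndGroups payload and compare it with the device's actual
    # local group membership. Run on the enrolled device after an Intune sync.
    param([Parameter(Mandatory)][string]$PolicyXml)
    [xml]$doc = $PolicyXml
    foreach ($cfg in @($doc.GroupConfiguration.accessgroup)) {
        $groupName = $cfg.desc
        $action    = $cfg.group.action       # 'U' = update, 'R' = restrict (replace)
        $toAdd     = @($cfg.add    | ForEach-Object { $_.member } | Where-Object { $_ })
        $toRemove  = @($cfg.remove | ForEach-Object { $_.member } | Where-Object { $_ })
        # Restrict replaces the membership, but the built-in Administrator cannot be
        # removed from Administrators, so a Restrict payload that omits it fails.
        if ($action -eq 'R' -and $groupName -eq 'Administrators' -and 'Administrator' -notin $toAdd) {
            Write-Warning "Restrict payload for '$groupName' omits 'Administrator'; the profile will fail."
        }
        $current = @(Get-LocalGroupMember -Group $groupName)
        foreach ($m in $toAdd) {
            $actual = if (Find-PolicyMember $current $m) { 'present' } else { 'MISSING' }
            [pscustomobject]@{ Group = $groupName; Member = $m; Expected = 'present'; Actual = $actual }
        }
        foreach ($m in $toRemove) {
            $actual = if (Find-PolicyMember $current $m) { 'STILL PRESENT' } else { 'absent' }
            [pscustomobject]@{ Group = $groupName; Member = $m; Expected = 'absent'; Actual = $actual }
        }
        if ($action -eq 'R') {
            # Under Restrict, any current member the payload does not add should be gone.
            foreach ($c in $current) {
                if (-not ($toAdd | Where-Object { Find-PolicyMember $c $_ })) {
                    [pscustomobject]@{ Group = $groupName; Member = $c.Name; Expected = 'absent'; Actual = 'EXTRA' }
                }
            }
        }
    }
}

# Check the article's Hybrid AAD joined (Update) payload against this device.
Test-LocalGroupPolicyResult -PolicyXml @'
<GroupConfiguration><accessgroup desc="Administrators"><group action="U"/>
  <add member="peterklapwijk\local.user02"/><add member="peterklapwijk\AD_Local_AdminsUS"/>
  <remove member="Peter"/></accessgroup></GroupConfiguration>
'@ | Format-Table -AutoSize
```

Because group-based rights can lag behind the sync, a MISSING row for a group member right after enrollment is worth re-checking later before treating it as a failed policy.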

Thank you for reading, and if you have any questions, leave a comment below.

7 Comments

  1. Hello Peter, thanks for your great article!
    Just want to give you some quick feedback. I tested this in a brand new Hybrid environment. My devices are enrolled and other Intune policies are working correctly.
    Unfortunately for this one I get the status "-2016281112 (Remediation failed)" with the error code 0x87d1fde8 and the group isn't showing up.
    I tested with the SID of the synced group or with the local version "domain\name of the group".
    Did everything this morning, still not working after hours and multiple syncs and reboots and patience.

    It’s not a big deal I can manage to add it manually for this customer.

    Here is my string:

  2. Any idea which CIM namespace is used? I tried to enumerate but couldn't find it.
    I'm working on a script which executes this with dynamic content using the Intune endpoint analytics remediation actions.

  3. Thanks for the article, I've read it and the new LocalUsersAndGroups documentation closely, but despite its name, it doesn't seem possible to use this policy to actually add a local user?

    Up to now I've been using:
    ./Device/Vendor/MSFT/Accounts/Users/Admin/Password
    ./Device/Vendor/MSFT/Accounts/Users/Admin/LocalUserGroup

    Azure Intune does apply the policies successfully, the user is created and applied to Administrators, however it generates an error anyway.

    • This new policy indeed doesn't allow you to create a new user.
      With the Accounts policy you describe I was never able to resolve the issue even as the user was created successfully.

      • Thank you! It is always comforting to experience people also following the documentation to the letter and yet MS software is doing something different.

        A separate article came up during my research explaining just how bad it was to add a Static account to all computers with the same password.

        My counter to that article would be: so how do you log into a user's computer as Administrator when there's no Internet access?

        I'm sure their response would be 'so get Internet access', but there have been plenty of incidents, since the release of Win 10, when the network stack is not working for unknown reasons that do not resolve with a restart, and I need to force new drivers or otherwise reset winsock or similar to regain network access.

        I think I’ll keep my old fashioned static admin account for now!

  4. Hi Peter / Sanch,

    I'm getting exactly the same result as Sanch on a brand new install of 20H2. Did you manage to resolve this?

    Regards
    David