Manage the local administrators group with Microsoft Intune – Azure AD joined Windows 10 devices

This is the fourth blog post about managing local users and local rights on Windows 10 devices with Microsoft Intune. In this blog post I show how we can manage the local administrators group on a Azure Azure AD joined Windows 10 device.
The configuration is almost equal to how we manage the local administrators group on a Hybrid Azure AD (AAD) joined Windows 10 device. The difference is found in the already present members of the local Administrators group, on AAD joined devices, the Global Administrator and Device Administrator (roles) are the default members of the local Administrator group.

So these roles could also be used to provide local administrator rights on the AAD joined devices. But the rights of the Global admin role could be a little too much for this. And these rights are provided to all AAD joined devices, where it might be required to limit the number of devices where an (admin) user is administrator. You might want to provide to local IT of a country administrator rights only to the devices of that country.

Like in the previous posts we need to use a Configuration Service Provider (CSP) policy and a Custom configuration profile to get the job done. And as with managing the Hybrid AAD joined devices, we need to use the RestrictedGroups CSP.

All information for this CSP policy is found on Microsoft docs here.

Some notes to take into account; this policy overwrites the default members of the Administrators group. By default the Global Administrator and Device Administrator (roles) are member of the local Administrators group. If you only want to add a group to the Administrators group and not want to remove the default groups, don`t forget to add the Global Administrator and Device Administrator to your policy. And add the local Administrator account to the policy, otherwise it fails.
As these roles are added to the local Administrator group by SID, take note of these before you overwrite these.

Configure the Custom Configuration profile

  • Choose Windows 10 and later as Platform
  • Choose Custom as Profile type
  • Click Create
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Click the Settings tab
  • Click Add

In the value field we set which group membership we like to manage and define the group members.
<accessgroup desc> contains the local group SID or group name.
<member name> contains the group members to add to the local group.

In the example, I add the default members of the group to the policy; the local Administrator account, the Global Administrator and Device Administrator (with the SID). And I add one extra AAD user account in the form of AzureAD\UPN.

Enter below information to the Row;
Name: RestrictedGroups – ConfigureGroupMembership
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
Data Type:

<accessgroup desc = "Administrators">
<member name = "Administrator" />
<member name = "S-1-12-1-2934938113-1096209395-2588194479-178906382" />
<member name = "S-1-12-1-766653809-1274192161-2093628596-1982031183" />
<member name = "AzureAD\" />

Click OK (twice) and click Create.

Assign the profile to a security group and your ready for testing.

The end result

The end result is the default members are still member of the local Administrators group. The extra Azure AD account is added to the local Administrators group.

That`s is for this post. Thank you for reading!

If you`d like to know how an Azure AD group can be added to the local administrators group, read this follow-up post.


  1. thank You for the file, i would like to ask you something about this:
    where it says “Assign the profile to a security group and you’re ready for testing.“, do I add “Device” security group or user group to that profile?

  2. How do I write the value for value box to indent lines like “member name” as shown in the screenshot?

  3. I tried this, and i am getting a ‘Remediation failed’ error when i assign to my Windows 10 device. End result is that user still does not have admin rights. I am running version 1903… what version is this compatible with? I see that the follow-up article (group assignment) is only version 2004..

  4. I did post in Manage the local administrators group with Microsoft Intune – Hybrid AAD joined Windows 10 devices.This CSP Policy is OS language dependent.
    It works fine with english operative system.
    I´ve been 3 days working on it and it did only worked when I used the spanish name of administrators group and local administrator user
    Administradores and Administrador.
    404 event id

Leave a Reply

Your email address will not be published.