
Tips and tricks to add user on local admin group on multiple computers



To manage a Windows device, you need to be a member of the local administrators group. As part of the Azure Active Directory (Azure AD) join process, Azure AD updates the membership of this group on a device. You can customize the membership update to satisfy your business requirements. A membership update is, for example, helpful if you want to enable your helpdesk staff to do tasks requiring administrator rights on a device.




Add user on local admin group on bulk machines



This article explains how the local administrators membership update works and how you can customize it during an Azure AD Join. The content of this article doesn't apply to hybrid Azure AD joined devices.


By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users that have been only assigned the device administrator role to manage a device.


The above actions are not applicable to users who have not signed in to the relevant device previously. In this case, the administrator privileges are applied immediately after their first sign-in to the device.


Starting with Windows 10 version 20H2, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the Local Users and Groups MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you the granularity to configure distinct administrators for different groups of devices.


Azure AD groups deployed to a device with this policy don't apply to remote desktop connections. To control remote desktop permissions for Azure AD joined devices, you need to add the individual user's SID to the appropriate group.


Windows sign-in with Azure AD supports evaluation of up to 20 groups for administrator rights. We recommend having no more than 20 Azure AD groups on each device to ensure that administrator rights are correctly assigned. This limitation also applies to nested groups.


By default, Azure AD adds the user performing the Azure AD join to the administrator group on the device. If you want to prevent regular users from becoming local administrators, you have the following options:


In addition to using the Azure AD join process, you can also manually elevate a regular user to become a local administrator on one specific device. This step requires you to already be a member of the local administrators group.


You do not want your users to log into computers and perform daily work with administrator rights. Exploiting administrator rights is a primary method attackers use to spread and gain control of systems inside an organization.


Scenario 1: A user is logged in to their computer with administrator rights and is fooled into opening an email that contains a malicious attachment. The attachment contains executable code that runs on the computer. Because the user is logged in with administrator rights, this malicious code has full rights to the computer: it could install a keylogger or sniffer, run ransomware and encrypt all the files, install remote control software, and so on. Not good.


Scenario 2: Someone, maybe a helpdesk tech, created a local user on multiple computers with the same password and added it to the local Administrators group. If an attacker cracked this password, the attacker would have administrator access to every machine on which this account exists. The attacker could then move laterally from system to system, dropping malicious files, stealing data, and so on.


Using group policy I can not only remove these accounts but I can control what user accounts or groups are members of this group. If someone tried to manually add a user to this group the group policy would override it.


You can see from the screenshot that the unwanted accounts have been removed from the administrator group. The GPO removed the robert.allen account, admin2, and the fig account from the group. It then added the domain admins group, the IT_Wrk_Admin group, and the local administrator account.
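An added example (not from the original article) that does the same comparison the GPO enforces, but as a read-only audit: it lists members of the local Administrators group that are not on an approved list, so drift such as the robert.allen, admin2 or fig accounts above shows up before the next policy refresh. The domain name CONTOSO and the group names are assumed placeholders; run it elevated.

```powershell
# Added example, not the article's own script. Reports members of the local
# Administrators group that are not on an approved list (the accounts a
# Restricted Groups GPO would remove). CONTOSO and the group names are assumed.

function Get-UnapprovedLocalAdmin {
    param(
        [string[]]$Approved = @(
            'CONTOSO\Domain Admins',   # assumed domain name
            'CONTOSO\IT_Wrk_Admin'
        )
    )
    # Each member exposes Name (DOMAIN\account), ObjectClass (User/Group),
    # PrincipalSource (Local/ActiveDirectory/AzureAD) and SID.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            # Skip the built-in Administrator by its RID (-500) rather than by
            # name, so the check does not depend on the machine's own name.
            $_.SID.Value -notlike '*-500' -and $Approved -notcontains $_.Name
        } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

function Invoke-LocalAdminAudit {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$Approved = @('CONTOSO\Domain Admins', 'CONTOSO\IT_Wrk_Admin')
    )
    # Run the same function on each machine over WinRM; every result row
    # carries PSComputerName, so one report covers the whole fleet.
    Invoke-Command -ComputerName $ComputerName `
        -ScriptBlock ${function:Get-UnapprovedLocalAdmin} `
        -ArgumentList (, $Approved)
}

# Local check on this machine
$drift = Get-UnapprovedLocalAdmin
if ($drift) {
    Write-Warning "Unapproved members of Administrators on ${env:COMPUTERNAME}:"
    $drift | Format-Table -AutoSize
} else {
    Write-Host 'Administrators group matches the approved list.'
}

# Fleet check (assumed computer names):
# Invoke-LocalAdminAudit -ComputerName 'WS01', 'WS02' | Format-Table -AutoSize
```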


Great information but I have a question. When you delete all member users and then add the local administrator account back in, what is the password for the administrator? Does it remain the same that it was prior to being deleted by putting a check in the box to delete all members?


Hi Robert, I have a question. I have set this policy, so now each local computer has a local account without admin rights. A few days later I would like to set admin rights to the local account for 2 workstations. Is it possible to do it? Thank you in advance for your help


I don't know why, but instead of adding the admin group to the group Administrators (built in), it creates another group with that name and adds the admin groups there. I can't find why. GPO is applied. But it doesn't work. Any idea?


We have used this for years now, and in our group policies we removed the local admin from the administrators group too. That said, we found that the local administrator is still a member of the administrators group on every system!


Individual administrators can be added by using variables in the GPO and matching groups in AD. So for example %DomainName%\%computername%_admins in the GPO. Only thing you should keep in mind is that this could be abused of course and so assign to the lowest OU possible.


Finally you can stack up several policies from highest to lowest OU. For example, the first GPO on domain level removes all members, the second on the highest OU level adds the DomainName\Workstation_admins, the third adds the DomainName\US_Sales_admins on the US Sales OU, and on the Washington Sales OU the fourth GPO adds the mentioned %DomainName%\%computername%_admins to the local administrators group on all computers for which a corresponding AD group exists.


Hi Robert, I removed some days ago all admin rights on all local accounts (I checked delete all member users and delete all member groups). For the moment only specific AD users, members of a group named LocalAdmin, are Admins.


By default, the local Administrators group on Windows machines only contains the Domain Admins group and the local Administrator account. This is not really a good configuration because it means that anyone who is allowed to manage a Windows client machine has all rights in the Active Directory domain. Thus, it is better to create a domain group for all local administrators, which you add to a local Administrators group. Then, you add all users who are allowed to manage your Windows desktops to this domain group.


The local Administrators group should be reserved for local admins, help desk personnel, etc. However, in some cases, you might want to temporarily grant an end user administrator privileges on his machine so he can install a driver or an application. I know this is not really best practice, but, in my experience, overworked admins often opt for this solution if an important user keeps nagging. This is where the procedures described below come in.


If you are logged in to an Active Directory domain, and if you have sufficient privileges to manage the remote machine, the connection should be established without the need to provide credentials. You can then navigate to Local Users and Groups and add the user to the Administrators group.


The first three lines are just for prompting you to input the domain, computer, and user names. In line 4, the script creates the reference object for the local Administrators group of the remote computer using the [ADSI] type adapter. Line 5 creates the corresponding reference to the user, and the last line adds the user to the Administrators group.
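The script described above is not reproduced on this page, so the following is an added reconstruction (not the original article's code) of that approach: it prompts for domain, computer and user, binds to the remote computer's Administrators group through the [ADSI] WinNT provider, and adds the user. It also lists the resulting membership and provides a matching removal function, since the text frames this as a temporary grant. It assumes you are logged on to the domain with rights to manage the remote machine.

```powershell
# Added example, not the original article's script. Grants, lists and revokes
# local Administrators membership on a remote computer via the [ADSI] WinNT
# provider. Assumes a domain logon with rights to manage the remote machine.

function Get-RemoteLocalAdmin {
    param([Parameter(Mandatory)][string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Members is a COM method; read each member's ADsPath (e.g. WinNT://CONTOSO/alice)
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Add-RemoteLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$User
    )
    $userPath = "WinNT://$Domain/$User,user"
    # Fail early instead of letting Add() throw a bare COM error on a typo
    if (-not [ADSI]::Exists($userPath)) { throw "Account $Domain\$User not found" }
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.Add($userPath)
}

function Remove-RemoteLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$User
    )
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.Remove("WinNT://$Domain/$User,user")
}

# Interactive use, mirroring the prompts the article describes
$Domain   = Read-Host 'Domain name'
$Computer = Read-Host 'Computer name'
$User     = Read-Host 'User name'
Add-RemoteLocalAdmin -Domain $Domain -Computer $Computer -User $User
Get-RemoteLocalAdmin -Computer $Computer
# When the temporary task is done, take the right away again:
# Remove-RemoteLocalAdmin -Domain $Domain -Computer $Computer -User $User
```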


Since Microsoft disabled the GPO for setting local users in the Local Security Policy, this has proven a bit more difficult. I have had great success with PowerShell, but this only works for an existing local user or an existing domain user.


Since Get-localgroupmember -Group "administrators" returns only local users, there are no domain users or groups in your local administrators group. You have to run your script as administrator or you'll see the "Access denied" error.


It works with Get-LocalGroupMember -Group "Administrators", and has the output as below, but there are lots of accounts in "AP\AdminGrouptest", so how to know who they are? How to get the detail? I just need to remove some users in this group, not all users.


By default, on Windows 10 devices which are Azure AD joined, the user performing the join is added to the local Administrators group. Besides the user and the local administrator (which is disabled by default), two other SIDs are added without any friendly name that explains who they are. So where are those SIDs coming from?


When searching through the documentation (How to manage the local administrators group on Azure AD joined devices) you will read that these 2 SIDs represent the Azure AD Global Administrator and the Device Administrator roles.


So basically this is really handy: you can add a user to the Azure AD role and therefore the user becomes a local administrator on the Azure AD joined devices. These are global settings, meaning that if you receive the device administrator role, you will be a local administrator on all Azure AD joined devices for your tenant.


There are also some challenges with the Device Administrator group, mainly because when you add a user to this role (either via the Azure AD settings or by activating the role using PIM) the change is not effective immediately on the Windows 10 client. The reason for this has to do with the PRT, which stands for Primary Refresh Token.


Basically this means that after a user is added to the Device admins group it can take up to 4 hours for this to be active, and vice versa (when a user is removed from Device admins they stay local admin for up to 4 hours).

