This step-by-step guide details how to add a local user to Admin group using Intune. We’ll utilize the local membership policy in Intune to assign administrative privileges to the Entra user by adding it to the built-in administrators group.
Account Protection is an Endpoint Security module in the Intune admin center. It is mainly used to protect the identities and accounts of your users and to manage built-in group memberships on devices. In our guide on setting up Windows LAPS with Intune, we used an account protection policy to create the LAPS policy.

The local user group membership policy in Intune lets administrators manage built-in local groups on Windows devices. The policy settings can be used to add, remove, or replace members of local groups on Windows 11/10 devices.
The only caveat here is that local user group policy settings can be targeted only to supported MDM-enrolled devices. You will notice this limitation while assigning the policy settings to users/groups. Let’s get started.
Prerequisites
Listed below are some important requirements for using account protection policies in Intune:
- To apply an account protection profile, the devices must run Windows 10 or Windows 11.
- To support the local user group membership profile, devices must run Windows 10 20H2 or later, or Windows 11.
- Ensure the Windows devices are enrolled in Intune before applying this policy.
- Adding users to the local admin groups should be done with caution. As a best practice, lock it down to a set of exclusively defined members.
Step 1: Select the user account for administrator privileges
Sign in to the Microsoft Entra admin center and navigate to Identity > Users. Make a note of the username and other details before you add it to the local administrators group via Intune.
In the Local User Group membership profile, you may add a user account, multiple user accounts or even a security group from Entra ID to the policy.
For example, when you have a requirement to add multiple users to the local administrator group on Windows devices, the easy way is to add these users to a security group. Later, assign the policy to this security group in Intune.
Step 2: Add a Local User to Admin Group using Intune
In this step, we’ll create a new Account Protection policy in Intune and add a local user to the administrators group on Windows devices.
First, sign in to the Intune admin center. Go to Endpoint Security > Account Protection. Now click Create Policy and choose Windows as the platform and Local user group membership as profile. Click the Create button.

On the Basics tab, enter the name for the profile and add a brief description. The following details are specified in the below screenshot:
- Name: Add local user to administrators group
- Description: This policy adds the local user account to the built-in administrators group on Windows devices.
Click Next.

On the Configuration Settings tab, under Group Configuration, click on Add. There are a few selections to make here, and they are important.
- Local Group: Click the drop-down and select the group to which you want to add the local user account. In the below example, we have selected the ‘Administrators’ group. The other group options include Users, Guests, Power Users, Remote Desktop Users and Remote Management Users.
- Group and user action: Click the drop-down and select Add (update). The other options include Remove (Update) and Add (Replace).
- User selection type: Here we have two options to choose from: Users/Groups or Manual. Select Users or Groups. The Manual option is used when you want to add on-premises Active Directory users from AD to a local group on a Microsoft Entra hybrid joined device.
- Selected Users: Click Select users/groups, make your selection and add them to the Administrators group.

On the Select users/groups page, type the name of the Microsoft Entra user that you wish to add to the Administrators group. You may select a single user, multiple users or an Entra security group as well. When done, click Next.

The configurations and the selections that you’ve made are now presented on the screen. Click Next.

The default scope tag is selected for the policy. You may specify a different one. We aren’t configuring the scope tags for this policy. Click Next.

In the Assignments window, select the device groups to which you want to assign this policy. I recommend deploying the profile to a pilot device group first and then expanding it to more devices if the testing is successful. Select Next.

On the Review + Create tab, go through the local user group membership settings you’ve configured so far. Click Create to complete the creation of the profile.
A notification appears: “Policy created successfully.” This confirms that the policy has been created and is being applied to the groups we chose.

Step 3: Update Intune Policies
If you’re testing this policy on a set of pilot devices to confirm it’s working, you can manually sync the policies on these devices with Intune. This speeds things up and ensures the devices immediately obtain the latest policies, configurations, and updates from Intune. Make sure the Windows devices are online before you force them to sync with Intune.
Step 4: Monitor Account Protection Policy Assignments
After assigning the local user group membership policy to the device groups, the next step is to monitor how many of them have successfully received the policy settings.
In the Intune admin center, navigate to Endpoint Security > Account Protection. Here, select the Add a Local User to Admin Group policy and review the device and user check-in status. Under “Device and user check-in status,” you can see the total number of devices that successfully received the policy settings.
In the below screenshot, we see multiple Windows devices have received the policy settings successfully. To view the device names that have successfully received the policy settings, click on View Report.
In some cases, the Intune policy may fail to apply to certain users or devices. To resolve the issues, we recommend reviewing Intune logs on Windows computers.

Step 5: Verify if user account is added to Administrators Group
This is the last step where we’ll verify if the chosen user account is added to the built-in Administrators group on enrolled Windows devices that were targeted with the policy. Sign in to the Windows device and run the command “lusrmgr.msc” to open the Local Users and Groups console.
In the Local Users and Groups window, expand the groups, right-click the built-in Administrators group and select Properties. In the Administrators Properties window, verify if the user account is added.
From the below screenshot, we see that the Entra user is added to the local Administrators group on our Windows 11 device. This demonstrates that Intune administrators can use the local user group membership policy to manage local groups on Windows devices.
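The same verification as Step 5, scripted so it can be run on each pilot device instead of opening lusrmgr.msc. This is an added example and not part of the original article; it assumes an elevated PowerShell session on a targeted Windows 10/11 device, and the UPN in $ExpectedMember is a placeholder you replace with the Entra user you selected in Step 1.

```powershell
# Added verification script (not from the original article). Run elevated on a
# device targeted by the Local user group membership policy.
param(
    [string]$ExpectedMember = 'user@contoso.example',   # placeholder: Entra user's UPN
    [string]$GroupName      = 'Administrators'
)

# Entra users appear in local groups as "AzureAD\<UPN>". If the name cannot be
# resolved, only the raw SID (S-1-12-1-...) is shown, so list SID as well.
try {
    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
    $names   = $members | ForEach-Object { $_.Name }
    "Members of local group '$GroupName':"
    $members | Select-Object Name, PrincipalSource, SID | Format-Table -AutoSize
}
catch {
    # On some Entra joined devices Get-LocalGroupMember fails on unresolvable
    # members; fall back to the classic tool and parse its plain-text output.
    Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); using net localgroup."
    $raw   = net localgroup $GroupName
    $names = $raw | Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' }
    $names
}

$found = $names | Where-Object {
    $_ -ieq "AzureAD\$ExpectedMember" -or $_ -ieq $ExpectedMember
}

if ($found) {
    "OK: $ExpectedMember is a member of $GroupName"
}
else {
    "MISSING: $ExpectedMember is not in $GroupName"
    # Show recent MDM policy events; these are the Intune logs referred to in
    # Step 4 and tell you whether the policy was applied or why it failed.
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 50 |
        Where-Object { $_.Message -match 'LocalUsersAndGroups' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-List
}
```

If the device has not yet synced, run the Step 3 sync first; the membership change appears only after the policy has been delivered and applied.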
