In this post I will show you how to add user or groups to local admin in Intune. The machine could be a domain joined or without domain.

To manage a Windows device, you need to be a member of the local administrators group. Read this article to know more about managing local administrators on Azure AD joined devices.

Many people assume when you add a user in the first time with Autopilot, user becomes local admin. This happens if you leave the Profile Autopilot settings by default as Administrator.

Install and Update Third Party Applications with Patch My PC
Install and Update Third Party Applications with Patch My PC
Autopilot Standard User
Autopilot Standard User

But if you configure the OOBE profile to Standard, there will be no local admin, even local administrator is disabled. Furthermore there is no option that allows you to change it.

Add User or Groups to Local Admin in Intune

We will now look at the steps to add user or groups to local admin in Intune. First lets create a new text file and rename it add_localadmin.ps1.

You can edit this file either with PowerShell ISE or Notepad++. Paste the following command inside the file

Net localgroup administrators "AzureAD\yourgroups@domain.xx" /add

Replace “AzureAd\xxxx” with email account of your groups or user.

Tip – Don’t use the PowerShell command add-Localgroup because it creates an error, and doesn’t work on remote computer.

Intune Add User or Groups to Local Admin
Intune Add User or Groups to Local Admin

After you have made the changes, save your ps1 script. Return to Intune portal. In the portal, create a new script.

Create Script in Intune Portal
Create Script in Intune Portal

Add a Powershell script. Specify script name and add a description.

Add PowerShell Script
Add PowerShell Script

Import the add_localadmin.ps1 script. Leave the other settings to default.

Configure Script Settings
Configure Script Settings

Select groups that you wish to assign your script. Don’t forget the script will be assigned to computer groups, or by default select all devices. Click Next.

Script Assignments
Script Assignments

Finally review the settings and click Create.

Intune Add User or Groups to Local Admin
Intune Add User or Groups to Local Admin

Take a look at the script and ensure the Assigned value is set to Yes.

Verify the Assigned Field
Verify the Assigned Field

After you have applied the script, wait for few minutes or manually trigger the sync.

Trigger Intune Sync
Trigger Intune Sync

The script has done the changes. We see the users are now part of local administrator group. Do not forget to logoff and logon to see the results.

Add users to local admin
Add users to local admin

Still Need Help?

If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.

Forums Telegram Contact Me

Prajwal Desai

Prajwal Desai is a technology expert and 10 time Dual Microsoft MVP (Most Valuable Professional) with a strong focus on Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. He is a renowned author, speaker, & community leader, known for sharing his expertise & knowledge through his blog, YouTube, conferences, webinars etc.