In this post I will show you how to add user or groups to local admin in Intune. The machine could be a domain joined or without domain.
To manage a Windows device, you need to be a member of the local administrators group. Read this article to know more about managing local administrators on Azure AD joined devices.
Many people assume when you add a user in the first time with Autopilot, user becomes local admin. This happens if you leave the Profile Autopilot settings by default as Administrator.
But if you configure the OOBE profile to Standard, there will be no local admin, even local administrator is disabled. Furthermore there is no option that allows you to change it.
Add User or Groups to Local Admin in Intune
We will now look at the steps to add user or groups to local admin in Intune. First lets create a new text file and rename it add_localadmin.ps1.
You can edit this file either with PowerShell ISE or Notepad++. Paste the following command inside the file
Net localgroup administrators "AzureAD\yourgroups@domain.xx" /add
Replace “AzureAd\xxxx” with email account of your groups or user.
Tip – Don’t use the PowerShell command add-Localgroup because it creates an error, and doesn’t work on remote computer.
After you have made the changes, save your ps1 script. Return to Intune portal. In the portal, create a new script.
Add a Powershell script. Specify script name and add a description.
Import the add_localadmin.ps1 script. Leave the other settings to default.
Select groups that you wish to assign your script. Don’t forget the script will be assigned to computer groups, or by default select all devices. Click Next.
Finally review the settings and click Create.
Take a look at the script and ensure the Assigned value is set to Yes.
After you have applied the script, wait for few minutes or manually trigger the sync.
The script has done the changes. We see the users are now part of local administrator group. Do not forget to logoff and logon to see the results.
The net localgroup /add command doesn’t work 100% of the time with Azure AD; we tried using it and got the error, “there is no such global user or group: user@domain” – and others have reported the issue as well.
Hello Prajwal,
thanks for your great website, which I follow since the early sccm days!
One question: I have all my autopilot devices rolled out with the user account type “standard” in the OOBE.
How can I get now all the primary users each to have local admin rights on their very device afterwards?
Set the user to administrator in the deployment profile. The first user logging into Windows will be an administrative user.
I don’t know how to make every user an administrative user besides perhaps using the Powershell command Prajwal has given on this page and then adding all the users who need to be administrators. This would be a clumsy way to do it though.
There is no Email account for Azure AD group. How do we add that group?
Did you figured that out? 🙂
If referencing a Microsoft 365 group, does this just add the specific logged on user to the Administrators group or does it add everyone in the 365 group to the Administrators group. I need to add the logged on user only to his or her specific machine.
Can you remove this user from the local administrator group just as easily as by removing the computer from the group?
Probably yes. Ill check that
Okay, I checked that and unfortunately its not possible, by removing Users from the group they remain with local admin rights. I’m searching for a solution, but isn’t that easy..
Suggest you add an Azure AD group instead, that way you can manage the membership by editing the group – better than assigning individual users.
Hey Denis,
What do I write if I want to add an Azure AD group?
Net localgroup administrators “AzureAD\yourgroups@domain.xx” /add ?
Hello Denis,
Did you find any answer of this?