Add User or Groups to Local Admin in Intune

In this post I will show you how to add users or groups to the local Administrators group with Intune. The device can be domain joined or not joined to any domain.

To manage a Windows device, you need to be a member of the local Administrators group. Read this article to learn more about managing local administrators on Azure AD joined devices.

Many people assume that the first user who signs in during Autopilot automatically becomes a local admin. That is only true if you leave the user account type in the Autopilot deployment profile at its default, Administrator.

Autopilot Standard User

But if you set the user account type in the OOBE profile to Standard, there is no local admin at all; even the built-in local Administrator account is disabled. Furthermore, there is no option in the profile that lets you change this afterwards.

Add User or Groups to Local Admin in Intune

We will now look at the steps to add users or groups to the local Administrators group with Intune. First, create a new text file and rename it add_localadmin.ps1.

You can edit this file with either PowerShell ISE or Notepad++. Paste the following command into the file:

Net localgroup administrators "AzureAD\yourgroups@domain.xx" /add

Replace “AzureAD\yourgroups@domain.xx” with the email account of the group or user you want to add.

Tip – Don’t use the PowerShell Add-LocalGroup cmdlet for this; it returns an error and doesn’t work on remote computers.
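As an added example (not the script from the post), here is a more defensive version of add_localadmin.ps1 that does the same net.exe call but first checks whether the principal is already a member, captures the error text when net.exe fails (for instance the "there is no such global user or group" message reported in the comments), re-reads the group afterwards so the log records what actually happened, and returns a non-zero exit code on failure so the Intune portal shows the script as failed rather than succeeded. The $Principal value is the placeholder from the post and the log path is an assumption; replace both as needed.

```powershell
# Added example, not the original post's script.
# Adds a user or group to the local Administrators group only if it is not
# already a member, logs the outcome, and exits non-zero on failure.
param(
    # Placeholder from the post; replace with the group or user to add.
    [string]$Principal = "AzureAD\yourgroups@domain.xx",
    # Assumed log location; any path writable by SYSTEM works.
    [string]$LogPath   = "$env:ProgramData\add_localadmin.log"
)

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# Resolve the Administrators group by its well-known SID so the script also
# works on localised Windows builds where the group name is not "Administrators".
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

# Read current membership as objects instead of parsing net.exe text output.
$members = Get-LocalGroupMember -Group $adminGroup.Name -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty Name

if ($members -contains $Principal) {
    Write-Log "$Principal is already a member of $($adminGroup.Name); nothing to do."
    exit 0
}

# Keep the post's choice of net.exe, but merge stderr into the captured output
# so the reason for a failure ends up in the log.
$output = & net.exe localgroup $adminGroup.Name $Principal /add 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Log "Failed to add $Principal (exit $LASTEXITCODE): $($output -join ' ')"
    exit $LASTEXITCODE
}

# Re-read membership so the log reflects the real state, not just intent.
$after = Get-LocalGroupMember -Group $adminGroup.Name -ErrorAction SilentlyContinue |
         Select-Object -ExpandProperty Name

if ($after -contains $Principal) {
    Write-Log "Added $Principal to $($adminGroup.Name)."
    exit 0
}
else {
    Write-Log "net.exe returned success but $Principal is not listed in $($adminGroup.Name)."
    exit 1
}
```

Intune does not pass parameters to the script, so the default values are what run on the device; edit them before uploading. Because the script exits 0 when the principal is already present, it is safe to let Intune re-run it, and the log file gives you something to check on the device when the portal only reports a generic failure.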

Intune Add User or Groups to Local Admin

After you have made the changes, save the .ps1 script. Return to the Intune portal and create a new script.

Create Script in Intune Portal

Add a PowerShell script. Specify the script name and add a description.

Add PowerShell Script

Import the add_localadmin.ps1 script. Leave the other settings at their defaults.

Configure Script Settings

Select the groups to which you want to assign the script. Remember that the script is assigned to device groups; alternatively, select All devices. Click Next.

Script Assignments

Finally, review the settings and click Create.

Intune Add User or Groups to Local Admin

Open the script and ensure the Assigned field shows Yes.

Verify the Assigned Field

After you have assigned the script, wait a few minutes or trigger the sync manually.

Trigger Intune Sync

The script has made the changes. We see the users are now part of the local Administrators group. Don’t forget to sign out and sign in again to see the results.

Add users to local admin


12 Comments

  1. Nathaniel Banks says:

    The net localgroup /add command doesn’t work 100% of the time with Azure AD; we tried using it and got the error, “there is no such global user or group: user@domain” – and others have reported the issue as well.

  2. Markus Kugler says:

    Hello Prajwal,
    thanks for your great website, which I have followed since the early SCCM days!

    One question: I have all my autopilot devices rolled out with the user account type “standard” in the OOBE.
    How can I now get all the primary users to have local admin rights on their own device afterwards?

    1. Karl Degraa says:

      Set the user to administrator in the deployment profile. The first user logging into Windows will be an administrative user.

      I don’t know how to make every user an administrative user besides perhaps using the PowerShell command Prajwal has given on this page and then adding all the users who need to be administrators. This would be a clumsy way to do it though.

  3. There is no Email account for Azure AD group. How do we add that group?

    1. Did you figure that out? 🙂

  4. If referencing a Microsoft 365 group, does this just add the specific logged on user to the Administrators group or does it add everyone in the 365 group to the Administrators group. I need to add the logged on user only to his or her specific machine.

  5. Can you remove this user from the local administrator group just as easily as by removing the computer from the group?

    1. Probably yes. I’ll check that.

      1. Okay, I checked that and unfortunately it’s not possible; by removing users from the group, they remain with local admin rights. I’m searching for a solution, but it isn’t that easy.

        1. Suggest you add an Azure AD group instead, that way you can manage the membership by editing the group – better than assigning individual users.

          1. Hey Denis,

            What do I write if I want to add an Azure AD group?

            Net localgroup administrators "AzureAD\yourgroups@domain.xx" /add ?

            1. Hello Denis,

              Did you find an answer to this?