question

0 Votes
Rookie-4191 asked Crystal-MSFT edited

Trouble creating Local admin users via Intune

We are trying to create a local admin user other than the Autopilot user in Intune. The way we have set it up is that our Autopilot user (domain user account) is an admin user, and then we are using a CSP to create another local admin user. We are using hybrid mode enrollment.

We have a Device configuration profile with OMA URI as follows:

  • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/admin1/Password

    Data Type: String

    Value: ***

  • OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/admin1/LocalUserGroup: 2

    Data Type: Integer

    Value: 2

Assignment : User Group

When it Works:

So far, based on testing, it works when the profile is assigned to the dynamic device group which is created to perform Autopilot on Intune machines for which the device hash is already imported, but in this process it fails to make the Autopilot user an admin.

When it doesn't work:

When the configuration profile is applied to a user group, it fails to create the user, but then the Autopilot user is created properly with admin rights.

Variations tried:

Made the localadmin user a non-admin by changing the integer value to 1, then tried first with the dynamic device group assigned, which failed, and also with the user group, which also failed.

Client machine Windows version: Windows 10 21H2

Would like to avoid the PowerShell script method if possible. Kindly let me know if you require any further details.

Tags: mem-intune-device-configurations, mem-intune-enrollment

Update for the below section

When it doesn't work:
When the configuration profile is applied to a user group, it fails to create the user, but then the Autopilot user is created properly with admin rights.

It now works. The issue was that this configuration was applied after Autopilot and the domain join, and hence the domain password policy was being applied to the machine.

But the behavior where creating multiple admin users during Autopilot fails to make the Autopilot user an admin is still the same.

0 Votes 0 ·
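The update above traces the failure to the domain password policy being in force by the time the Accounts CSP ran. The following PowerShell script is an added diagnostic (not from the thread, not Microsoft's own tooling) to run elevated on a test device after the profile should have applied: it checks whether the local account exists and sits in Administrators, prints the effective password policy the CSP value had to satisfy, and pulls recent MDM diagnostic events that mention the Accounts CSP. The user name admin1 is taken from the question; everything else is assumed.

```powershell
# Added diagnostic (not from the thread). Run elevated on an enrolled test device.
param(
    [string]$UserName = "admin1"   # name from the question's OMA-URI; change to match your profile
)

# 1. Does the account exist, and is it a member of the local Administrators group?
$user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if ($null -eq $user) {
    Write-Host "Local user '$UserName' does NOT exist - the Accounts CSP Password node was not applied."
} else {
    Write-Host "Local user '$UserName' exists (Enabled: $($user.Enabled))."
    # Get-LocalGroupMember throws on orphaned SIDs on some builds; tolerate that.
    $admins = @()
    try { $admins = @(Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop) }
    catch { Write-Warning "Could not enumerate Administrators: $_" }
    $isAdmin = $admins | Where-Object { $_.Name -like "*\$UserName" }
    Write-Host ("In Administrators: {0}" -f [bool]$isAdmin)
}

# 2. Effective password policy. After the hybrid join the domain policy applies, so a
#    CSP password accepted during Autopilot can be rejected when the profile is
#    re-applied later. 'net accounts' shows length/age; secedit exposes complexity.
Write-Host "`nEffective password policy:"
net accounts | Select-String "Minimum password length|Maximum password age|Minimum password age"
$cfg = Join-Path $env:TEMP "secpol-export.cfg"
secedit /export /cfg $cfg /quiet | Out-Null
Get-Content $cfg | Select-String "PasswordComplexity|MinimumPasswordLength"
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Recent MDM diagnostic events that reference the Accounts CSP user nodes.
Write-Host "`nMDM events referencing Accounts/Users (last 7 days):"
Get-WinEvent -FilterHashtable @{
    LogName   = "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Accounts/Users" } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize
```

If step 1 shows the account missing while step 2 shows PasswordComplexity = 1 or a minimum length larger than the password in the profile, the CSP value is being rejected by policy rather than by Intune, which matches the root cause reported in the update.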

1 Answer

0 Votes
Crystal-MSFT answered Crystal-MSFT edited

@Rookie-4191, For the test "Making the localadmin user as a non admin by changing the integer value to 1, and then first tried with dynamic device group assigned, which failed and also the user group which also failed.", this failed because "./Device/Vendor/MSFT/Accounts/Users/localadmin/LocalUserGroup" only supports the add operation. Changing is a replace operation, so it will fail. We can see more details in the following link:
https://docs.microsoft.com/en-us/windows/client-management/mdm/accounts-csp

If we want to add the user into local administrators group, we can choose LocalUsersAndGroups CSP instead. Here is a link with more details for the reference:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups

For the Autopilot admin and configuration profile to create local admin conflict issue, I will do a test in my environment to see if I have the same issue. This needs some time. If there's any update, I will update here.


If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Thanks @Crystal-MSFT for the response, can LocalUsersAndGroups be used to add local users? The link only shows examples for adding AzureAD users to local groups.

0 Votes 0 ·

@arjunasvr-2308, Thanks for the reply. The LocalUsersAndGroups CSP can be used to add a local user as well. Here is an example I tested in my environment for the reference:

Add local user "crystal" into local administrators group.
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
Data Type: String
Value:
<GroupConfiguration>
<accessgroup desc = "Administrators">
<group action = "U"/>
<add member = "crystal"/>
</accessgroup>
</GroupConfiguration>

Hope it can help.

0 Votes 0 ·
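The GroupConfiguration payload in the comment above updates Administrators with one member. The PowerShell script below is an added example (not from the thread and not part of the CSP or Intune) that parses such a payload on a test device and previews what it will do to each named group before the profile is assigned. It uses the XML from the comment, with its whitespace normalised, and the CSP's documented group actions "U" (update: apply only the listed add/remove entries) and "R" (restrict: replace the whole membership with the listed members); the name comparison against current members is a simple heuristic of my own.

```powershell
# Added example (not from the thread). Run elevated on a test device to preview a
# LocalUsersAndGroups/Configure payload against the current local group membership.
$payload = @"
<GroupConfiguration>
  <accessgroup desc="Administrators">
    <group action="U"/>
    <add member="crystal"/>
  </accessgroup>
</GroupConfiguration>
"@

# The cast throws on malformed XML, which Intune would also reject at apply time.
[xml]$doc = $payload

foreach ($ag in $doc.GroupConfiguration.accessgroup) {
    $groupName = $ag.desc
    $action    = $ag.group.action
    $adds      = @($ag.add    | ForEach-Object { $_.member })
    $removes   = @($ag.remove | ForEach-Object { $_.member })

    # Current membership; Get-LocalGroupMember throws on orphaned SIDs on some builds.
    $current = @()
    try { $current = @(Get-LocalGroupMember -Group $groupName -ErrorAction Stop | ForEach-Object { $_.Name }) }
    catch { Write-Warning "Could not enumerate '$groupName': $_" }

    Write-Host "`nGroup '$groupName' (action $action)"
    Write-Host "  current    : $($current -join ', ')"
    Write-Host "  will add   : $($adds -join ', ')"
    if ($removes.Count -gt 0) { Write-Host "  will remove: $($removes -join ', ')" }

    if ($action -eq "R") {
        # Restrict replaces the membership: any current member not listed under <add>,
        # including the built-in Administrator and the Autopilot-granted admin, is dropped.
        # Heuristic: compare the account part after the last backslash (DOMAIN\name, AzureAD\upn).
        $dropped = $current | Where-Object { ($_ -split '\\')[-1] -notin $adds }
        if ($dropped) { Write-Warning "  action R would drop: $($dropped -join ', ')" }
    }
}
```

Keep the action at "U" unless you deliberately want the listed members to be the only members; with "R" a payload that lists just one local user would remove every other administrator on the device, including the account Autopilot made an admin.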

Is this also possible for Android devices? Can you give us step-by-step instructions or an instruction video?

0 Votes 0 ·

I was able to get it to work with the original OMA-URI mentioned; it was due to the password complexity, since the user was created after domain join with domain policies applied. I will try the above method as well.

0 Votes 0 ·