S04E02 - Local Users and Groups - (I.T)

  • Published on Jan 1, 2025

Comments • 49

  • @nazerbor3i
    @nazerbor3i 2 months ago

    great video and the troubleshooting part is impressive

  • @IntuneVitaDoctrina
    @IntuneVitaDoctrina 2 years ago

    GREAT topic, format, discussions, loved it, thanks!

  • @mukmusicdiary
    @mukmusicdiary 2 years ago

    Looking younger than ever you young youngers! Great video :)

  • @Liubtv
    @Liubtv 2 years ago

    THANK YOU!!!! you actually guide your viewers through soft, unlike so videos that rush the whole thing or talk too fast.

  • @grunt-yt
    @grunt-yt 2 years ago +1

    Getting odd looks in the airport, screaming at my laptop to elevate your powershell!!!

  • @Anarchyontheweb
    @Anarchyontheweb 2 years ago +1

    Steve unrecognisable without the beard

  • @gpanucci
    @gpanucci 2 years ago +1

    Thanks for the video!
    Can you guys do an S04E02+1/2 and show the best way to set it up so that when InTune users who aren't signing into an AutoPilot machine are taken out of the Administrators group, and put into the Standard Users group?
    Currently when users are signing into devices via InTune they are set as Administrators, using AutoPilot allows you to choose the target group for the users, but I'm guessing we could use the instructions from this episode to just use replace to take the users out of the Admin group?
    Not sure how we'd add the individual user back to the normal user group though?

    • @kirillbez386
      @kirillbez386 1 year ago

      curious about this scenario as well. love the channel. amazing. and thank you

  • @skvgrd
    @skvgrd 2 years ago +1

    Please explain how you make a filter with devices of a certain user (where he is primary user). You mention that in the video..

    • @IntuneTraining
      @IntuneTraining 2 years ago +3

      Steve was talking out of his arse. That’s not possible. We had several people ask the same thing. Sorry to get your hopes up.

    • @GeorgeEsler
      @GeorgeEsler 1 year ago

      Was coming here to ask the same question :(

  • @matthewdillon1210
    @matthewdillon1210 1 year ago

    So I am starting to enable this in my HAADJ environment and I would say it's working quite well. A couple questions.
    1. Do you guys know how long it takes the policy to figure out if there are changes made to the Administrators group. (i.e. - If I add a random user or remove a policy-added member to the Administrators group, how long before the policy corrects?)
    2. I am assuming this only works in a HAADJ environment if a device is connected to the domain directly or through VPN?

    • @IntuneTraining
      @IntuneTraining 1 year ago +1

      1. Not sure. It doesn’t take long but we haven’t measured it. Let us know what you find out.
      2. Works for AADJ too. Just need to use the AAD account or group or role SID instead of account names. The docs cover this scenario.

    • @matthewdillon1210
      @matthewdillon1210 1 year ago

      @IntuneTraining I am seeing a pretty long time for the removal if I add an additional user. It synced yesterday at 11a CST. I am hoping it removes the user as added this morning at least.

  • @ipunto1841
    @ipunto1841 1 year ago

    Thanks for that good teaching! But, how can we set a restricted list of users that can log into the pc? I want to limit users logon to a few users, not all. Thanks in advance 🙂

  • @FrankParise
    @FrankParise 1 year ago

    Great videos guys. One question. If I need to unjoin a PC from Azure AD and the local administrator is disabled, how do I login when the PC restarts and only comes up with the local user login prompt?

  • @gabrielluizbh
    @gabrielluizbh 4 months ago

    Hello!
    I would like to know if these problems have already been corrected in 2024?

    • @IntuneTraining
      @IntuneTraining 4 months ago

      Not sure which specific problems you refer to. However local group management works but just takes good planning.

  • @sip03ds
    @sip03ds 2 years ago

    Great video! I was wondering if you add an azure ad group on local admins group and leverage on privileged identity management (PIM) for managing, controlling and auditing access for local admin users. What happens with local caching and offline access?

    • @IntuneTraining
      @IntuneTraining 2 years ago

      You can, looks like we may do a video on that soon - several people have asked about it. Offline/caching wouldn’t work most likely, but then again, it wouldn’t work without pim offline either unless you already had cached admin creds.

    • @sip03ds
      @sip03ds 2 years ago

      @IntuneTraining that would be a very interesting test. Create a group where group membership is controlled with pim. Add the group to local admin group. Add a user to the group through pim. Login with the user to the pc - should grant you admin access. Revoke membership of the user from the group. What will happen to admin privileges of the user - either online or offline.

    • @bentroyer2011
      @bentroyer2011 2 years ago

      @sip03ds We just recently went through trying to use pim with a group that was given the Azure AD local Admin Role. it's not as seamless as one would hope. It may take quite a while for the account that is just given rights into the group via pim to be seen as a local admin. did some research then and they seemed to think it had to do with the azure token given to the machine. some people tried to refresh that token. unfortunately this wasn't a viable option for us. in our testing you would have to wait hours for it to take effect.
      I did see somewhere that MS was working on getting a Cloud version of LAPS going.

  • @LunaTuna
    @LunaTuna 2 months ago

    Is there a way to change the maximum password age for a local computer user who is not part of active directory or active directory? For instance, my work computer environment utilizes local user accounts that are not administrator account. I am not sure how to get Intune to override the default 42 day maximum password expiration age. I’ve tried using the settings available, but it appears that this only works with accounts that are linked to Measure or active directory. Am I missing something? Thank you in advance.

  • @petero5793
    @petero5793 1 year ago

    I have been looking everywhere and have found very limited help on a need of mine. Sorry if this is way off topic. In our azure ad domain a user can sign into any azure joined computer and I am looking for a way to restrict a specific user to a specific machine(s) like Active Directory used to be able to. How is this achieved in Azure AD/Intune? My research so far has not found any full successful result. Thx and cheers

    • @IntuneTraining
      @IntuneTraining 1 year ago

      Have you seen this? www.inthecloud247.com/assign-deny-local-log-on-user-right-to-an-azure-ad-group-by-using-microsoft-intune/

    • @petero5793
      @petero5793 1 year ago

      @IntuneTraining Thank you, This looks very promising and I have read some of his other posts before, just not this one! Very good stuff.

  • @robertgowdey
    @robertgowdey 2 years ago

    This is AD in the cloud policy Intune is gpo on prem that is the only difference

  • @arisaastamoinen941
    @arisaastamoinen941 2 years ago +1

    Haven't tested this yet but I have a gut feeling that renamed local admin accounts (Administrator -> LocalAdmin etc.) and language localized admin accounts (like 'Järjestelmänvalvoja' in Finnish) are about to fail somehow. Or is it that I just need to know the displayname of my SID-500 user and work with that? Can't use the local admin SID as it's different on each computer.

    • @IntuneTraining
      @IntuneTraining 2 years ago +1

      We are using the renamed Account in our Intune policy and it works fine. Not sure what happens with localization.

    • @roelendia
      @roelendia 2 years ago +2

      I can confirm the language problem was finally solved a few weeks ago.

  • @roelendia
    @roelendia 2 years ago +1

    Once again, great coverage guys.
    One question. Do you know if pim is working if added to an admin group nowadays. Tested this a while ago and this works not very well regarding syncing. (Took too long)

    • @IntuneTraining
      @IntuneTraining 2 years ago +2

      Ben mentioned that he had done that with some clients previously and they had the same issue. PIM perms took too long to make it to the client for it to be useful. But I plan to test it at some point in the future in my env.
      -Adam

  • @michaelpietrzak2067
    @michaelpietrzak2067 2 years ago

    Kinda lost....So if I just choose to add a group via the Add (update), it will still remove the two AAD groups that get added in by default. I still need to add the two GUIDs for those default groups in order to keep them in there, even though I chose the Add(update)?

    • @IntuneTraining
      @IntuneTraining 2 years ago

      Add (Update) won't remove anything. It will just add. Add (Replace) will remove everything then add the new accounts/groups. See Example 2 here docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups#what-happens-if-i-accidentally-remove-the-built-in-administrator-sid-from-the-administrators-group

  • @andrew181082
    @andrew181082 2 years ago

    Would this work with PIM if you use a group with the Azure AD Joined Local Device Admin role applied?

    • @IntuneTraining
      @IntuneTraining 2 years ago

      So long as the user has the role assigned via PIM at authentication on the client computer it *should* work

    • @IntuneTraining
      @IntuneTraining 2 years ago +3

      We actually had this conversation immediately following the video as well. I have yet to test this out, but we've heard from Ben that he previously did this and had issues with how long it took PIM to kick for the client side to actually elevate. Maybe we will revisit this once we get some more real-world testing.
      -Adam

    • @roelendia
      @roelendia 2 years ago

      Asked the same question, sorry, haven't seen it was already asked here.

  • @robertgowdey
    @robertgowdey 2 years ago

    Sherry came up with this years ago

  • @robertgowdey
    @robertgowdey 2 years ago

    Tbh when it comes to AD I think there was a lot of misconception

  • @robertgowdey
    @robertgowdey 2 years ago

    Adam ftw

  • @YashKamalKanpur
    @YashKamalKanpur 2 years ago

    And WHAM! Well you're drunk now!

  • @ia1n673
    @ia1n673 2 years ago

    soft interface support.

  • @josephdenice731
    @josephdenice731 2 years ago

    So I went ahead and tried this and none of it worked. Could there be something I am missing? I followed the whole video step by step with adding the correct SID's to the Add Replace via Manual (Including the Administrator account) and it did not work. Now I went ahead and added 3 sids (Global Administrator, Azure AD Local Device Administrator, and Helpdesk Administrator roles) it seemed none of them worked. Could there be something else missing?

    • @IntuneTraining
      @IntuneTraining 2 years ago

      The event logs will tell you why they didn’t work - we covered how to look for the events in the video. What errors do you have?

    • @josephdenice731
      @josephdenice731 2 years ago

      @IntuneTraining Yup! Sorted it out. I pulled off the wrong ID's from AAD instead of using the Graph Explorer tool. Once I was there I confirmed everything and we are GOOD TO GO!
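
Replies in the threads above say to use the AAD account, group or role SID rather than account names, and describe Add (Update) versus Add (Replace). As an added example (not code from the video, the channel or the Microsoft docs), this Python script converts an Azure AD object ID to its S-1-12-1 SID and builds the LocalUsersAndGroups XML for both actions; the sample object ID, the function names and the bare-GUID check are assumptions made for the example.

```python
import re
import struct
import uuid
import xml.etree.ElementTree as ET

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def object_id_to_sid(object_id: str) -> str:
    """Convert an Azure AD object ID (GUID) to its S-1-12-1-... SID."""
    # bytes_le is the Windows GUID byte layout; the SID's four sub-authorities
    # are those 16 bytes read as four little-endian unsigned 32-bit integers.
    parts = struct.unpack("<4I", uuid.UUID(object_id).bytes_le)
    return "S-1-12-1-" + "-".join(str(p) for p in parts)


def group_configuration(action: str, members: list) -> str:
    """Build the policy XML. action "U" = Add (Update), "R" = Add (Replace)."""
    if action not in ("U", "R"):
        raise ValueError("action must be 'U' (update) or 'R' (replace)")
    for member in members:
        # A bare object ID is neither an account name nor a SID: convert it first.
        if GUID_RE.fullmatch(member):
            raise ValueError(f"{member} is an object ID; use object_id_to_sid()")
    root = ET.Element("GroupConfiguration")
    group = ET.SubElement(root, "accessgroup", desc=ADMINISTRATORS_SID)
    ET.SubElement(group, "group", action=action)
    for member in members:
        ET.SubElement(group, "add", member=member)
    ET.indent(root)  # Python 3.9+
    return ET.tostring(root, encoding="unicode")


# Constructed sample object ID (not a real tenant object).
SAMPLE_GROUP_ID = "00000001-0002-0003-0405-060708090a0b"

if __name__ == "__main__":
    sid = object_id_to_sid(SAMPLE_GROUP_ID)
    # Update: existing members stay, the group SID is added.
    print(group_configuration("U", [sid]))
    # Replace: membership becomes exactly this list, so the built-in
    # Administrator account is listed by name to keep it in the group.
    print(group_configuration("R", ["Administrator", sid]))
```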

  • @Tayjuice
    @Tayjuice 2 years ago

    I'm so confused guys :D

  • @robertgowdey
    @robertgowdey 2 years ago

    Resource vs security

  • @dejoh3210
    @dejoh3210 2 years ago

    Adderall