
Adding a Local Administrator

In this section we'll go over adding a user to the local Administrators group on Intune-managed (Microsoft Entra joined) Windows devices. Later we'll use Windows LAPS to manage that user's password, so the account is never left with a password a human knows.



Create an Account

First, let's create the script that performs this action. It checks whether the account already exists, so it is safe for Intune to run repeatedly, and creates the account only when it is missing:

<#
  Enter a unique name for the $userName variable.
  You will need this account name again for the LAPS portion of this tutorial.
#>
$userName = "***"

$userExists = (Get-LocalUser).Name -contains $userName

if ($userExists) {
    Write-Host "$userName exists"
    Exit 0
}
else {
    Write-Host "$userName does not exist, creating it"

    # Never create an administrator account with a blank password. Give it a
    # random 256-bit initial password that is thrown away immediately; Windows
    # LAPS sets and backs up the real password once the LAPS policy applies.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initialPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-LocalUser -Name $userName -Password $initialPassword -AccountNeverExpires -PasswordNeverExpires | Out-Null

    # Exit 0 so Intune records the run as succeeded; Exit 1 would show as a failure.
    Exit 0
}

Use this code, replacing *** with a username of your choosing, and save it as a .ps1 file. Pick a name that does not collide with an existing account (including the built-in Administrator). You will need this account name again for the LAPS portion of this tutorial.

Next, sign in to the Intune admin center with an account that is permitted to add device scripts.
Select Devices, then Scripts, then Add, and finally Windows 10 and later.

Intune Device Script Settings

Give your script a unique name that describes its action. On the Script settings tab, upload the .ps1 file we made previously as the Script location, then match your settings to the image below. The setting that matters most is Run this script using the logged on credentials, which must be No: creating a local account requires the SYSTEM context, and a standard user's session would fail. Leave Enforce script signature check at No unless you actually sign the script.

Script Settings

The next tab assigns the script to the appropriate device group. Then Review + add, and we're all set. Once the script has run on a device, the local account exists there.

Note: this step does not give the account a password that anyone knows or can use. In later steps we'll use Windows LAPS to set and manage the password for this user. You can read more about LAPS here:
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
Next, we'll ensure the user is a member of the Administrators group.

Create a Profile to Add the User

Ensure you're signed in to https://endpoint.microsoft.com with the appropriate credentials to complete this task. Then navigate to:
Endpoint security, then under Manage on the left, select Account protection.
From there select Create Policy.
Ensure your settings are as follows:

Create Profile Settings

Platform: Windows 10 and Later
Profile: Local User Group Membership
- Don't get ahead of yourself here. The account needs to be an Administrator before we hand it to LAPS; LAPS manages the password, not the group membership.

The next step will ask you to provide a name for your new policy, and a description if you wish. The next window is the important one.

Local Users and Groups setting

Local Group: Administrators - This is the local group our user will be added to.
Group and User Action: Add (Update) - We're adding the user. This can be set to Remove or Replace later if needed (Replace clears every existing member that is not listed, so use it with care).
User Selection: Manual - This asks for the username, Domain\Username, or the SID of the user. Use the name of the account we created in Step 1; the SID is the more robust choice if you expect the account to be renamed.

You can tab through the Scope tags settings as they are not required. Assign this policy to the same device group that received the script, so the account exists on the device by the time the membership policy applies. Read the remaining settings and decide whether you want to change anything; in this case we can simply create the new policy once it is assigned correctly.

Congratulations! You now have a user that is a member of the local Administrators group. But hold on: we still don't have a usable, retrievable password for this user, and an administrator account nobody can audit is a liability rather than an asset. Next, we'll configure LAPS to manage the password for this user.
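Before moving on to LAPS it is worth confirming, on a device, that the two steps above did what the portal says they did. The following verification script is an added example and is not part of the original tutorial; it assumes $userName is the account name you chose in the creation script. Run it in an elevated PowerShell session on an enrolled device after the script and the Local User Group Membership profile have had time to apply.

```powershell
# Added verification script; not part of the original tutorial. Run elevated on an
# enrolled device. $userName is an assumption: set it to the name you chose earlier.
$userName = "***"

function Get-AdministratorsMembers {
    # Get-LocalGroupMember fails on some builds when Administrators contains cloud
    # (Entra ID) principals it cannot translate, so fall back to ADSI in that case.
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource, SID
    }
    catch {
        Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); using ADSI enumeration."
        $group = [ADSI]"WinNT://./Administrators,group"
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            [pscustomobject]@{
                Name            = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
                ObjectClass     = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
                PrincipalSource = 'Unknown'
                SID             = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
            }
        }
    }
}

$user = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Warning "Account '$userName' does not exist on this device. Check the script's Device status in Intune."
    return
}

# PasswordLastSet tells you who set the current password: the creation script
# (LAPS has not rotated it yet) or Windows LAPS (after its policy has applied).
$user | Format-List Name, Enabled, SID, PasswordRequired, PasswordLastSet, LastLogon

$members = Get-AdministratorsMembers

# Match on SID, not on name, so a renamed or look-alike account cannot pass the check.
if ($members | Where-Object { "$($_.SID)" -eq "$($user.SID)" }) {
    "'$userName' is a member of the local Administrators group."
}
else {
    Write-Warning "'$userName' exists but is NOT in Administrators. Check the profile assignment and that the name matches exactly."
}

# Everything else holding local admin on this device. Anything you cannot explain
# (a stale account, a cloud group you did not intend) deserves a follow-up.
"Other members of Administrators:"
$members | Where-Object { "$($_.SID)" -ne "$($user.SID)" } |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize
```

The final listing is the part worth reading carefully: the membership policy adds our account, but it does not remove anything, so this is the moment to notice accounts or cloud groups that should not be there.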

Use LAPS for Password Management

Before we get too far ahead of ourselves, LAPS has to be enabled for the tenant. Sign in to https://portal.azure.com, select Microsoft Entra ID, then Devices, then Device settings, and set Enable Microsoft Entra Local Administrator Password Solution (LAPS) to Yes (older portals label it Azure AD LAPS). Without this, devices cannot back up passwords to Entra ID and the policy below will report errors.

Enable LAPS in Microsoft Entra ID

As with the previous step, ensure you're signed in to https://endpoint.microsoft.com with the appropriate credentials to complete this task. Then navigate to:
Endpoint security, then under Manage on the left, select Account protection.
From there select Create Policy.
Ensure your settings are as follows:

Create LAPS Profile Settings

Platform: Windows 10 and Later
Profile: Local admin password solution (Windows LAPS) (preview)
- This lets LAPS set, rotate, and back up the password of the account we created.

The next step will ask you to provide a name for your new policy, and a description if you wish. Next we'll get into the specifics of this profile.

Detailed LAPS Settings

You have a lot of options here. Most of them depend on your environment and how the account will be used. Let's break them down:

  1. Backup Directory: This is where the password is backed up to, and therefore where you retrieve it from.
    • Disabled: The password isn't backed up and LAPS does not manage the account. There is no reason to choose this if you've come this far.
    • Backup the password to Azure AD only: The password is stored in Microsoft Entra ID and read back through the Intune or Entra portals. This is the option for Entra joined, Intune-managed devices.
    • Backup the password to Active Directory only: The password is stored on the computer object in on-premises Active Directory. This only applies to domain-joined devices and requires the on-prem LAPS schema and permissions, so it is not for the devices in this tutorial.
    • Not configured: Behaves like Disabled.
  2. Password Age Days: How old (in days) the password can get before LAPS rotates it. If you don't configure this setting, it defaults to 30 days.
  3. Administrator Account Name: The account we set up in the previous step. If you leave this empty, LAPS manages the built-in Administrator account instead, so set it explicitly.
  4. Password Complexity: The more complex the better for an administrator password. If you don't configure this setting it defaults to large letters + small letters + numbers + special characters.
  5. Password Length: The minimum here is 8 characters, the maximum 64, and the default is 14.
  6. Post Authentication Actions: What LAPS does once the grace period (#7) that starts when someone authenticates with the managed account has expired. This is what stops a password that has been handed to a technician from staying valid until Password Age Days (#2) runs out.
    • Reset the password: Upon expiry of the grace period, the managed account password is reset.
    • Reset the password and log off the managed account: Upon expiry of the grace period, the managed account password is reset and any interactive logon sessions using the managed account are terminated.
    • Reset the password and reboot: Upon expiry of the grace period, the managed account password is reset and the managed device is immediately rebooted.
    • Not configured: Defaults to resetting the password and logging off the managed account.
  7. Post Authentication Reset Delay: The amount of time in hours after an authentication before the Post Authentication Actions (#6) run. The default is 24 hours, the maximum is 24, and the minimum is 0, which disables post-authentication actions entirely.

You can tab through the Scope tags settings as they are not required. Assign this policy to the correct device or user group and carry on; if you need to come back to it later, the policy lives under intune.microsoft.com > Endpoint security > Account protection.

Read the remaining settings and decide whether you want to change anything. In this case we can simply create the new policy once it is assigned correctly.

Here's where you find the password. In the Intune admin center, go to Devices > Windows, choose your Windows device, then Local admin password. If you don't see anything here, the device either hasn't processed the policy yet or the policy isn't assigned correctly. Viewing the password requires a privileged directory role, and each retrieval is recorded in the Entra ID audit log, so treat every read as a logged, attributable event rather than a routine lookup.
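When the blade is empty, the device itself will tell you why, and the portal is not the only way to read the password back. The following is an added example, not code from the original tutorial: one function to run elevated on the managed device to force policy processing and show the effective LAPS settings and recent LAPS events, and one to run from an admin workstation to retrieve the backed-up password with the Windows LAPS PowerShell module over Microsoft Graph. It assumes the built-in LAPS module is present (supported Windows 10/11 builds), that the Microsoft.Graph.Authentication module is installed on the workstation, and $DeviceName is the device's Entra ID display name.

```powershell
# Added example; not part of the original tutorial. Requires the Windows LAPS
# module on the device and Microsoft.Graph.Authentication on the workstation.

function Test-LapsDeviceState {
    # Run elevated on the managed device.
    # Ask LAPS to evaluate policy now instead of waiting for its next scheduled pass.
    Invoke-LapsPolicyProcessing -Verbose

    # Effective policy. Which key is populated depends on how the policy was
    # delivered (Group Policy vs. CSP), so both locations are checked (assumption).
    # Value names match the settings in the Intune profile.
    $settings = 'BackupDirectory', 'AdministratorAccountName', 'PasswordAgeDays',
                'PasswordComplexity', 'PasswordLength',
                'PostAuthenticationResetDelay', 'PostAuthenticationActions'
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\Config') {
        if (Test-Path $key) {
            "== $key"
            Get-ItemProperty -Path $key | Format-List $settings
        }
    }

    # Recent LAPS activity. Errors here (managed account not found, backup to
    # Entra ID failed, LAPS not enabled in the tenant) explain an empty
    # "Local admin password" blade in the portal.
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 25 -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { $_.Message.Split("`n")[0] } } -AutoSize -Wrap
}

function Get-ManagedAdminPassword {
    param(
        [Parameter(Mandatory)] [string] $DeviceName,
        [switch] $AsPlainText
    )
    # Run from an admin workstation. DeviceLocalCredential.Read.All is the Graph
    # permission that governs reading the password; the signed-in account also
    # needs a directory role allowed to recover local administrator passwords.
    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

    # Without -AsPlainText the Password property stays a SecureString, which is
    # the form to prefer unless you are about to type it into a logon prompt.
    Get-LapsAADPassword -DeviceIds $DeviceName -IncludePasswords -AsPlainText:$AsPlainText |
        Format-List DeviceName, Account, Password, PasswordExpirationTime, PasswordUpdateTime
}

# Usage:
#   On the device (elevated):      Test-LapsDeviceState
#   From an admin workstation:     Get-ManagedAdminPassword -DeviceName 'LAPTOP-01' -AsPlainText
```

PasswordExpirationTime in the retrieval output is the Password Age Days clock; once you have used the password interactively, expect PasswordUpdateTime to move forward after the Post Authentication Reset Delay, which is the quickest way to confirm that setting is doing its job.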