Add the primary user of a device to local administrators group with PowerShell and no CSP
In this post we will see how to add, on each Intune-enrolled device, the device's primary user to the local Administrators group.
Context
- You want every primary user to be a local admin of their own device
- You want an automated way to do this
- You want to first remove all other members of the group except Administrator
Prerequisites
In this example we will use the Graph API.
We will use an Azure application for the Graph module authentication.
We will see in the next post how to create this application.
Of course, you can also connect with credentials.
Get the script
Click on the picture below to get the script
How does it work?
The script is called Add_PrimaryUser_asAdmin_without_Remove.ps1
The script works as below:
1. Install the module Microsoft.Graph.Intune
2. Connect to Graph through the Azure app
3. Get the current device information
4. Get the device ID
5. Build the query to get the primary user
6. Get the primary user of the device
7. Convert the primary user object ID to an SID
8. Add this SID to the Administrators group
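Steps 1 to 8 as one PowerShell script. This is an added example, not the post's Add_PrimaryUser_asAdmin_without_Remove.ps1. It assumes an Azure app with read permission on managed devices already exists (the post describes creating it in a later article); the $AppId and $ClientSecret values are placeholders, and the lookup by device name, the `deviceManagement/managedDevices/{id}/users` endpoint and the GUID-to-SID conversion are my choices, not necessarily the author's.

```powershell
# Added example (not the post's script). Assumes the Microsoft.Graph.Intune
# cmdlets below and the managedDevices/{id}/users endpoint.
param(
    [Parameter(Mandatory)] [string] $AppId,        # placeholder: app (client) ID
    [Parameter(Mandatory)] [string] $ClientSecret  # placeholder: app client secret
)

# 1. Install the module if it is missing (CurrentUser scope needs no elevation)
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph.Intune)) {
    Install-Module -Name Microsoft.Graph.Intune -Scope CurrentUser -Force
}
Import-Module Microsoft.Graph.Intune

# 2. Connect to Graph through the Azure app (client credentials flow)
Update-MSGraphEnvironment -AppId $AppId -Quiet
Connect-MSGraph -ClientSecret $ClientSecret | Out-Null

# 3-4. Get the current device and its Intune device ID. Lookup by device name
#      is an assumption; if names are not unique in your tenant, filter on
#      serialNumber instead.
$device = Get-IntuneManagedDevice -Filter "deviceName eq '$env:COMPUTERNAME'" |
          Select-Object -First 1
if (-not $device) { throw "Device $env:COMPUTERNAME not found in Intune" }
$deviceId = $device.id

# 5-6. Build and run the query that returns the primary user
$url  = "deviceManagement/managedDevices/$deviceId/users"
$user = (Invoke-MSGraphRequest -HttpMethod GET -Url $url).value | Select-Object -First 1
if (-not $user) { throw "No primary user assigned to $env:COMPUTERNAME" }

# 7. Convert the Azure AD object ID (a GUID) to a SID. Azure AD principals
#    map to S-1-12-1-<the 16 GUID bytes read as four UInt32 values>.
function Convert-ObjectIdToSid {
    param([Parameter(Mandatory)] [string] $ObjectId)
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $parts = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $parts, 0, 16)
    return 'S-1-12-1-' + ($parts -join '-')
}
$userSid = Convert-ObjectIdToSid -ObjectId $user.id

# 8. Add the SID to the Administrators group. The group is addressed by its
#    well-known SID S-1-5-32-544 so the localized group name does not matter,
#    and the add is skipped if the user is already a member.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'
if (@($members.SID.Value) -notcontains $userSid) {
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $userSid
}
Write-Output "Primary user $($user.userPrincipalName) ($userSid) is a local administrator"
```

Because this script is deployed to every device, the client secret embedded in it can be read by anyone who can read the script on the endpoint. Grant the app only the read permission it needs for this query (DeviceManagementManagedDevices.Read.All) rather than any write permission, so a leaked secret cannot be used to change tenant configuration.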
Going further
The script is called Add_PrimaryUser_asAdmin_with_Remove.ps1
Now let's add our third point and remove existing members of the Administrators group except Administrator.
We will use the same steps as before, up to step 8.
We will then proceed as below:
9. Get the admin account name (the name may change depending on the OS language)
10. Get local admin group information
11. Get the existing members of the group
12. Remove all members except Administrator
13. Add the primary user SID to local admin group
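Steps 9 to 13 as a stand-alone PowerShell script. This is an added example, not the post's Add_PrimaryUser_asAdmin_with_Remove.ps1. It assumes $PrimaryUserSid already holds the SID produced in step 7 and identifies the built-in Administrator by its relative ID 500 instead of its language-dependent name; the SupportsShouldProcess handling for a -WhatIf dry run is my addition.

```powershell
# Added example (not the post's script). Expects the SID computed in step 7.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $PrimaryUserSid   # e.g. 'S-1-12-1-...' from step 7
)

$adminGroupSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# 9. Get the built-in admin account: it is the local account whose RID is 500,
#    whatever its display name is on this OS language
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtinAdmin) { throw 'Built-in Administrator account (RID 500) not found' }
Write-Verbose "Built-in administrator account is '$($builtinAdmin.Name)'"

# 10. Get local admin group information
$adminGroup = Get-LocalGroup -SID $adminGroupSid

# 11. Get the existing members of the group
$members = @(Get-LocalGroupMember -SID $adminGroupSid)

# 12. Remove all members except Administrator (and the primary user, if already
#     present). Compare SIDs rather than names: Azure AD members appear as
#     'AzureAD\user' and orphaned entries appear as bare SIDs.
$keep = @($builtinAdmin.SID.Value, $PrimaryUserSid)
foreach ($m in $members) {
    if ($keep -contains $m.SID.Value) { continue }
    if ($PSCmdlet.ShouldProcess($m.Name, "Remove from $($adminGroup.Name)")) {
        try {
            Remove-LocalGroupMember -SID $adminGroupSid -Member $m.SID.Value -ErrorAction Stop
        } catch {
            # Orphaned SIDs occasionally fail to resolve; report and continue
            Write-Warning "Could not remove $($m.Name): $($_.Exception.Message)"
        }
    }
}

# 13. Add the primary user SID to the group if it is not already a member
if ($members.SID.Value -notcontains $PrimaryUserSid) {
    if ($PSCmdlet.ShouldProcess($PrimaryUserSid, "Add to $($adminGroup.Name)")) {
        Add-LocalGroupMember -SID $adminGroupSid -Member $PrimaryUserSid
    }
}
```

Run it once with `-WhatIf` to see exactly which members would be removed before deploying it. Note that "everything except Administrator" also covers the Azure AD role SIDs that Azure AD join places in the group for Global Administrators and Azure AD Joined Device Administrators; if you rely on those for support access, add their SIDs to the $keep list before rolling this out.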
Implement it in Intune
Now that we have our script, we need to run it automatically through Intune.
For that you can imagine different ways:
- Simple PowerShell scripts
- Win32 application
- Proactive Remediation (we will see that in next post)
1 comment
This appears that it could be helpful in the future. Thanks.
I was wondering if you have a means to restrict logins to the primary user.
We need an automated way of blocking all other logins except Primary user and Administrators.