Add the primary user of a device to local administrators group with PowerShell and no CSP

1 A+ A-

In this post we will how to add, on each Intune enrolled devices, the primary user of the device in the local admin group.


- You want that all primary users are local admin of their own device

- You want an automate way to do this

- You want to remve first other members of the group except Administrator


In this example we will use the Graph API.

We will use an Azure application for the graph module authentification.

We will see in the next post how to create this application.

Of course, you can also connect with credentials.

Get the script

Click on the picture below to get the script

There are two scripts:
- Add_PrimaryUser_asAdmin_with_Remove.ps1
- Add_PrimaryUser_asAdmin_without_Remove.ps1

The first one will remove existing user from local admin group and add the primary user of the device
The second will add the primary user of the device to local admin group

How does it work ?

The script is called, Add_PrimaryUser_asAdmin_without_Remove.ps1

The script works as below:

1. Install the module Microsoft.Graph.Intune

2. Connect to Graph through the Azure app

3. Get the current device informtions

4. Get the device ID

5. Build the query to get the primary user

6. Get the primary user of the device

7. Convert the primary user object ID to an SID

8. Add this SID in the group Administratos

Going further

The script is called, Add_PrimaryUser_asAdmin_with_Remove.ps1

Now let's add our third point and remove existing members of the Administrators group except Administrator.

We will use the same step previous step except until 8.

We will then proceed as below:

9. Get the admin account name (the name may change depending of the OS language)

10. Get local admin group informations

11. Get existing member of the group

12. Remove all members except Administrator 

13. Add the primary user SID to local admin group

Implement it in Intune

Now we have our script we need to run it automatically through Intune.

For that you can imagine different ways:

- Simple PowerShell scripts

- Win32 application

- Proactive Remediation (we will see that in next post)

Microsoft Endpoint manager 3083607477703696123

Enregistrer un commentaire

1 commentaire

Unknown a dit…

This appears that it could be helpful in the future. Thanks.

I was wondering if you have a means to restrict logins to the primary user.

We need an automated way of blocking all other logins except
Primary usr
and Administrators.

Accueil item



Learn KQL in one month

You want to support me ?

Mes articles en français

Books in French