Manage the local administrators group with Microsoft Intune

How to add the Domain Admins group to the local Administrators group with Microsoft Intune:


For obvious reasons we wanted the Domain Admins group and a dedicated IT group to have local administrator permissions on the laptops and desktops. Of course you can do the same for any other group; you only need its SID.

Start a PowerShell session on a domain-joined machine that has the Active Directory module (part of RSAT) installed, and run the following to get the SID of the Domain Admins group:

 Import-Module ActiveDirectory    # needs RSAT / the AD PowerShell module
 (Get-ADGroup -Identity "Domain Admins").SID.Value

This prints the SID of the group (without the .SID.Value part you get the whole group object, with the SID as one of its properties). For Domain Admins the SID always ends in -512, the well-known RID of that group; the example value further down in this post has that form. Copy the SID, as that is the only piece of information Intune needs.
Now that we have the SID for the Domain Admins group we can use it in Intune. Open the Microsoft Endpoint Manager admin center and go to Devices > Windows > Configuration profiles.


Next create a new profile, choose Windows 10 and later as the platform and Custom as the profile type. In the next step you give the profile a name that makes it easy to find again and a description of what it does. The second step is to add your configuration (an OMA-URI setting) to the profile, which looks like this:


Name and description are again yours to choose, but the data type must be String and the OMA-URI must be exactly the following:

./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership


And this is the text that goes in the "Value" field. You only need to change the SID to the one you got from PowerShell. If you want to add a second group, add an extra member line with its SID inside the same accessgroup element. Be aware that ConfigureGroupMembership replaces the membership of the local Administrators group: any account or group that is not listed here is removed from it when the policy applies, so keep the local Administrator account in the list unless you really want it gone.

<groupmembership>
    <accessgroup desc = "Administrators">
        <member name = "Administrator" />
        <member name = "S-1-5-21-3854696796-2659450143-2006602419-512" />
    </accessgroup>
</groupmembership>


Follow the rest of the steps to create the profile, such as assigning it to a group of computers, and then you're done. Because the policy overwrites the group membership, assign it to a small pilot group first and check the Administrators group on one of those devices before rolling it out to everyone.
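The steps above done in one script, as an added example that is not part of the original post: it looks up the SIDs of the groups you want, builds the ConfigureGroupMembership value with an XML writer so it is always well-formed, and includes a small function you can run on an enrolled device to compare the real Administrators membership with what the profile should enforce. The group name "IT Workstation Admins" is a placeholder for your own IT group, and the script assumes the ActiveDirectory module (RSAT) is installed; the local account name defaults to Administrator as in the post.

```powershell
# Added example, not code from the original post.
# Builds the RestrictedGroups/ConfigureGroupMembership value from AD group
# names and verifies the result on a device. "IT Workstation Admins" is a
# placeholder group name; assumes the ActiveDirectory module (RSAT) is present.
param(
    [string[]]$DomainGroups = @('Domain Admins', 'IT Workstation Admins'),
    [string]$LocalAccount   = 'Administrator'
)

function Get-DomainGroupSid {
    # Resolve each group name to its SID; fail loudly on unknown groups.
    param([Parameter(Mandatory)][string[]]$Names)
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($name in $Names) {
        $sid = (Get-ADGroup -Identity $name -ErrorAction Stop).SID.Value
        # Domain Admins always carries the well-known RID 512: cheap sanity check.
        if ($name -eq 'Domain Admins' -and $sid -notmatch '-512$') {
            throw "Unexpected SID for Domain Admins: $sid"
        }
        $sid
    }
}

function New-RestrictedGroupsXml {
    # Produce the exact text that goes into the Intune "Value" field.
    param(
        [Parameter(Mandatory)][string[]]$MemberSids,
        [string]$LocalAccount = 'Administrator'
    )
    $sb = New-Object System.Text.StringBuilder
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true
    # An XmlWriter escapes quotes/ampersands for us; string concatenation would not.
    $w = [System.Xml.XmlWriter]::Create($sb, $settings)
    $w.WriteStartElement('groupmembership')
    $w.WriteStartElement('accessgroup')
    $w.WriteAttributeString('desc', 'Administrators')
    foreach ($m in (@($LocalAccount) + $MemberSids)) {
        $w.WriteStartElement('member')
        $w.WriteAttributeString('name', $m)
        $w.WriteEndElement()
    }
    $w.WriteEndElement()
    $w.WriteEndElement()
    $w.Flush()
    $w.Close()
    $sb.ToString()
}

function Test-LocalAdministrators {
    # Run this on an enrolled device after the policy applied. Because
    # ConfigureGroupMembership replaces the membership, anything listed under
    # Unexpected was removed by design and anything under Missing means the
    # policy did not apply as intended.
    param(
        [Parameter(Mandatory)][string[]]$DomainSids,
        [string]$LocalAccount = 'Administrator'
    )
    $localSid = (Get-LocalUser -Name $LocalAccount).SID.Value
    $expected = @($localSid) + $DomainSids
    $actual   = @((Get-LocalGroupMember -Group 'Administrators').SID.Value)
    [pscustomobject]@{
        Missing    = @($expected | Where-Object { $_ -notin $actual })
        Unexpected = @($actual   | Where-Object { $_ -notin $expected })
    }
}

# On the admin workstation: build the value and put it on the clipboard.
$sids = Get-DomainGroupSid -Names $DomainGroups
$xml  = New-RestrictedGroupsXml -MemberSids $sids -LocalAccount $LocalAccount
[xml]$parsed = $xml                     # throws if the markup is not well-formed
if ($parsed.groupmembership.accessgroup.member.Count -ne ($sids.Count + 1)) {
    throw 'Member count does not match the requested groups'
}
$xml | Set-Clipboard                    # paste into the Intune "Value" field
$xml

# On a pilot device (same $sids list): Test-LocalAdministrators -DomainSids $sids
```

The verification function is the part worth keeping around: an empty Missing and an empty Unexpected list on a pilot device is the signal that the profile applied and that nobody else (for example a user who added themselves to Administrators earlier) is still in the group.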
