Windows – Local Admin

I had a real struggle finding a suitable solution to provide local admin access to a select group of users so they could be a local admin on their own machines.

(Update 03/Feb/2022 – There is a new update in Intune / MEM that helps support some of this, but I still dont think it will help us at scale).

We already had LAPS, but struggled to delegate individual device LAPS passwords to individual users. We had a local admin group for IT Admin staff, making members of the group local admin – but that was applied to everyone; So all members of the group were local admin on all devices.

The Solution….

1. Group Policy (You’ll need to configure this first).
2. Powershell Script (You’ll need to run this second and add your own config).

Group Policy…

GPOs support variables such as %ComputerName%, so create a (Computer) GPO to add DOMAIN\grpLocalAdmin-%ComputerName% to the local Administrators group of your target workstations.

You can scope this to all machines if you wish, or you just target it at the AD group of computers created later.

Powershell Script

The next part is the powershell. You can run this manually for testing, but ideally this will need to be run periodically (I’d suggest daily or twice daily depending on the rate of change). It will:-

  • Check an AD Group for a list of users who should be local admins.
  • Check with Intune / Azure AD where that user is the device owner.
    • this means you can freshstart / rebuild / re-issue devices and they’ll get local admin to their new device.
  • Create a Domain security group for each computer (that the group policy looks at).
  • Add the user, to their specific security group.
  • Adds the computers into relevant group (you can target the GPO at this group – or at everyone).
  • Clean-Up after its self e.g. if you remove someone from a group, it’ll remove them from the group, and remove the computer from the group.

Download the Script from here:-

glued2/local-admin: Local Admin – Powershell Scripts (github.com)

Steps:

  1. Create the access to Azure AD.
    1. The script will need a certificate to connect to Azure AD, you’ll also need your AppID.
    2. You’ll need to identify your Tenant ID.
  2. Identity the OU Structure you’re going to use