MSEndpointMgr

Configure Restricted Groups Policy CSP with Microsoft Intune

In the on-premises world, many organizations use the RestrictedGroup Group Policy setting to place their own workstation admin groups on domain joined machines, and of course to remove other rogue local administrators.

In the modern cloud first world, I couldn’t find any UI can configure Restricted Group settings to apply the same settings. I did however find this setting; Additional local administrators on Azure AD joined devices, where we can add additional local admins, but not remove unwanted admins.  This setting is on tenant level and applied to all Azure AD joined machines.  So this is not exactly what I am looking for.

Maybe many of you are just like me, want to have more control of who is admin for Azure AD joined machines? Now there are good news and bad news.. but let’s explore the possibilities first.

Good news first

RestrictedGroups Policy CSP came with Windows 10 version 1803, we can now use Microsoft Intune configure Restricted Group settings. More details are available on the below links:
https://docs.microsoft.com/en-us/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#a-href-idwhatsnew1803awhats-new-in-windows-10-version-1803
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-restrictedgroups

I finally got some time test this new Policy and got it working.

This is my Administrators group before I configure Restricted Groups policy

Download the psexec tool, run psexec.exe -i -s cmd.exe, in the command prompt launched by psexec.exe, enter powershell.exe to open PowerShell.

You should get the same result by running this PowerShell command:

(Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_Policy_Result01_RestrictedGroups02").ConfigureGroupMembership

Let’s configure the settings.

  1. Create a new Custom OMA-URI policy:
    Name: RestrictedGroups (or anything you want)
    OMA-URI:  ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
    Value: (Note: This is tested in Windows 10 1803 Enterprise)

    <accessgroup desc = "Administrators">
      <member name = "Administrator" />
      <member name = "AzureAD\[email protected]" />
      <member name = "AzureAD\[email protected]" />
    </accessgroup>

    (This is tested on Windows 10 Insider 17744, RS5)

    <groupmembership>
      <accessgroup desc = "Administrators">
        <member name = "Administrator" />
        <member name = "AzureAD\[email protected]" />
        <member name = "AzureAD\[email protected]" />
      </accessgroup>
    </groupmembership>

    In this example, I added the local Administrator, and two Azure AD accounts as member of local Administrators group. If you attempt to remove the local Administrator account the policy will fail, you will also see an error output in the DeviceManagement-Enterprise-Diagnostics-Provider event log:

  2. Assign this policy to devices group.

Here is the result:

All other users are removed from local administrators group except local Administrator account, Azure AD account [email protected] and [email protected] are added.

In Microsoft Intune portal can also confirm Restricted Groups policy applied successfully.

What is the bad news?!

Sorry but I have some bad news having tested this process multiple times. The Restricted Group Policy CSP only applies ONCE, meaning if you make changes to local administrators group AFTER the policy is applied, this policy will not apply again to reset those settings. This isn’t what I had expected, and I sincerely hope Microsoft can improve it in the near future.

Sandy Zeng

Sandy is an Enterprise Mobility MVP since 2018. She is an experienced Information Technology Specialist for over 10 years. Skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft Technologies, she has passions learning new skill sets to improve her professional career and also as her hobbies. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the https://sandyzeng.com blog and is now a blogger on MSEndPointMgr.

10 comments

  • What about users synchronized from AD? When I add those to the policy it fails.

  • It’s an remarkable piece of writing for all the web visitors;
    they will take advantage from it I am sure.

  • Hello,

    Thanks for this guide. Regarding your ‘bad news’, it seems I am able to update the policy in intune and the changes will take effect on machines unless I specify an account that doesn’t exist. In my case the local admin account name was actually changed on the machine but the group membership policy in intune was still set to ‘Administrator’, the policy claimed to apply successfully but never actually did anything. Changes never took effect on the target machine. If I changed the Admin account name to what it actually is, then the policy works all the way through.
    I tried using the SID for the local admin, and also tried removing the ‘Administrator’ member line all together but both those actions also resulted in a new policy not taking effect. I have to explicitly name what the local admin account is currently named, then I can add or remove all the AzureAD users as I wish.

  • Hi Zeng,
    Thank you for the introduction! I have a question, all this settings are applied for all Devices right? I can’t create an OMA-URI for just one device? Example: If i have a Notebook (Device) and add just on this Notebook multiple User Accounts as Admin i also can use this OMA-URI? I need this for Devices, they are rollout with Intune but they would be used by more Users as shared Device. When i add a second AAD User to this Device who isn’t a global administrator it don’t have admin rights. So using this notebook is very annoying for the user. Thanks for your help 🙂

    • hello Marek,
      If you need add an admin to all devices, you can use “Additional local administrators on Azure AD joined devices” from Azure Portal.
      If you want to use this restricted group Policy CSP for some devices or one device, can create a group (assign or dynamic) and add those devices as member of the group.

      Regards, Sandy

  • Hi,
    Thanks for sharing this.
    Whats about overwritting the entrys in the policy and then completly un- and re-assigne the policy to your users?

    Best regards,
    Thomas

    • Hi Thomas, if you make changes to the policy, it will overwrite the old settings, no need to un- and re-assign again. Is this what you are asking?

      Regards, Sandy

  • As far as I know you can only use it with useraccounts as you showed in the examples.
    Would be nice if we could add an Azure AD group to the local administrators group, for example a Helpdesk group.

Sponsors