In the on-premises world, many organizations use the Restricted Groups Group Policy setting to place their own workstation admin groups into the local Administrators group on domain-joined machines, and of course to remove other rogue local administrators.

In the modern cloud-first world, I couldn't find any UI that can configure Restricted Groups settings the same way. I did find the setting Additional local administrators on Azure AD joined devices, which lets us add additional local admins but not remove unwanted ones. That setting is tenant-wide and applies to all Azure AD joined machines, so it is not exactly what I am looking for.


Maybe many of you, like me, want more control over who is an admin on Azure AD joined machines? There is good news and bad news, but let's explore the possibilities first.

Good news first

The RestrictedGroups Policy CSP arrived with Windows 10 version 1803, so we can now use Microsoft Intune to configure Restricted Groups settings. More details are available at the links below:
https://docs.microsoft.com/en-us/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#a-href-idwhatsnew1803awhats-new-in-windows-10-version-1803
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-restrictedgroups

I finally got some time to test this new policy and got it working.

This is my Administrators group before I configure the Restricted Groups policy:

Download the PsExec tool, run psexec.exe -i -s cmd.exe, and in the command prompt that PsExec opens, enter powershell.exe to start PowerShell. Running as SYSTEM matters here: the MDM Bridge WMI provider in the root\cimv2\mdm\dmmap namespace is only accessible from the LOCAL SYSTEM account, so the query below fails from a normal elevated prompt.

You should get the same result by running this PowerShell command:

(Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_Policy_Result01_RestrictedGroups02").ConfigureGroupMembership

Let’s configure the settings.

  1. Create a new Custom OMA-URI policy:
    Name: RestrictedGroups (or anything you want)
    OMA-URI:  ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
    Value (tested on Windows 10 1803 Enterprise, where the bare accessgroup element is used):

    <accessgroup desc = "Administrators">
      <member name = "Administrator" />
      <member name = "AzureAD\test01@smsboot.onmicrosoft.com" />
      <member name = "AzureAD\test02@smsboot.onmicrosoft.com" />
    </accessgroup>

    (Tested on Windows 10 Insider 17744, RS5, where the accessgroup element is wrapped in a groupmembership element)

    <groupmembership>
      <accessgroup desc = "Administrators">
        <member name = "Administrator" />
        <member name = "AzureAD\test01@smsboot.onmicrosoft.com" />
        <member name = "AzureAD\test02@smsboot.onmicrosoft.com" />
      </accessgroup>
    </groupmembership>

    In this example I added the local Administrator account and two Azure AD accounts as members of the local Administrators group. If you attempt to remove the local Administrator account, the policy will fail, and you will see an error in the DeviceManagement-Enterprise-Diagnostics-Provider event log:

  2. Assign this policy to a device group.
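As an added example (not code from the original post), the PowerShell below generates the ConfigureGroupMembership value for step 1 from a list of principals instead of hand-editing XML. It always includes the built-in Administrator, because the post observed the policy failing when that account is omitted, prefixes Azure AD users with AzureAD\ as the post's value does, escapes the names properly, and parses the result before handing it back so a malformed value is caught before assignment. The UPNs and the output path are placeholders; the -NoWrapper switch emits the bare accessgroup form shown for 1803 rather than the groupmembership wrapper shown for RS5.

```powershell
# Added example: build the RestrictedGroups ConfigureGroupMembership XML value.
# Not from the original post; UPNs and output path below are placeholders.
function New-RestrictedGroupsValue {
    [CmdletBinding()]
    param(
        [string]$GroupName = 'Administrators',
        # Azure AD users to make local admins, given as plain UPNs (no AzureAD\ prefix).
        [string[]]$AzureAdUser = @(),
        # Additional local accounts to keep, besides the built-in Administrator.
        [string[]]$LocalAccount = @(),
        # Emit the bare <accessgroup> form (1803) instead of the <groupmembership> wrapper (RS5).
        [switch]$NoWrapper
    )

    # The post saw the policy fail when the built-in Administrator was left out
    # of the Administrators group, so it is always included for that group.
    $members = [System.Collections.Generic.List[string]]::new()
    if ($GroupName -eq 'Administrators') { $members.Add('Administrator') }
    foreach ($l in $LocalAccount) { if ($l -ne 'Administrator') { $members.Add($l) } }
    foreach ($u in $AzureAdUser) {
        if ($u -notmatch '^[^@\s]+@[^@\s]+$') { throw "Not a UPN: $u" }
        $members.Add("AzureAD\$u")
    }

    # Use XmlWriter so that names containing &, < or " are escaped correctly.
    $settings = [System.Xml.XmlWriterSettings]::new()
    $settings.OmitXmlDeclaration = $true
    $settings.Indent = $true
    $sb = [System.Text.StringBuilder]::new()
    $w = [System.Xml.XmlWriter]::Create($sb, $settings)
    if (-not $NoWrapper) { $w.WriteStartElement('groupmembership') }
    $w.WriteStartElement('accessgroup')
    $w.WriteAttributeString('desc', $GroupName)
    foreach ($m in ($members | Select-Object -Unique)) {
        $w.WriteStartElement('member')
        $w.WriteAttributeString('name', $m)
        $w.WriteEndElement()
    }
    $w.WriteEndElement()
    if (-not $NoWrapper) { $w.WriteEndElement() }
    $w.Close()
    $xml = $sb.ToString()

    # Round-trip through the parser: the CSP rejects malformed XML, so fail
    # here rather than after the policy has been assigned.
    [void][xml]$xml
    return $xml
}

# Usage: generate the value and paste it into the Custom OMA-URI "Value" field.
$value = New-RestrictedGroupsValue -AzureAdUser 'test01@smsboot.onmicrosoft.com', 'test02@smsboot.onmicrosoft.com'
$value
# Keep the value under change control next to the OMA-URI (placeholder path).
$value | Set-Content -Path "$env:TEMP\RestrictedGroups-Administrators.xml" -Encoding UTF8
# Same membership in the 1803 form:
New-RestrictedGroupsValue -AzureAdUser 'test01@smsboot.onmicrosoft.com' -NoWrapper
```

Names are de-duplicated but otherwise passed through as given; the CSP, not this script, decides whether a principal resolves on the device, so a mistyped UPN still shows up as a policy error in the DeviceManagement-Enterprise-Diagnostics-Provider log rather than here.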

Here is the result:

All other users are removed from the local Administrators group except the local Administrator account, and the Azure AD accounts test01@smsboot.onmicrosoft.com and test02@smsboot.onmicrosoft.com are added.

The Microsoft Intune portal also confirms that the Restricted Groups policy applied successfully.


What is the bad news?!

Sorry, but I have some bad news after testing this process multiple times. The Restricted Groups Policy CSP only applies ONCE: if you make changes to the local Administrators group AFTER the policy has applied, the policy will not apply again to reset those changes. This isn't what I had expected, and I sincerely hope Microsoft can improve it in the near future.
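Because the policy is applied once and not re-enforced, membership drift after that first application goes unnoticed unless something else checks it. The following is an added example, not code from the original post, of a check that can run as SYSTEM on the device (for instance as an Intune PowerShell script or a scheduled task): it reads the applied value back through the same MDM_Policy_Result01_RestrictedGroups02 class queried above, parses the member list out of either XML form, compares it with Get-LocalGroupMember, and with -Remediate removes anything the policy did not list. The function names are mine, and the sample policy XML used for the offline run at the end is constructed for this example.

```powershell
# Added example: detect (and optionally undo) drift in a group managed by the
# RestrictedGroups CSP. Not from the original post. Reading the applied policy
# requires SYSTEM, since root\cimv2\mdm\dmmap is only readable as LOCAL SYSTEM;
# pass -Expected to run the comparison from any elevated session instead.
#Requires -Modules Microsoft.PowerShell.LocalAccounts

function ConvertFrom-RestrictedGroupsXml {
    param([string]$Xml, [string]$GroupName = 'Administrators')
    $doc = [xml]$Xml   # accepts both the bare <accessgroup> and the <groupmembership> wrapper
    $doc.SelectNodes("//accessgroup[@desc='$GroupName']/member") |
        ForEach-Object { $_.GetAttribute('name') }
}

function Get-RestrictedGroupsPolicyMembers {
    param([string]$GroupName = 'Administrators')
    $res = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_Policy_Result01_RestrictedGroups02' -ErrorAction Stop
    ConvertFrom-RestrictedGroupsXml -Xml $res.ConfigureGroupMembership -GroupName $GroupName
}

function Test-LocalGroupDrift {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$GroupName = 'Administrators',
        # Expected member names as written in the policy; read from the device if omitted.
        [string[]]$Expected,
        [switch]$Remediate
    )
    if (-not $Expected) { $Expected = Get-RestrictedGroupsPolicyMembers -GroupName $GroupName }

    # Get-LocalGroupMember reports local accounts as COMPUTER\Name and Azure AD
    # accounts as AzureAD\upn, while the policy names local accounts bare.
    $prefix = "^$([regex]::Escape($env:COMPUTERNAME))\\"
    $current = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop |
        ForEach-Object { [pscustomobject]@{ Principal = $_; Norm = ($_.Name -replace $prefix, '').ToLowerInvariant() } }
    $wanted = @($Expected | ForEach-Object { $_.ToLowerInvariant() })

    $extra   = @($current | Where-Object { $wanted -notcontains $_.Norm })
    $missing = @($Expected | Where-Object { @($current.Norm) -notcontains $_.ToLowerInvariant() })

    foreach ($e in $extra) {
        if ($Remediate -and $PSCmdlet.ShouldProcess($e.Principal.Name, "Remove from $GroupName")) {
            Remove-LocalGroupMember -Group $GroupName -Member $e.Principal
        }
    }
    [pscustomobject]@{
        Group      = $GroupName
        Unexpected = @($extra | ForEach-Object { $_.Principal.Name })
        Missing    = $missing
    }
}

# Usage on a managed device, as SYSTEM; dry run first, then remediate:
#   Test-LocalGroupDrift -Remediate -WhatIf
#   Test-LocalGroupDrift -Remediate

# Offline run against a constructed policy value (no SYSTEM needed):
$samplePolicy = @'
<groupmembership>
  <accessgroup desc="Administrators">
    <member name="Administrator" />
    <member name="AzureAD\test01@smsboot.onmicrosoft.com" />
  </accessgroup>
</groupmembership>
'@
Test-LocalGroupDrift -Expected (ConvertFrom-RestrictedGroupsXml -Xml $samplePolicy)
```

Run it with -WhatIf before trusting -Remediate: everything not named in the policy value is treated as unexpected, including any principals that were in the group before the policy first applied, so the output should be reviewed once per build before the script is scheduled. Missing members are reported but not added, since adding them is what the policy itself is for.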


Sandy has been working in the IT industry since 2009, primarily dealing with SCCM, MDT, Group Policy, software packaging and workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.

comments
  • Peter
    Posted at 09:41 September 4, 2018

    As far as I know you can only use it with user accounts, as you showed in the examples.
    It would be nice if we could add an Azure AD group to the local Administrators group, for example a Helpdesk group.

    • Zeng Yinghua
      Posted at 11:26 September 4, 2018

      Yes, you cannot use an Azure AD group. I would like to have this feature as well.

  • Thomas Leschik
    Posted at 12:50 September 4, 2018

    Hi,
    Thanks for sharing this.
    What about overwriting the entries in the policy and then completely unassigning and reassigning the policy to your users?

    Best regards,
    Thomas

    • Zeng Yinghua
      Posted at 13:27 September 4, 2018

      Hi Thomas, if you make changes to the policy, it will overwrite the old settings; there is no need to unassign and reassign it. Is this what you are asking?

      Regards, Sandy
