In the on-premises world, many organizations use the Restricted Groups Group Policy setting to place their own workstation admin groups into the local Administrators group of domain-joined machines, and of course to remove any other rogue local administrators.

In the modern cloud-first world, I couldn’t find any UI that can configure Restricted Groups settings to apply the same thing. I did however find this setting, Additional local administrators on Azure AD joined devices, where we can add additional local admins, but not remove unwanted admins. This setting is at tenant level and applies to all Azure AD joined machines, so it is not exactly what I am looking for.

Maybe many of you are just like me and want more control over who is an admin on Azure AD joined machines? There is good news and bad news, but let’s explore the possibilities first.

Good news first

The RestrictedGroups Policy CSP came with Windows 10 version 1803, so we can now use Microsoft Intune to configure Restricted Groups settings. More details are available at the links below:
https://docs.microsoft.com/en-us/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#a-href-idwhatsnew1803awhats-new-in-windows-10-version-1803
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-restrictedgroups

I finally got some time to test this new policy and got it working.

This is my Administrators group before I configure the Restricted Groups policy:

Download the PsExec tool and run psexec.exe -i -s cmd.exe; in the command prompt launched by psexec.exe, enter powershell.exe to open PowerShell. This gives you a PowerShell session running as SYSTEM, which is required because the MDM bridge WMI namespace queried below cannot be read from a normal user or even an elevated admin session.

You should get the same result by running this PowerShell command:

(Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_Policy_Result01_RestrictedGroups02").ConfigureGroupMembership

Let’s configure the settings.

  1. Create a new Custom OMA-URI policy:
    Name: RestrictedGroups (or anything you want)
    OMA-URI:  ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
    Value (this format is tested in Windows 10 1803 Enterprise, where the accessgroup element is the root):

    <accessgroup desc = "Administrators">
      <member name = "Administrator" />
      <member name = "AzureAD\test01@smsboot.onmicrosoft.com" />
      <member name = "AzureAD\test02@smsboot.onmicrosoft.com" />
    </accessgroup>

    (This format is tested on Windows 10 Insider 17744, RS5, where the same accessgroup is wrapped in a groupmembership element:)

    <groupmembership>
      <accessgroup desc = "Administrators">
        <member name = "Administrator" />
        <member name = "AzureAD\test01@smsboot.onmicrosoft.com" />
        <member name = "AzureAD\test02@smsboot.onmicrosoft.com" />
      </accessgroup>
    </groupmembership>

    In this example, I added the local Administrator and two Azure AD accounts as members of the local Administrators group. If you attempt to remove the local Administrator account, the policy will fail, and you will also see an error in the DeviceManagement-Enterprise-Diagnostics-Provider event log:

  2. Assign this policy to a device group.
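To make building the value less error-prone, here is an added PowerShell example (my addition as editor, not code from the original post or from Microsoft). It writes the ConfigureGroupMembership XML for either the 1803 layout (bare accessgroup) or the RS5 layout (groupmembership wrapper) from a plain list of member names, lets System.Xml do the escaping, and refuses to produce a value that omits the built-in administrator, since the post observed the policy failing in that case. The function name New-RestrictedGroupValue and the parameter names are my own; it assumes the Get-LocalUser cmdlet that ships with Windows 10, and resolving the RID-500 account by SID rather than hard-coding "Administrator" is an assumption that covers machines where that account was renamed.

```powershell
# Added example, not from the original post: build the OMA-URI value
# ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
# from a list of members. Function and parameter names are this example's own.
function New-RestrictedGroupValue {
    param(
        [Parameter(Mandatory)] [string[]] $Members,
        [string] $GroupName = 'Administrators',
        # $true  = RS5 (17744+) layout with the <groupmembership> wrapper
        # $false = 1803 layout where <accessgroup> is the root element
        [bool] $Wrapped = $true
    )

    # Current name of the built-in administrator (RID 500) on this machine.
    # Assumption: resolving it by SID covers a renamed account; the post found
    # the policy fails when the built-in account is left out of the list.
    $builtinAdmin = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).Name
    if ($Members -notcontains $builtinAdmin) {
        throw "The built-in administrator ('$builtinAdmin') must stay a member; the policy fails without it."
    }

    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.OmitXmlDeclaration = $true
    $settings.Indent = $true
    $sb = New-Object System.Text.StringBuilder
    $writer = [System.Xml.XmlWriter]::Create($sb, $settings)

    if ($Wrapped) { $writer.WriteStartElement('groupmembership') }
    $writer.WriteStartElement('accessgroup')
    $writer.WriteAttributeString('desc', $GroupName)
    foreach ($member in $Members) {
        $writer.WriteStartElement('member')
        # XmlWriter escapes &, <, > and quotes in names, so no manual escaping is needed
        $writer.WriteAttributeString('name', $member)
        $writer.WriteEndElement()
    }
    $writer.WriteEndElement()
    if ($Wrapped) { $writer.WriteEndElement() }
    $writer.Flush()
    $writer.Close()
    return $sb.ToString()
}

# Constructed sample input using the same accounts as the post; paste the
# output into the Value field of the custom OMA-URI setting.
$value = New-RestrictedGroupValue -Members @(
    'Administrator',
    'AzureAD\test01@smsboot.onmicrosoft.com',
    'AzureAD\test02@smsboot.onmicrosoft.com'
) -Wrapped $true
$value
```

The output uses desc="Administrators" rather than the desc = "Administrators" spacing shown in the post; both are the same XML, and the CSP accepts either. Pass -Wrapped $false to get the 1803 layout.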

Here is the result:

All other users are removed from the local Administrators group except the local Administrator account, and the Azure AD accounts test01@smsboot.onmicrosoft.com and test02@smsboot.onmicrosoft.com are added.

The Microsoft Intune portal also confirms that the Restricted Groups policy applied successfully.

What is the bad news?!

Sorry, but I have some bad news, having tested this process multiple times. The Restricted Groups Policy CSP only applies ONCE, meaning that if you make changes to the local Administrators group AFTER the policy is applied, this policy will not apply again to reset those settings. This isn’t what I had expected, and I sincerely hope Microsoft can improve it in the near future.
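Since the CSP does not re-enforce membership, the practical mitigation is to detect drift yourself. The following is an added PowerShell example (mine as editor, not from the original post) that reads the applied policy through the same MDM bridge class the post queries, parses the member list out of either XML layout, and compares it with what Get-LocalGroupMember reports for the local Administrators group right now. It must run as SYSTEM (psexec -i -s, as described above) because the root\cimv2\mdm\dmmap namespace is only readable from that context. The function names Get-PolicyMembers and Get-RestrictedGroupDrift are my own, and the offline sample XML at the end is constructed from the accounts in the post.

```powershell
# Added example, not from the original post: report accounts that were added to
# or removed from the local Administrators group after the policy applied.

function Get-PolicyMembers {
    # Extract member names from a ConfigureGroupMembership value. The XPath
    # matches both the 1803 layout (accessgroup as root) and the RS5 layout
    # (accessgroup inside groupmembership).
    param([Parameter(Mandatory)] [string] $Xml, [string] $GroupName = 'Administrators')
    $doc = [xml] $Xml
    $doc.SelectNodes("//accessgroup[@desc='$GroupName']/member") | ForEach-Object { $_.name }
}

function Get-RestrictedGroupDrift {
    param([string] $GroupName = 'Administrators')

    # Same class and property the post reads; requires the SYSTEM context.
    $result = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_Policy_Result01_RestrictedGroups02'
    if (-not $result -or -not $result.ConfigureGroupMembership) {
        throw 'No RestrictedGroups policy result found (not enrolled, not applied yet, or not running as SYSTEM).'
    }

    $expected = @(Get-PolicyMembers -Xml $result.ConfigureGroupMembership -GroupName $GroupName)
    if ($expected.Count -eq 0) { throw "Policy value contains no members for '$GroupName'." }

    # Local accounts come back as COMPUTER\name; strip the prefix so they match
    # the bare names used in the policy. Azure AD accounts are already reported
    # as AzureAD\user@tenant, the same form the policy uses.
    $prefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
    $actual = @(Get-LocalGroupMember -Group $GroupName | ForEach-Object { $_.Name -replace $prefix, '' })

    # Compare-Object is case-insensitive for strings by default.
    $diff = Compare-Object -ReferenceObject $expected -DifferenceObject $actual
    [pscustomobject]@{
        Group        = $GroupName
        Expected     = $expected
        Actual       = $actual
        # present locally but not in the policy: added after the policy ran
        NotInPolicy  = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
        # in the policy but no longer present locally: removed after the policy ran
        MissingLocal = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    }
}

# Constructed sample value (1803 layout) to exercise the parser offline.
$sample = '<accessgroup desc = "Administrators"><member name = "Administrator" /><member name = "AzureAD\test01@smsboot.onmicrosoft.com" /></accessgroup>'
Get-PolicyMembers -Xml $sample

# Live check against this machine; run as SYSTEM.
Get-RestrictedGroupDrift | Format-List
```

Anything listed under NotInPolicy is an administrator the policy would have removed on first application but will not remove again; scheduling this check (for example as an Intune PowerShell script or a scheduled task) gives you the re-enforcement signal the CSP itself does not provide.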


Sandy has been working in the IT industry since 2009, primarily dealing with SCCM, MDT, Group Policy, software packaging and workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.

Comments
  • Peter
    Posted at 09:41 September 4, 2018

    As far as I know you can only use it with user accounts as you showed in the examples.
    Would be nice if we could add an Azure AD group to the local administrators group, for example a Helpdesk group.

    • Zeng Yinghua
      Posted at 11:26 September 4, 2018

      Yes, cannot use Azure AD group. Would like to have this feature as well.

  • Thomas Leschik
    Posted at 12:50 September 4, 2018

    Hi,
    Thanks for sharing this.
    What about overwriting the entries in the policy and then completely un- and re-assigning the policy to your users?

    Best regards,
    Thomas

    • Zeng Yinghua
      Posted at 13:27 September 4, 2018

      Hi Thomas, if you make changes to the policy, it will overwrite the old settings, no need to un- and re-assign again. Is this what you are asking?

      Regards, Sandy

  • Marek
    Posted at 13:27 September 25, 2018

    Hi Zeng,
    Thank you for the introduction! I have a question: all these settings are applied to all devices, right? I can’t create an OMA-URI for just one device? Example: if I have a notebook (device) and add multiple user accounts as admin just on this notebook, can I also use this OMA-URI? I need this for devices that are rolled out with Intune but would be used by more users as a shared device. When I add a second AAD user to this device who isn’t a global administrator, it doesn’t have admin rights. So using this notebook is very annoying for the user. Thanks for your help 🙂

    • Zeng Yinghua
      Posted at 19:52 September 25, 2018

      Hello Marek,
      If you need to add an admin to all devices, you can use “Additional local administrators on Azure AD joined devices” from the Azure Portal.
      If you want to use this Restricted Groups Policy CSP for some devices or one device, you can create a group (assigned or dynamic) and add those devices as members of the group.

      Regards, Sandy

  • Michael M.
    Posted at 00:03 November 9, 2018

    Hello,

    Thanks for this guide. Regarding your ‘bad news’, it seems I am able to update the policy in Intune and the changes will take effect on machines unless I specify an account that doesn’t exist. In my case the local admin account name was actually changed on the machine but the group membership policy in Intune was still set to ‘Administrator’; the policy claimed to apply successfully but never actually did anything. Changes never took effect on the target machine. If I changed the Admin account name to what it actually is, then the policy works all the way through.
    I tried using the SID for the local admin, and also tried removing the ‘Administrator’ member line altogether, but both those actions also resulted in a new policy not taking effect. I have to explicitly name what the local admin account is currently named, then I can add or remove all the AzureAD users as I wish.