Create a Local Admin using Intune and Powershell

In my last blog post, I demonstrated how to create a local admin account through Intune by creating a local user account and then adding it to the local Administrators group via a custom (OMA-URI) device configuration profile.

In this blog post, we’re going to explore a different way of setting up a local admin account with Intune. This time, we won’t be using OMA-URI settings. Instead, we’ll use “Devices > Remediations” (also known as Proactive Remediations) to create the local user account.

After that, we’ll add this user account to the Administrators group using the “Local user group membership” profile found under “Endpoint Security > Account Protection”.

We’ll be using PowerShell scripts to create the local user account. The script below creates the account without a password (New-LocalUser -NoPassword); if you want to set one, you can tweak the script. Keep in mind that an account that requires no password should not be left as a member of the Administrators group: set a password, or let a password-management solution such as Windows LAPS take over the account as soon as it exists. Alternatively, you can explore the OMA-URI approach if that aligns better with your requirements.

I’ve created two Proactive Remediation scripts. The first one is to Detect whether a specified local user account already exists. If it’s not found, a second script (remediation script) will create a local user account for you. You can change the name of the local user account in the script.

Step-by-step guide
Delete a local user account using Intune
If you’re interested in learning how to delete a local user account using Intune, you can refer to my other blog post: How To Delete A Local User Account Using Intune

Step 1 – Create a Script Package

To create a script package, follow the below steps:

Basics

Provide a Name, Description, and Publisher Information. For example:

  • Name – Create cloudinfra101 local user account
  • Description – Provide a useful description.
  • Publisher – Jatin Makhija

Settings

  • Create a Detection script using the below PowerShell code. Save it as DetectLocaluser.ps1. Exit code 0 tells Intune the device is compliant; exit code 1 tells it to run the remediation script.

DetectLocaluser.ps1

# Detection: exit 0 = account already present, exit 1 = missing (remediation will run)
$userName = "cloudinfra101"
$userExist = (Get-LocalUser).Name -contains $userName
if ($userExist) {
  Write-Host "$userName exists"
  Exit 0
}
else {
  Write-Host "$userName does not exist"
  Exit 1
}
  • Create a Remediation script using the below PowerShell code. Save it as RemediateLocalUser.ps1. The existence check is repeated so the script is safe to run even if the account appeared between detection and remediation.

RemediateLocalUser.ps1

# Remediation: create the account if it is still missing
$userName = "cloudinfra101"
$userExist = (Get-LocalUser).Name -contains $userName
if ($userExist -eq $false) {
  try {
    # -NoPassword creates an account that requires no password (see the note above)
    # -ErrorAction Stop turns a cmdlet error into an exception so the catch block sees it
    New-LocalUser -Name $userName -Description "Cloudinfra101 local user account" -NoPassword -ErrorAction Stop
    Exit 0
  }
  catch {
    Write-Error $_
    Exit 1
  }
}
  • Detection script file – Browse to the Detection script DetectLocaluser.ps1
  • Remediation script file – Browse to the Remediation script RemediateLocalUser.ps1
  • Run this script using the logged-on credentials – No (the script then runs as SYSTEM, which is required for New-LocalUser; a standard user cannot create local accounts)
  • Enforce script signature check – No
  • Run script in 64-bit PowerShell – Yes
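If you want the account to have a password from the moment it is created, the remediation script below is an added example (not the RemediateLocalUser.ps1 from this post) that replaces -NoPassword with a random password generated on the device. It assumes the same account name, Windows PowerShell 5.1 running as SYSTEM (logged-on credentials = No), and the New-LocalUser switches shown. The password is never written to output, because Intune keeps script output in the admin center, and it is discarded after use, so the account is only usable once something like Windows LAPS rotates the password to a known value.

```powershell
# Added example, not the original post's RemediateLocalUser.ps1.
# Creates the local user with a random password instead of -NoPassword.
# Assumes Windows PowerShell 5.1 running as SYSTEM (logged-on credentials = No).
$userName = "cloudinfra101"

function New-RandomPassword {
    param([int]$Length = 24)
    # Cryptographic RNG with rejection sampling so every character is equally likely
    $chars = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+'
    $limit = 256 - (256 % $chars.Length)      # bytes >= limit are discarded (avoids modulo bias)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$sb.Append($chars[$byte[0] % $chars.Length]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

if ((Get-LocalUser).Name -contains $userName) {
    Write-Host "$userName already exists"
    Exit 0
}

try {
    $secure = ConvertTo-SecureString -String (New-RandomPassword -Length 24) -AsPlainText -Force
    New-LocalUser -Name $userName `
                  -Description "Cloudinfra101 local user account" `
                  -Password $secure `
                  -PasswordNeverExpires `
                  -AccountNeverExpires `
                  -UserMayNotChangePassword `
                  -ErrorAction Stop | Out-Null
    # Do not echo the password: Intune stores the script output in the admin center.
    Write-Host "$userName created with a random password"
    Exit 0
}
catch {
    Write-Error $_
    Exit 1
}
```

The detection script from the post works unchanged with this variant, since it only checks whether the account exists. -UserMayNotChangePassword stops the end user from setting their own password on the account; it does not prevent an administrative reset, which is how password-management tooling rotates it.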

Assignments

Click on Add group to add an Azure AD group containing users or devices. You can also click on Add all users or Add all devices.

Review + Create

Review the deployment and click on Create to start the deployment process.

Step 2 – Add Local user account to the Administrators group

Now that we’ve created a script package for deploying our new local user account named “cloudinfra101”, we also want to add it to the local Administrators group. Let’s check the steps:

  • Sign in to Microsoft Intune admin center
  • Go to Endpoint Security > Account Protection
  • Click on + Create Policy
  • Select Platform as Windows 10 and Later
  • Select Profile as a Local user group membership
  • Click on Create

Basics

Provide a Name and Description of the profile.

Configuration settings

  • Local group: Administrators
  • Group and user action: Add (Update)
  • User selection type: Manual
  • Selected Users/groups: Click on Add user(s) link and then provide cloudinfra101 local user account name.

We have provided cloudinfra101 to be added to the local Administrators group. You can add multiple local users to the local Administrators group as well. Make sure that the local user account exists on the device and that the name is valid; if a local user account name is invalid, it will simply be ignored. Because the remediation script and this policy are delivered independently, the account may not exist yet the first time the policy is evaluated, so check the group membership on the device after both have applied.


Assignments

Click on Add group to add an Azure AD group containing users or devices. You can also click on Add all users or Add all devices.

Review + Create

Review the policy once and then click on Create. Once your policy is created, you can view your policy under Endpoint security > Account protection.


Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
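The PowerShell route mentioned above, as an added example that is not part of the original post: it starts the MDM enrollment’s “PushLaunch” scheduled task, which is what the device uses for its check-in. It assumes a Windows 10/11 device enrolled in Intune (the task lives under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentID>\) and an elevated Windows PowerShell session; the 60-second wait and the function name are my choices.

```powershell
# Added example (not from the original post): trigger an Intune check-in from the device.
# Assumes an MDM-enrolled Windows 10/11 device and an elevated Windows PowerShell session.
function Start-IntuneSync {
    $task = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
            Select-Object -First 1
    if (-not $task) {
        Write-Warning 'PushLaunch task not found; is the device MDM-enrolled?'
        return $false
    }
    $task | Start-ScheduledTask

    # Poll until the task is no longer running (0x41301 = 267009 = SCHED_S_TASK_RUNNING)
    $deadline = (Get-Date).AddSeconds(60)
    do {
        Start-Sleep -Seconds 5
        $info = $task | Get-ScheduledTaskInfo
    } while ($info.LastTaskResult -eq 267009 -and (Get-Date) -lt $deadline)

    Write-Host ("Sync task finished: LastRunTime={0} LastTaskResult={1}" -f $info.LastRunTime, $info.LastTaskResult)
    return ($info.LastTaskResult -eq 0)
}

Start-IntuneSync
```

A forced sync delivers the Account Protection policy straight away; the remediation script package is handled by the Intune Management Extension and runs when it picks up the assignment and then on the schedule you set in the package, so the account may appear a little later than the group-membership policy.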

End-user Experience

Now, let’s take a look at the results of the policy after it has been applied successfully.

  • Click on Start > search for Computer Management
  • Then go to Local Users and Groups > Users
  • Check if the cloudinfra101 local user account has been created
  • Go to Groups folder and then double-click on Administrators group to check if cloudinfra101 local user account has been added.
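The same checks can be scripted, which is handy when you are validating more than one test device. The following is an added example, not from the original post: it reports whether the account exists, is enabled, needs a password, and is a member of Administrators. It assumes the account name used throughout this post and an elevated Windows PowerShell 5.1 session; the function name is mine. Membership is compared by SID rather than by name, and the well-known SID S-1-5-32-544 is used for Administrators so the check is not affected by a localized or renamed group.

```powershell
# Added example (not from the original post): verify the end state on the device.
# Assumes the account name from the post and an elevated Windows PowerShell 5.1 session.
$userName = "cloudinfra101"

function Test-LocalAdminAccount {
    param([Parameter(Mandatory)][string]$Name)

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        return [pscustomobject]@{ Name = $Name; Exists = $false; Enabled = $false; IsAdmin = $false; PasswordRequired = $null }
    }

    # Get-LocalGroupMember can throw when the group holds orphaned or cloud SIDs, so guard it.
    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $adminSids = @()
    try {
        $adminSids = @((Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop).SID.Value)
    }
    catch {
        Write-Warning "Could not enumerate Administrators: $_"
    }

    [pscustomobject]@{
        Name             = $user.Name
        Exists           = $true
        Enabled          = $user.Enabled
        IsAdmin          = $adminSids -contains $user.SID.Value
        PasswordRequired = $user.PasswordRequired
    }
}

$state = Test-LocalAdminAccount -Name $userName
$state | Format-List

# The combination the -NoPassword script produces: a local administrator that needs no password.
if ($state.IsAdmin -and -not $state.PasswordRequired) {
    Write-Warning "$userName is a local administrator with no password required"
}
```

If Exists is true but IsAdmin is false, the Account Protection policy has not applied yet (or applied before the account existed); force another sync and re-run the check.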

Conclusion

I trust this post has been beneficial in guiding you on how to establish a local administrator account with Intune. We took a unique approach this time, in contrast to the previous method. You can opt for the method that suits you best when creating a local admin account.

8 thoughts on “Create a Local Admin using Intune and Powershell”

  1. What is the syntax for modifying this to add the password?

    I have not defined any password for the local user, as I have used the -NoPassword parameter with the New-LocalUser cmdlet. You can modify the script to add a password for the local user account if you want.

    Reply
  2. Hi RW, To add the password, you can use the below code:

    $Password = Read-Host -AsSecureString   # -Password requires a SecureString, not a plain string
    $params = @{
        Name        = 'User03'
        Password    = $Password
        FullName    = 'Third User'
        Description = 'Description of this account.'
    }
    New-LocalUser @params

    You can use this blog post as well if you want to create a local user account with password using intune: https://cloudinfra.net/how-to-create-a-local-admin-account-using-intune/

    For more info, please refer to: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser?view=powershell-5.1

    Reply
  3. I have tried to use this script for an Intune LAPS rollout. The account is created and Intune’s LAPS provides the password; however, on logon the profile failed on creation with the following event, “User profile cannot be loaded with Event ID 1509”.

    Manually creating an account and allowing LAPS to replace the password works fine.

    Any Ideas?

    Reply
  4. We’ve noticed that the local user account will not be added to a computer unless nobody is logged in. Is this normal behavior? Is there a workaround for it?

    Reply
  5. Hello Jatin,

    I’ve noticed on several devices that the add user remediation doesn’t appear to work when any user is logged in at the time the script is executed. Is that normal behavior? If not, is there a workaround for it?

    Reply
  6. Thank you for this great article, it has been of great help to me. A question:

    To this type of users, created locally with Intune,
    Is it possible to block the user from changing their password?

    Thanks in advance.

    Reply
  7. This script is not safe enough in a corporate environment if you are using this for the creation of local admin accounts before LAPS kicks in: an empty password is the risk. If there is a problem with the LAPS process that should kick in later, you will have an organization of people walking around the world with empty admin passwords.

    For this occasion I suggest you use:

    function Get-RandomPassword {
        param (
            [Parameter(Mandatory)]
            [int] $length,
            [int] $amountOfNonAlphanumeric = 1
        )
        Add-Type -AssemblyName 'System.Web'
        return [System.Web.Security.Membership]::GeneratePassword($length, $amountOfNonAlphanumeric)
    }

    $userName = "lapsadmin"
    $userexist = (Get-LocalUser).Name -Contains $userName
    # New-LocalUser -Password expects a SecureString, not a plain string
    $password = ConvertTo-SecureString -String (Get-RandomPassword -Length 30) -AsPlainText -Force

    if ($userexist -eq $false) {
        try {
            New-LocalUser -Name $username -Description "LAPS backup admin account" -Password $password -ErrorAction Stop
            Exit 0
        }
        Catch {
            Write-Error $_
            Exit 1
        }
    }

    Reply

Leave a Comment