Create a Local Admin using Intune and Powershell

In my last blog post, I demonstrated creating a local admin account through Intune by creating a local user account and adding it to the local Administrators group via a custom (OMA-URI) device configuration profile.

In this blog post, we’ll explore a different way of setting up a local admin account with Intune. This time, we won’t be using OMA-URI settings. Instead, we’ll use Devices > Scripts and Remediations to create a local user account.

After that, we’ll add this user account to the Administrators group using the Local user group membership profile found under Endpoint Security > Account Protection.

We’ll use a PowerShell remediation script to create the local user account. The script below creates the account with no password (-NoPassword), which is convenient in a lab but risky on production devices: a member of Administrators with a blank password can still log on at the console (Windows only blocks the network logon of blank-password local accounts, via the “Limit local account use of blank passwords to console logon only” policy, which is enabled by default). Treat the no-password account as a placeholder: either set a password in the script, or let Windows LAPS take over the account and rotate its password, before the device reaches an end user. Alternatively, use the OMA-URI approach from the previous post if that fits your requirements better.

I’ve created two remediation scripts. The first (the detection script) checks whether the specified local user account already exists. The second (the remediation script) creates the account if it is not found. Change the value of $userName in both scripts to use a different account name.

If you’re interested in learning how to delete a local user account using Intune, you can refer to my other blog post: How To Delete A Local User Account Using Intune

Step 1 – Create a Script Package

To create a script package, follow these steps:

  • Sign in to the Intune admin center.
  • Go to Devices > Scripts and Remediations.
  • Click on + Create under the Remediations tab.

Basics

Provide a Name, Description, and Publisher Information. For example:

  • Name – Create cloudinfra101 local user account
  • Description – Provide a useful description.
  • Publisher – Jatin Makhija

Settings

  • Create a detection script using the PowerShell code below. Save it as DetectLocaluser.ps1.

DetectLocaluser.ps1

# Detection script: exit 0 when the account exists (compliant) and exit 1 when it
# is missing, which tells Intune to run the remediation script.
$userName = "cloudinfra101"
$userExists = (Get-LocalUser).Name -contains $userName
if ($userExists) {
    Write-Host "$userName exists"
    exit 0
}
else {
    Write-Host "$userName does not exist"
    exit 1
}
  • Create a remediation script using the PowerShell code below. Save it as RemediateLocalUser.ps1.

RemediateLocalUser.ps1

# Remediation script: create the account only if the detection script found it missing.
$userName = "cloudinfra101"
$userExists = (Get-LocalUser).Name -contains $userName
if (-not $userExists) {
    try {
        # -NoPassword leaves the account with no password and the "password not required"
        # flag set. Treat this as a placeholder: set a password here or let Windows LAPS
        # rotate it before the account is relied on.
        New-LocalUser -Name $userName -Description "Cloudinfra101 local user account" -NoPassword | Out-Null
        Write-Host "$userName created"
        exit 0
    }
    catch {
        Write-Error $_
        exit 1
    }
}
Write-Host "$userName already exists"
exit 0
  • Detection script file – Browse to the detection script DetectLocaluser.ps1
  • Remediation script file – Browse to Remediation script file RemediateLocalUser.ps1
  • Run this script using the logged-on credentials – No
  • Enforce script signature check – No
  • Run script in 64-bit PowerShell – Yes
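If you would rather not ship an account with no password, the variant of RemediateLocalUser.ps1 below sets a random password that the device never records, so the account is unusable until something you control (Windows LAPS, or your break-glass process) rotates or resets it. This is an added example, not the post’s own script: the 64-symbol alphabet, the 24-character length and the account flags are choices made here, and the random bytes come from the .NET cryptographic RNG rather than Get-Random.

```powershell
# Added example: RemediateLocalUser.ps1 variant that never leaves the account
# without a password. Alphabet, length and flags are assumptions, not the
# original post's choices.
$userName = "cloudinfra101"

function New-RandomPassword {
    param([int]$Length = 24)
    # Exactly 64 symbols, so that (byte % 64) is uniformly distributed and the
    # password has 6 bits of entropy per character (144 bits at 24 characters).
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@'
    if ($alphabet.Count -ne 64) { throw "alphabet must contain exactly 64 symbols" }

    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }

    $chars = foreach ($b in $bytes) { $alphabet[$b % 64] }
    return -join $chars
}

if (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue) {
    Write-Output "$userName already exists; nothing to do"
    exit 0
}

try {
    # New-LocalUser only accepts a SecureString for -Password.
    $securePwd = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    $params = @{
        Name                     = $userName
        Description              = "Cloudinfra101 local user account"
        Password                 = $securePwd
        PasswordNeverExpires     = $true   # rotation is handled elsewhere (e.g. Windows LAPS)
        UserMayNotChangePassword = $true   # nobody can replace it with a known value interactively
        AccountNeverExpires      = $true
    }
    New-LocalUser @params | Out-Null
    Write-Output "$userName created with a random, unrecorded password"
    exit 0
}
catch {
    Write-Error $_
    exit 1
}
```

The password is deliberately discarded: the point is that the account is not usable with a blank password during the window before LAPS (or whatever rotates it) runs. The detection script from the post works unchanged with this variant.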

Assignments

Click Add groups and select the Entra security group containing Windows 10/11 test devices. Once testing proves successful, you can expand the deployment by including additional devices in the group.

Review + Create

Review the deployment and click on Create to start the deployment process.

Step 2 – Add Local user account to the Administrators group

We’ve created a script package for deploying our new local user account named cloudinfra101. We also want to add it to the Local Administrators group. Let’s check the steps:

  • Sign in to the Intune admin center.
  • Go to Endpoint Security > Account Protection.
  • Click on + Create Policy.
  • Select Platform as Windows 10 and Later.
  • Select Profile as a Local user group membership.
  • Click on Create.

Basics

Provide a Name and Description of the profile.

Configuration settings

  • Local group: Administrators
  • Group and user action: Add (Update)
  • User selection type: Manual
  • Selected Users/groups: Click the Add user(s) link and provide the cloudinfra101 local user account name.

We have added cloudinfra101 to the local Administrators group; you can list several local user accounts here. Make sure each name is valid and that the account exists on the device by the time this policy applies (the script package from Step 1 must have run first). If a local user account name is invalid, it is simply ignored.


Assignments

Click Add groups and select the Entra security group containing Windows 10/11 test devices. Once testing proves successful, you can expand the deployment by including additional devices in the group.

Review + Create

Review the policy once and then click on Create. Once your policy is created, you can view your policy under Endpoint security > Account protection.


Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
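For a test device where you want to see the result without waiting for the next check-in, the following added example (not from the original post) does both things from an elevated PowerShell prompt on the device: it restarts the Intune Management Extension service, which is what runs remediation scripts, and starts the MDM PushLaunch scheduled task that performs the device check-in. The task lives under \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\, so the script looks it up by name instead of hard-coding the GUID.

```powershell
# Added example, not from the post. Run elevated on the enrolled test device.

# Remediation scripts are evaluated by the Intune Management Extension; restarting
# the service makes it re-check its assignments.
Restart-Service -Name IntuneManagementExtension -Force

# The MDM check-in is a scheduled task; its folder name is the enrollment GUID.
$task = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }

if ($task) {
    $task | Start-ScheduledTask
    Write-Output "Triggered MDM sync via $($task.TaskPath)$($task.TaskName)"
}
else {
    Write-Warning "PushLaunch task not found; is this device MDM-enrolled?"
}

# Follow the extension log while the remediation package is downloaded and run.
$log = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
Get-Content -Path $log -Tail 20 -Wait
```

Stop the log tail with Ctrl+C once you see the script package being processed; the remediation result itself is also reported back in the Intune admin center under the script package’s Device status.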

End-user Experience

Now, let’s look at the policy’s results after it has been applied successfully.

  • Click on Start > search for Computer Management
  • Then go to Local Users and Groups > Users
  • Check if the cloudinfra101 local user account has been created
  • Go to the Groups folder and double-click on the Administrators group to check if the cloudinfra101 local user account has been added.
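Checking the same two things from PowerShell is faster than clicking through Computer Management on each device, and it also surfaces the “password not required” state that the -NoPassword account carries. This is an added example, not part of the original post; it assumes the account name cloudinfra101 from the scripts above and runs in an elevated prompt on the device.

```powershell
# Added example, not from the post: verify both policies on the device.
$userName = 'cloudinfra101'

$user = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue
if (-not $user) { throw "$userName does not exist; the remediation script has not run yet" }

# PasswordRequired is $false for an account created with -NoPassword.
$user | Select-Object Name, Enabled, PasswordRequired, PasswordLastSet, LastLogon

# Local accounts are reported by Get-LocalGroupMember as COMPUTERNAME\name.
$member = Get-LocalGroupMember -Group 'Administrators' |
          Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -eq "$env:COMPUTERNAME\$userName" }

if ($member) { Write-Output "$userName is a member of Administrators" }
else { Write-Warning "$userName is NOT in Administrators; check the Account Protection policy" }

# Treat a blank-password administrator as a finding, not a finished state.
if (-not $user.PasswordRequired) {
    Write-Warning "$userName has 'password not required' set; set or rotate its password (e.g. Windows LAPS) before relying on it"
}
```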

Conclusion

I trust this post has been useful in guiding you through setting up a local administrator account with Intune. In contrast to the previous method, this time we used a remediation script package together with an Account Protection policy. You can choose whichever method suits you best when creating a local admin account.

9 thoughts on “Create a Local Admin using Intune and Powershell”

  1. What is the syntax for modifying this to add the password?

    I have not defined any password for the local user either, as I have used the -NoPassword parameter with the New-LocalUser cmdlet. You can modify the script to add a password for the local user account if you want.
  2. Hi RW, to add the password you can use the code below:

    # Replace the placeholder; New-LocalUser -Password requires a SecureString
    $Password = ConvertTo-SecureString -String 'provide password here' -AsPlainText -Force
    $params = @{
        Name        = 'User03'
        Password    = $Password
        FullName    = 'Third User'
        Description = 'Description of this account.'
    }
    New-LocalUser @params

    You can use this blog post as well if you want to create a local user account with a password using Intune: https://cloudinfra.net/how-to-create-a-local-admin-account-using-intune/

    For more info, please refer to: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/new-localuser?view=powershell-5.1
  3. I have tried to use this script for an Intune LAPS rollout. The account is created and Intune’s LAPS provides the password; however, on logon the profile creation failed with the following event: “User profile cannot be loaded”, Event ID 1509.

    Manually creating an account and allowing LAPS to replace the password works fine.

    Any ideas?
  4. We’ve noticed that the local user account will not be added to a computer unless nobody is logged in. Is this normal behavior? Is there a workaround for it?
  5. Hello Jatin,

    I’ve noticed on several devices that the add user remediation doesn’t appear to work when any user is logged in at the time the script is executed. Is that normal behavior? If not, is there a workaround for it?

  6. Thank you for this great article, it has been of great help to me. A question:

    For this type of user, created locally with Intune, is it possible to block the user from changing their password?

    Thanks in advance.
  7. This script is not safe enough in a corporate environment if you are using it to create local admin accounts before LAPS kicks in – an empty password is the risk. If there is a problem with the LAPS process that should kick in later, you will have an organization of people walking around the world with empty admin passwords.

    For this occasion I suggest you use:

    function Get-RandomPassword {
        param (
            [Parameter(Mandatory)]
            [int] $Length,
            [int] $AmountOfNonAlphanumeric = 1
        )
        # System.Web is available in Windows PowerShell 5.1, the host Intune remediations run in
        Add-Type -AssemblyName 'System.Web'
        return [System.Web.Security.Membership]::GeneratePassword($Length, $AmountOfNonAlphanumeric)
    }

    $userName = "lapsadmin"
    $userexist = (Get-LocalUser).Name -Contains $userName
    # New-LocalUser -Password requires a SecureString, not a plain string
    $password = Get-RandomPassword -Length 30 | ConvertTo-SecureString -AsPlainText -Force

    if ($userexist -eq $false) {
        try {
            New-LocalUser -Name $userName -Description "LAPS backup admin account" -Password $password
            Exit 0
        }
        Catch {
            Write-Error $_
            Exit 1
        }
    }
  8. Use the script above but with :
    $password = Get-RandomPassword -Length 30 | ConvertTo-SecureString -AsPlainText -Force

