AzureAD Domain Join – Add user to local administrator group


There is an issue on Azure AD domain-joined machines if you want to add Azure AD users to a local group. Let's say you want to allow a user to log on remotely to an Azure AD joined machine, or you want to add users to the local Administrators group. The GUI doesn't support this at all, because it cannot look up users in the cloud.

The first thing we need to do is to have the user in question actually log on to the machine locally once, so that the user's SID is stored on the machine itself. This is required to make this work.

If you go into the UI you will see this:

[Screenshot: AADJoinUser001]

There are no active local users on the machine, as this machine was AAD joined during OOBE.

[Screenshot: AADJoinUser002]

If you go to Groups and open the local Administrators group, you will see that the user who joined the machine to AAD has been added as a local administrator.

If you try to add users from AAD to the local group, you will quickly find that it is not possible at all. There is no way to browse AAD for users, and as we don't have any local users at all, you cannot add users to the Administrators group. Luckily there is a very easy way to fix this manually.

Open CMD as administrator and run this command:

net localgroup administrators <DomainName>\<UserName> /add

[Screenshot: AADJoinUser005]

If you don't have AAD Connect synchronization and are running cloud only, your domain is AzureAD\ and the user string is AzureAD\Username.

If we now open the GUI again, we can see that the user exists in the local Administrators group:

[Screenshot: AADJoinUser006]

The same command can also be used to add users to other groups, such as Remote Desktop Users, to enable remote connections to the PC.

I got a tip from @hosebei on Twitter that you should be aware of localized group names. If this is not working, you can get the localized Administrators group name by running this PowerShell command:

Get-WmiObject Win32_Group -Filter "SID='S-1-5-32-544' AND LocalAccount=True"
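The following PowerShell script is an added example, not part of the original post: it combines the two commands above by resolving the localized Administrators group from its well-known SID, adding the Azure AD user with net.exe, and then re-reading the group to verify the change. The parameter names, the elevation check and the Get-LocalGroupMember lookup are my additions; it assumes a Windows 10 device joined to Azure AD and an elevated session.

```powershell
# Added example: add an Azure AD user to a local group on an Azure AD joined machine,
# independent of the OS language. Run from an elevated PowerShell session.
param(
    # Placeholder principal: 'AzureAD\user@contoso.com' for a cloud-only tenant, or
    # 'DOMAIN\username' when AAD Connect syncs an on-premises domain.
    [Parameter(Mandatory = $true)]
    [string]$Member,
    # Well-known SID of BUILTIN\Administrators; use S-1-5-32-555 for Remote Desktop Users.
    [string]$GroupSid = 'S-1-5-32-544'
)

# net.exe only reports "Access is denied" without elevation, so check up front.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Resolve the localized group name (e.g. "Administratoren" on a German build) from the SID,
# the same lookup as the WMI one-liner in the post.
$group = Get-CimInstance Win32_Group -Filter "SID='$GroupSid' AND LocalAccount=True"
if (-not $group) { throw "No local group with SID $GroupSid found on this machine." }
$groupName = $group.Name

# Skip the add if the principal is already a member. Get-LocalGroupMember can fail when the
# group contains SIDs it cannot resolve, so a failure here is treated as "unknown".
$already = $false
try {
    $already = [bool](Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop |
        Where-Object { $_.Name -eq $Member })
} catch { Write-Warning "Could not enumerate '$groupName': $($_.Exception.Message)" }

if ($already) {
    Write-Host "'$Member' is already a member of '$groupName'."
    return
}

# net.exe resolves an Azure AD account only after that user has logged on to this device
# at least once; before that it reports "There is no such global user or group".
$output = & net.exe localgroup "$groupName" "$Member" /add 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "Adding '$Member' to '$groupName' failed (has the user logged on here yet?): $output"
}

# Verify by re-reading the group instead of trusting the exit code alone.
Get-LocalGroupMember -SID $GroupSid | Where-Object { $_.Name -eq $Member }
```

Save it as a .ps1 and call it with -Member 'AzureAD\user@yourtenant.com'; the last line prints the new membership entry, or nothing if the add did not take effect.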


2 thoughts on "AzureAD Domain Join – Add user to local administrator group"

  1. I am having the same issue as you had originally.
    Background: A one-to-one program for our school, MDM, etc., all revolving around AAD (we do have AAD Connect in place). I need the students and teachers to be able to administer their own machines, but I still can't get the local admin user script to work. I continually get "there is no such global user or group: mydomain\username".

    Maybe I have the domain name wrong? From where in AAD is that figured?

    Any help would be greatly appreciated. I am stumped and on a very tight implementation schedule.


    • First step is to have the teacher/student actually log on to the device once. Before you do that, the machine doesn't know about the user. The next step is to verify that your domain name and user name are correct. The easiest way to do this is to start CMD as the student/teacher and run the command whoami. This will give you both username and domain (domainname\username).
      Collect this information and run the commands with elevated privileges on the machine.
      The username is normally not the same as the email address. Email can be firstname.lastname@domainname, but the username is then normally domain\firstnamelastname.
      Let me know if this helped or if I can help you more.

