AzureAD Domain Join – Add user to local administrator group


There is an issue on Azure AD domain-joined machines if you want to add AzureAD users to a local group. Let's say you want to enable a user to log on remotely to an AzureAD-joined machine, or you want to add users to the local Administrators group. The GUI doesn’t support this at all because you are not able to look up users in the cloud.

The first thing we need to do is have the user in question log on to the machine locally, so that the user's SID is present on the machine itself. This is required to make this work.

If you go into the UI you will see this:


There are no active local users on the machine, as this machine was AAD joined during OOBE.

If you go to Groups and open the local administrators group you will see that the user that joined the machine to AAD is added as a local administrator.

If you try to add users from AAD to the local group, you will quickly find that it is not possible at all. There is no way to browse AAD for users, and as we don't have any local users at all, there is nothing to add to the Administrators group from the GUI. But luckily there is a very easy way to fix this manually.

Open CMD as administrator and run the command:
net localgroup administrators <DomainName>\<UserName> /add


If you don’t have AAD Connect synchronization and are running cloud-only, your domain is AzureAd\ and the user string is AzureAd\Username.

If we now open the GUI again, we can see that the user exists in the local Administrators group:


This can also be used to add users to other groups, such as Remote Desktop Users to enable remote connection to the PC.

I got a tip from @hosebei on Twitter that you should be aware of localized group names. If this is not working, you can get the localized Administrators group name by running this PowerShell command:

Get-WmiObject Win32_Group -Filter "SID='S-1-5-32-544' AND LocalAccount=True"
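
The steps above combined into one script, as an added example that is not part of the original post: it resolves the group by its well-known SID so localized names work, confirms the machine already knows the account, and then runs the same net localgroup command. The function name Add-AadUserToLocalGroup and the sample account are hypothetical, and Get-CimInstance is used here as the equivalent of the Get-WmiObject query above.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Add-AadUserToLocalGroup is a hypothetical helper name.
function Add-AadUserToLocalGroup {
    param(
        # Account exactly as whoami prints it for that user, e.g. AzureAD\Username
        [Parameter(Mandatory)] [string] $Account,
        # S-1-5-32-544 = built-in Administrators, S-1-5-32-555 = Remote Desktop Users
        [string] $GroupSid = 'S-1-5-32-544'
    )

    # Changing local group membership requires an elevated shell.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Not elevated: start PowerShell with "Run as administrator".'
    }

    # Look the group up by SID so the localized group name is used.
    $group = Get-CimInstance Win32_Group -Filter "SID='$GroupSid' AND LocalAccount=True"
    if (-not $group) { throw "No local group with SID $GroupSid on this machine." }

    # The machine can only resolve the account after the user has logged on once.
    try {
        $sid = [Security.Principal.NTAccount]::new($Account).Translate(
            [Security.Principal.SecurityIdentifier])
    } catch [Security.Principal.IdentityNotMappedException] {
        throw "$Account cannot be resolved here. Has the user logged on to this machine?"
    }

    # Same command as in the post, with the resolved group name.
    & net.exe localgroup $group.Name $Account /add
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup exited with code $LASTEXITCODE (the account may already be a member)."
    }

    # Return what was granted so the change can be logged or reviewed.
    [pscustomobject]@{ Group = $group.Name; Account = $Account; Sid = $sid.Value }
}

# Constructed sample account; replace with the whoami output of the real user.
Add-AadUserToLocalGroup -Account 'AzureAD\Username'
```

Pass -GroupSid 'S-1-5-32-555' to grant Remote Desktop access instead of local administrator rights.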





4 thoughts on “AzureAD Domain Join – Add user to local administrator group”

  1. I am having the same issue as you had originally.
    Background: A one-to-one program for our school, MDM, etc. all revolving around AAD (we do have AAD Connect in place). I need the students and teachers to be able to administer their own machines but I still can't get the local admin user script to work. I continually get “there is no such global user or group: mydomainusername”

    Maybe I have the domain name wrong? From where in AAD is that figured?

    Any help would be greatly appreciated. I am stumped and on a very tight implementation schedule.

    1. The first step is to have the teacher / student actually log on to the device once. Before you do that, the machine doesn’t know about the user. The next step is to verify that your domain name and user name are correct. The easiest way to do this is to start CMD as the student/teacher and run the command whoami. This will give you both username and domain (domainname\username)
      Collect this information and run the commands with elevated privileges on the machine.
      The username is normally not the same as the email address. Email can be first name.lastname@domainname, but the username is then normally domain\firstnamelastname
      Let me know if this helped or if I can help you more.

  2. I used the command
    Open CMD as administrator and run the command:
    net localgroup administrators   /add

    however it returns “Access is denied”

    I understand this is an article from a year ago; however, I would very much appreciate your reply.
    This is very important for me. May I know if there is any solution to add a user to a specific local administrator group? Thank you!
