Azure AD user in Windows 10 - local admin problem

  • Question

  • Hi

    We have Office 365 Business Essentials and Premium licenses, we do not have AAD Premium, EMS, Intune licenses.

    If I log in to a new PC using some user's (not the O365 admin user account) O365 credentials, this user becomes a local admin on that PC.

    But if I use some other user's O365 credentials (not the O365 admin user account) to log in to that same PC, this second user that logs in to the same PC is not a local admin.

    Also, I can't find anywhere on that PC to change this.

    How do I control which (O365) user account is local admin and which is not?

    Wednesday, March 7, 2018 1:54 PM

Answers

  • I was able to set the secondary login account as an admin account. Log in using this secondary account, go to Control Panel/User Accounts/User Accounts/Change your account type, and use the O365 admin account or the first account used to log in to the PC to get past UAC. This way you can upgrade the user account to local admin.


    Based on this link

    https://community.spiceworks.com/topic/1580701-azure-ad-users-given-local-admin-permissions

    it is not a good idea to downgrade the first (O365) account used to log in to the PC to a standard user.

    Prefer to use the O365 admin account, or some other O365 account used as a local admin account, when logging in to the PC for the first time, and add the actual user account to the PC after this. This way normal users do not have local admin permissions and you don't have to downgrade user account permissions.

    • Marked as answer by IKFI Saturday, March 17, 2018 2:42 PM
    Saturday, March 17, 2018 2:42 PM
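
To check the outcome of the steps above on a given PC, the following PowerShell lists every member of the local Administrators group and marks which ones are Azure AD principals. It is an added example, not part of the original thread; it reads the group through ADSI and assumes Azure AD principals can be recognised by the `S-1-12-1-` SID prefix.

```powershell
# Added example: audit the local Administrators group on an Azure AD joined PC.
# Run in Windows PowerShell on the PC itself; it only reads group membership.

# Resolve the group by its well-known SID (S-1-5-32-544) so the name is
# correct on localized Windows installations.
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

$report = foreach ($member in @($group.Invoke('Members'))) {
    $type = $member.GetType()
    $path = $type.InvokeMember('ADsPath',   'GetProperty', $null, $member, $null)
    $raw  = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
    $sid  = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value

    # Assumption: SIDs starting with S-1-12-1- belong to Azure AD principals
    # (users, or directory roles added when the device was joined).
    $origin = if ($sid -like 'S-1-12-1-*') { 'AzureAD' } else { 'Local or AD' }

    [pscustomobject]@{
        Member = $path -replace '^WinNT://', '' -replace '/', '\'
        SID    = $sid
        Origin = $origin
    }
}

# Azure AD entries are the ones to compare against the accounts that are
# supposed to hold local admin rights on this PC.
$report | Sort-Object Origin, Member | Format-Table -AutoSize
```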

All replies

  • The account used to perform the Azure AD Join during the Out of box experience is added to the local admins group. AAD Premium allows admins to specify a Device Admins group which can also be added to the local admin group. The user using the device can be removed from local admin group manually. Refer: Azure AD users given local admin permissions


    • Proposed as answer by Ajay Kadam Wednesday, March 7, 2018 5:13 PM
    Wednesday, March 7, 2018 5:13 PM
  • @IKFI, thanks for sharing the workaround with us. This will be helpful to other community members who may come across this issue.

    Thursday, March 29, 2018 5:13 PM
  • For now you can try Windows Autopilot, which prevents the user account used to set up the device from getting local admin permissions. If this doesn't work, create a dedicated account and use that for your first logon; every subsequent user that logs on will be a regular user.

    I suggest you leave a comment and upvote this feature at https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34877155-azuread-join-give-user-admin-access-needs-to-rest


    Friday, August 10, 2018 8:02 PM