Intune and Local Administrators

One of the fun things with Intune is that you can manage the administrators on local systems, but it is best suited to managing specific, named accounts. For example, it is very easy to add user “X” as an administrator to 1 computer or to 1000 computers, using several different methods.

The challenge I’ve seen is “How do you control the currently logged-in user’s account? What if you want them to be an administrator but you may not know who the current user is on 15 different computers?”

I found a script that can help with that:

function Convert-ObjectIdToSid
{
    # Despite its name, this converts an Azure AD SID (S-1-12-1-a-b-c-d) back to the
    # account's Azure AD object ID: the four 32-bit sub-authorities are the GUID bytes.
    # It only works for Azure AD SIDs; the result is displayed for reference, the group
    # operation below uses the SID itself.
    param([String] $Sid)
    $text  = $Sid.Replace('S-1-12-1-', '')
    $array = [UInt32[]]$text.Split('-')

    $bytes = New-Object 'Byte[]' 16
    [Buffer]::BlockCopy($array, 0, $bytes, 0, 16)
    [Guid]$guid = $bytes

    return $guid
}

try
{
    # The owner of explorer.exe is the interactively logged-on user. If more than one
    # user has a desktop session this yields several names; the script expects one.
    $account = Get-WmiObject Win32_Process -Filter "Name='explorer.exe'" |
        ForEach-Object { $_.GetOwner() } | Select-Object -Unique -ExpandProperty User
}
catch
{
    $account = "userdoesnotexist"
}

Write-Host "Current User is $account"
$administrator = "azuread\" + $account

# Look up the SID from the profile whose folder matches the user name. This assumes the
# profile folder was created with the plain user name (no suffix such as jdoe.AZUREAD).
$path = "C:\Users\" + $account
$adminSID = (Get-WmiObject Win32_UserProfile | Where-Object LocalPath -EQ $path).SID
if (-not $adminSID)
{
    Write-Host "No profile found for $account; no user added"
    exit 1
}
Write-Host $adminSID

$Get_SID = Convert-ObjectIdToSid $adminSID
Write-Host $Get_SID

# Resolve the Administrators group by its well-known SID rather than by name, so a
# renamed or localized group is still found.
$Get_Local_AdminGroup = Get-WmiObject Win32_Group -Filter "Domain='$env:COMPUTERNAME' and SID='S-1-5-32-544'"
$Get_Local_AdminGroup_Name = $Get_Local_AdminGroup.Name
try
{
    # Adding by SID works for Azure AD accounts even when the WinNT provider cannot
    # resolve the account name.
    $ADSI = [ADSI]("WinNT://localhost")
    $Group = $ADSI.Children.Find($Get_Local_AdminGroup_Name, 'group')
    $Group.Add("WinNT://$adminSID")
    Write-Host "$administrator added to Administrators group"
}
catch
{
    Write-Host "No user added to Administrators group"
}

This script will:

  1. Find the currently active user account (the owner of explorer.exe)
  2. Find the SID for that account from its user profile
  3. Add the account to the local Administrators group by SID

You can use the same approach to create a script that removes the user:

function Convert-ObjectIdToSid
{
    # Despite its name, this converts an Azure AD SID (S-1-12-1-a-b-c-d) back to the
    # account's Azure AD object ID; it only works for Azure AD SIDs and the result is
    # displayed for reference only.
    param([String] $Sid)
    $text  = $Sid.Replace('S-1-12-1-', '')
    $array = [UInt32[]]$text.Split('-')

    $bytes = New-Object 'Byte[]' 16
    [Buffer]::BlockCopy($array, 0, $bytes, 0, 16)
    [Guid]$guid = $bytes

    return $guid
}

try
{
    # The owner of explorer.exe is the interactively logged-on user.
    $account = Get-WmiObject Win32_Process -Filter "Name='explorer.exe'" |
        ForEach-Object { $_.GetOwner() } | Select-Object -Unique -ExpandProperty User
}
catch
{
    $account = "userdoesnotexist"
}

Write-Host "Current User is $account"
$administrator = "azuread\" + $account

# Look up the SID from the profile whose folder matches the user name.
$path = "C:\Users\" + $account
$adminSID = (Get-WmiObject Win32_UserProfile | Where-Object LocalPath -EQ $path).SID
if (-not $adminSID)
{
    Write-Host "No profile found for $account; no user removed"
    exit 1
}
Write-Host $adminSID

$Get_SID = Convert-ObjectIdToSid $adminSID
Write-Host $Get_SID

# Resolve the Administrators group by its well-known SID rather than by name.
$Get_Local_AdminGroup = Get-WmiObject Win32_Group -Filter "Domain='$env:COMPUTERNAME' and SID='S-1-5-32-544'"
$Get_Local_AdminGroup_Name = $Get_Local_AdminGroup.Name
try
{
    $ADSI = [ADSI]("WinNT://localhost")
    $Group = $ADSI.Children.Find($Get_Local_AdminGroup_Name, 'group')
    $Group.Remove("WinNT://$adminSID")
    Write-Host "$administrator removed from Administrators group"
}
catch
{
    Write-Host "No user removed from Administrators group"
}
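As an added example that is not part of the original post, here is a companion detection script that lists the local Administrators membership by SID and reports whether the interactive user is already a member, using the same explorer.exe-owner lookup as the scripts above. It assumes Windows PowerShell 5.1 running as SYSTEM (as Intune platform scripts and Proactive Remediations do) and the Proactive Remediations exit-code convention; the function names are this example's own.

```powershell
# Added example (not from the original post): Intune detection-style script that lists
# the local Administrators membership by SID and reports whether the interactive user
# is already a member. Assumed: Windows PowerShell 5.1 running as SYSTEM, as Intune
# platform scripts and Proactive Remediations do. Function names are this example's own.

function Get-InteractiveUserSid {
    # Same discovery as the post: owner of explorer.exe, then that user's profile SID.
    $owner = Get-WmiObject Win32_Process -Filter "Name='explorer.exe'" |
        ForEach-Object { $_.GetOwner() } | Select-Object -First 1
    if (-not $owner) { return $null }
    $userProfile = Get-WmiObject Win32_UserProfile |
        Where-Object { $_.LocalPath -eq ("C:\Users\" + $owner.User) }
    if (-not $userProfile) { return $null }
    return $userProfile.SID
}

function Get-LocalAdminMemberSids {
    # Resolve the group by its well-known SID (renamed or localized groups still match),
    # then read each member's objectSid: Azure AD members (S-1-12-1-...) often have no
    # resolvable name on the device, but their SID is always present.
    $name  = (Get-WmiObject Win32_Group -Filter "Domain='$env:COMPUTERNAME' and SID='S-1-5-32-544'").Name
    $group = [ADSI]"WinNT://./$name,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Test-InteractiveUserIsLocalAdmin {
    # $true / $false, or $null when no interactive user profile could be found.
    $sid = Get-InteractiveUserSid
    if (-not $sid) { return $null }
    return (@(Get-LocalAdminMemberSids) -contains $sid)
}

$members = @(Get-LocalAdminMemberSids)
Write-Output ("Local Administrators members: " + ($members -join ', '))

# Proactive Remediations convention: exit 1 = run the remediation (the add script),
# exit 0 = nothing to do. Write-Output so the message lands in the output Intune collects.
$isAdmin = Test-InteractiveUserIsLocalAdmin
if ($null -eq $isAdmin) { Write-Output "No interactive user profile found"; exit 0 }
elseif ($isAdmin)      { Write-Output "Interactive user is already a local administrator"; exit 0 }
else                   { Write-Output "Interactive user is not a local administrator"; exit 1 }
```

Pairing this with the add script as the remediation means the group is only modified on devices where the user is actually missing, and the membership line gives you a per-device record of which SIDs hold local admin.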
