In the on-premises world, many organizations use the RestrictedGroup Group Policy setting to place their own workstation admin groups on domain joined machines, and of course to remove other rogue local administrators.
In the modern cloud first world, I couldn’t find any UI can configure Restricted Group settings to apply the same settings. I did however find this setting; Additional local administrators on Azure AD joined devices, where we can add additional local admins, but not remove unwanted admins. This setting is on tenant level and applied to all Azure AD joined machines. So this is not exactly what I am looking for.
Maybe many of you are just like me, want to have more control of who is admin for Azure AD joined machines? Now there are good news and bad news.. but let’s explore the possibilities first.
Good news first
RestrictedGroups Policy CSP came with Windows 10 version 1803, we can now use Microsoft Intune configure Restricted Group settings. More details are available on the below links:
I finally got some time test this new Policy and got it working.
This is my Administrators group before I configure Restricted Groups policy
Download the psexec tool, run psexec.exe -i -s cmd.exe, in the command prompt launched by psexec.exe, enter powershell.exe to open PowerShell.
You should get the same result by running this PowerShell command:
(Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_Policy_Result01_RestrictedGroups02").ConfigureGroupMembership
Let’s configure the settings.
- Create a new Custom OMA-URI policy:
Name: RestrictedGroups (or anything you want)
Value: (Note: This is tested in Windows 10 1803 Enterprise)
<accessgroup desc = "Administrators"> <member name = "Administrator" /> <member name = "AzureAD\[email protected]" /> <member name = "AzureAD\[email protected]" /> </accessgroup>
(This is tested on Windows 10 Insider 17744, RS5)
<groupmembership> <accessgroup desc = "Administrators"> <member name = "Administrator" /> <member name = "AzureAD\[email protected]" /> <member name = "AzureAD\[email protected]" /> </accessgroup> </groupmembership>
In this example, I added the local Administrator, and two Azure AD accounts as member of local Administrators group. If you attempt to remove the local Administrator account the policy will fail, you will also see an error output in the DeviceManagement-Enterprise-Diagnostics-Provider event log:
- Assign this policy to devices group.
Here is the result:
In Microsoft Intune portal can also confirm Restricted Groups policy applied successfully.
What is the bad news?!
Sorry but I have some bad news having tested this process multiple times. The Restricted Group Policy CSP only applies ONCE, meaning if you make changes to local administrators group AFTER the policy is applied, this policy will not apply again to reset those settings. This isn’t what I had expected, and I sincerely hope Microsoft can improve it in the near future.