AzureAD Joined Windows 10 PC - Remove device owner's administration rights?

  • Question

  • Hi,

    I have a Windows 10 PC that is organisation owned.  When the device was set up it was AD Joined with the user account of the person the device was going to be allocated to.  By default AzureAD puts this user into the local administrators group on the PC.  I don't want my users to have this access, so is there a way I can move them to the local users group?  I've tried creating a local admin account, but when logged in with that I can't see the AzureAD user to be able to change it.  Is there some funky PowerShell out there that might fix this?

    Any thoughts?

    Rob

    Friday, October 30, 2015 5:04 PM

All replies

  • Hello Rob,

    I think there must be an AzureAD account with administrator rights (by design). What I did was to log in with a special AzureAD account first and then log in with the normal user. I can manage the PC with my special account.

    Marcel

    Monday, November 2, 2015 8:14 PM
  • Hi Marcel

    What privileges did the "normal" user get?  I ask because when I've tried that, their user ID "azuread\username" still gets put into the local Administrators group.  The interesting thing is that the previous user's account is removed from the local administrators group, i.e. there is only ever one "azuread\username" user in the local administrators group.

    Cheers

    Rob

    Monday, November 2, 2015 9:07 PM
  • Hello Rob,

    The normal users are users with no administrative privileges.

    Actually, I do not see the normal users within the Control Panel/User accounts. Maybe you have to delete them from the local computer, but I am not sure about how to manage this.

    Marcel

    Tuesday, November 3, 2015 8:23 AM
  • Ah, so your normal user is a local account rather than an Azure AD organisational account.  That would make more sense.

    From what I can see there is no way to control the user permissions for an Azure AD organisational account logging into Windows 10.  I assume this is because it is following the mobile device philosophy, where the idea of admin/standard accounts isn't featured.  It just adds another layer of complication for corporate management of devices; back to good old Active Directory services to do it properly.

    Tuesday, November 3, 2015 11:52 AM
  • Hello Rob,

    The normal user is also an Azure AD account. Only the first user will be Local Administrator by default.

    I created a user localadmin@myorg.onmicrosoft.com and I logged in with this user the first time. Then I give the computer to the user and they can log in with their own e-mail address (Azure AD), and they get no administrative privileges.

    Marcel

    Tuesday, November 3, 2015 11:58 AM
  • Hi Marcel

    Thanks for the clarification.

    I've just set up a new Win10 device and followed what you have said.  As you correctly say, the first account remains in the Local Admins group.  I then logged in with a user account (AzureAD account) and noticed they are not added to the local admin group; however, it appears they still have admin permissions as I am able to install win32 applications without being prompted for admin access.  Shame, thought we were onto a winner there :(

    Rob

    Tuesday, November 3, 2015 12:47 PM
  • Hello Rob,

    That is strange. In my case I used Windows 10 Enterprise. I've installed it with a local account (administrator), then I sysprepped it to deploy it to multiple computers.

    After a new deployment I log in with the local admin, add it to Azure AD and then log in with the Azure AD account. Then when a user logs in, they can't install programs.

    You might want to check the local policy.

    Success

    Marcel

    Tuesday, November 3, 2015 1:43 PM
  • A-ha, so it's all in the way that you do things... I love how consistent this OS is!

    It appears that if you join AzureAD while doing the setup (from a Sysprep image in my case) then you get the same result as me, i.e. all users will have admin access.

    If you do it your way, Marco, and join Azure AD from the settings menu while logged in with a local admin account, then any new user will only be a standard user...

    So the question now is why is this happening like this, and is there a way of changing an AzureAD user to a standard user without having to erase the device and start again!

    Good fun eh!

    Tuesday, November 3, 2015 2:26 PM
  • Just a side bit: once a user is a "standard" user they aren't able to perform a workplace join.  Unless there is a GPO edit out there to allow this?

    Tuesday, November 3, 2015 3:57 PM
  • Hello Rob,

    My full steps, what I did to add the computer to AzureAD; I had no advanced tooling like SCCM and I don't have a local Active Directory domain:

    1. I created an Office 365 account localadmin@mycomp.onmicrosoft.com.
    2. In AzureAD: Add this user to the selected users “may join devices to azure AD”.
    3. Install Windows 10 on a computer, with a local administrator account and configure what you need.
    4. When ready I did a sysprep and created an image.
    5. I deploy the image to new computers and login with the local administrator.
    6. Add it to AzureAD and when asked, give the localadmin@mycomp.onmicrosoft.com user and password.
    7. Now the computer is added to AzureAD.
    8. I reboot the computer and login with localadmin@mycomp.onmicrosoft.com.
    9. This user has local administrator rights.
    10. After that I login with the normal Office 365 user user@domain.com.
    11. This user has no local administrator rights and cannot install applications.

    Marcel

    Tuesday, November 3, 2015 6:19 PM
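An added example (not from the thread or from any Microsoft documentation) that turns the check Rob and Marcel are doing by hand after each join method into a script: it lists the local Administrators group on the device, flags Azure AD principals that are not on an approved list, and can optionally remove them. It assumes Windows 10 1607 or later, where the built-in LocalAccounts cmdlets (Get-LocalGroupMember / Remove-LocalGroupMember) exist, an elevated session, and the localadmin account name is the one from Marcel's steps used as a placeholder.

```powershell
# Added example: audit the local Administrators group on an Azure AD joined
# Windows 10 device and flag Azure AD principals that are not approved.
# Assumptions: Windows 10 1607+ (LocalAccounts module present), run elevated.
# The approved account below is a placeholder taken from the thread's steps.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Azure AD accounts that are allowed to keep local administrator rights.
    [string[]]$ApprovedAdmins = @('AzureAD\localadmin@mycomp.onmicrosoft.com'),

    # Remove unapproved Azure AD members instead of only reporting them.
    [switch]$Remediate
)

$members = Get-LocalGroupMember -Group 'Administrators'

foreach ($m in $members) {
    # PrincipalSource says where the account comes from: Local, ActiveDirectory,
    # AzureAD or MicrosoftAccount. Azure AD role SIDs (e.g. the tenant's device
    # administrators) appear as unresolved SIDs with no friendly name.
    $status = 'ok'
    if ($m.PrincipalSource -eq 'AzureAD' -and $ApprovedAdmins -notcontains $m.Name) {
        $status = 'UNAPPROVED'
    }

    # Emit one row per member so the output can be piped to Format-Table / Export-Csv.
    [pscustomobject]@{
        Name   = $m.Name
        Source = $m.PrincipalSource
        Class  = $m.ObjectClass
        Status = $status
    }

    # Only act when -Remediate is given; ShouldProcess honours -WhatIf / -Confirm.
    if ($status -eq 'UNAPPROVED' -and $Remediate) {
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
        }
    }
}
```

Run it with `-Remediate -WhatIf` first to preview which Azure AD members would be removed; membership changes take effect at the user's next sign-in, so a device where applications install without a UAC prompt (Rob's symptom) should be re-checked after the user logs off and on again.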
  • Hi Marcel

    That's near the identical process I followed, which worked.

    Do you connect your users to a MDM using Work Place Join?

    Cheers

    Rob

    Tuesday, November 3, 2015 11:08 PM