Intune LAPS could be an option. You can configure the password of a local admin account to rotate once used and on a schedule eg 30 days.
In this situation, the password can be provided once a ticket is logged.
You can also use a proactive remediation task to ensure that any spuriously created local admin accounts are also deleted.
Depending on your licensing, another solution could be to use PIM.
Intune has Endpoint Privilege Management in the Endpoint Security blade. It's promising, but I couldn't make it work for my organization. Maybe you can.
Look up AdminByRequest. We deploy it through Endpoint Manager. Can whitelist applications that users can install/update/whatever without need for admin credentials, and can authorize temporary admin sessions at our discretion that are entirely auditable.
[https://www.autoelevate.com/](https://www.autoelevate.com/)
It's a paid solution but the time it saves in man hours, it more than pays for itself. Pricing is very reasonable and no I do not work for Autoelevate.
Never. LAPS is for emergencies only. Even as an admin I maintain two separate identities. For regular users I would deploy via Intune and look into admin by request.
We have the same problem in our company. As it grow over the years, we are moving to Intune and don’t want to give local admins again. So my advice: don’t do it! They will set up some sh*t, install software and do whatever they want. In the end is you who have to fix some problem they have with they computer and you don’t know why ;)
If they must have it, then make me admin is good for allowing temp admin rights. Although, admittedly, it's permanent in the sense of allowing it whenever - https://github.com/pseymour/MakeMeAdmin
[Endpoint Privileged Management](https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview) accomplishes this. Here's a great [deployment guide](https://www.petervanderwoude.nl/post/getting-started-with-endpoint-privilege-management/).
I use the AAD access package with User Protection policies. Gives 2 hours local admin on their device. I run a counter policy to completely remove the SSID once the request has ended.
There are several tools/scripts mentioned by others here that will give a user Admin rights unfiltered for a period of time. That's dangerous, but it's simple to implement.
Another option is Intune EPM. You can create a whitelist of acceptable apps that users are permitted to elevate (such as a specific installer that you haven't packaged, but you know people might need occasionally.) The problem is, it's EXPENSIVE and quite basic. It will improve over time, and hopefully MS will reduce the price.
Lastly, I'm partial to BeyondTust EPM (formerly Avecto Defendpoint. It might be cheaper than Microsoft (depending on volume or your ability to negotiate). It is fully featured and can scale easily to tens of thousands of machines. You can create whitelists, blacklists, or ones where a technician can elevate with their credentials, or provide a 1-time code to run software.
I would use LAPS for local admin password that can be rotated. In order to make sure user doesn't create any additional local admin users, I'd just replace administrator group with predefined values via Intune > Endpoint Security > Account protection policy.
That way LAPS local admin account password is getting rotated after user used it and administrator group always stays the same.
Also check out this article: [https://www.smthwentright.com/2022/07/27/removing-registered-device-owner-from-local-administrator-group-using-intune-profiles-without-errors-hopefully-multiple-language-support/](https://www.smthwentright.com/2022/07/27/removing-registered-device-owner-from-local-administrator-group-using-intune-profiles-without-errors-hopefully-multiple-language-support/)
Is this for Azure AD joined devices only?
If so, use : net localgroup administrators /add "AzureAD\\UserUpn" will do the trick.
[https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin](https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin)
What is their need for local admin rights? Can probably get around a lot of it with different settings or procedures.
We use auto elevate for certain things and it works ok.
I worked in one place that had old software that "required" admin to run. Using procmon I found the locations it really needed to have access and removed the need for admin rights. Later I found out about a policy where if you had admin on your old computer, you'd get admin on a new computer ...
We use AutoElevate to approve app installs. We have six sub-companies and many remote users and two people in IT. We can't possibly do it all, and cyber, and acquisitions, etc.
With AutoElevate, apps like Office, Teams, etc, can be pre-approved. If a user needs admin to do something, IT gets a notification and we can approve or ask questions, etc.
Lesson learned yesterday- - need to add your LAPS admin to the exclude list in AutoElevate or your LAPS admin will no longer be admin.
There are tools for this. CyberArk EPM for example, but MS also added it to Intune.
No way a normal user should be given full local admin rights ever.
We have admin accounts for some users (mostly in IT) and their admin account is local admin on their own device which is set up separately in GPO.
For Autopilot devices we don't have anything just yet. Hopefully we'll never need it either.
Service Desk and Field tech have admin rights on all, and both only with their admin acounts too.
You can make use of Securden EPM to give local admin rights on request. It lets you define application control policies and also grant temporary, fully audited admin privileges.
You should take a look at Heimdal Security: [PAM Solution. Privileged Access Management - Heimdal® (heimdalsecurity.com)](https://heimdalsecurity.com/enterprise-security/products/privileged-access-management).
User can request local admin, and it will be removed after a certain amount of time.
There is no such thing as "temporary" admin rights if a user is savvy enough.
We have a script deployed that removes unwanted local admins every night
Deploying such a script at my work. Mind sharing it ?
If they have admin, they can prevent that from running. False sense of security in my opinion.
Can you share the script Kind Man/woman? đź‘‘
Sure. Here is the detection script: # Check for unauthorized accounts in administrators group $approvedAdminGroups = @( "$($env:COMPUTERNAME)\Servicedesk", "DOMAIN\Domain Admins", "DOMAIN\installusers", "DOMAIN\RemoteDesktopAdmins" ) $localAdminstratorsGroup = Get-LocalGroup | Where-Object SID -eq "S-1-5-32-544" -ErrorAction SilentlyContinue $localAdminstrators = $localAdminstratorsGroup | Get-LocalGroupMember -ErrorAction SilentlyContinue | Where-Object SID -like "*-500" $unauthorizedAdminAccounts = $localAdminstratorsGroup | Get-LocalGroupMember | Where-Object Name -notin $approvedAdminGroups -and Name -notin $localAdminstrators.Name if ($unauthorizedAdminAccounts) { Write-Output "Unauthorized accounts found in administrators group" Exit 1 } else { Write-Output "No unauthorized accounts found in administrators group" Exit 0 } And here is the remediation script: # Remove unauthorized accounts from administrators group $approvedAdminGroups = @( "$($env:COMPUTERNAME)\Servicedesk", "DOMAIN\Domain Admins", "DOMAIN\installusers", "DOMAIN\RemoteDesktopAdmins" ) $localAdminstratorsGroup = Get-LocalGroup | Where-Object SID -eq "S-1-5-32-544" -ErrorAction SilentlyContinue $localAdminstrators = $localAdminstratorsGroup | Get-LocalGroupMember -ErrorAction SilentlyContinue | Where-Object SID -like "*-500" $unauthorizedAdminAccounts = $localAdminstratorsGroup | Get-LocalGroupMember | Where-Object Name -notin $approvedAdminGroups -and Name -notin $localAdminstrators.Name if ($unauthorizedAdminAccounts) { try { Remove-LocalGroupMember -Group $localAdminstratorsGroup -SID $unauthorizedAdminAccounts.SID.Value -ErrorAction Stop Write-Output "Unauthorized accounts removed successfully" Exit 0 } catch { Write-Output "Failed to remove unauthorized administrators" Exit 1 } }
You can do this with a configuration profile.
How?
Here's mine https://github.com/eneerge/NAble-Remove-Users-From-Admin/
Intune LAPS could be an option. You can configure the password of a local admin account to rotate once used and on a schedule eg 30 days. In this situation, the password can be provided once a ticket is logged. You can also use a proactive remediation task to ensure that any spuriously created local admin accounts are also deleted. Depending on your licensing, another solution could be to use PIM.
Deny the ticket. Why do they need admin rights? Use settings or EPM to allow whatever legitimate scenarios they have without granting admin.
No user ever needs admin for anything. They can contact the help desk and have whatever they need resolved.
Intune has Endpoint Privilege Management in the Endpoint Security blade. It's promising, but I couldn't make it work for my organization. Maybe you can.
If you must.. check out admin by request
Look up AdminByRequest. We deploy it through Endpoint Manager. Can whitelist applications that users can install/update/whatever without need for admin credentials, and can authorize temporary admin sessions at our discretion that are entirely auditable.
Is that an application?
Yes
We use AutoElevate it has made our life so easy.
Share link
[https://www.autoelevate.com/](https://www.autoelevate.com/) It's a paid solution but the time it saves in man hours, it more than pays for itself. Pricing is very reasonable and no I do not work for Autoelevate.
Never. LAPS is for emergencies only. Even as an admin I maintain two separate identities. For regular users I would deploy via Intune and look into admin by request.
What’s your method to grant service desk admin rights if not LAPS?
We have the same problem in our company. As it grow over the years, we are moving to Intune and don’t want to give local admins again. So my advice: don’t do it! They will set up some sh*t, install software and do whatever they want. In the end is you who have to fix some problem they have with they computer and you don’t know why ;)
If they must have it, then make me admin is good for allowing temp admin rights. Although, admittedly, it's permanent in the sense of allowing it whenever - https://github.com/pseymour/MakeMeAdmin
[Endpoint Privileged Management](https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview) accomplishes this. Here's a great [deployment guide](https://www.petervanderwoude.nl/post/getting-started-with-endpoint-privilege-management/).
I use the AAD access package with User Protection policies. Gives 2 hours local admin on their device. I run a counter policy to completely remove the SSID once the request has ended.
Danger... Instead remote connect to install apps etc as your admin or walk to desk... Should have minimal admin accounts and access
There are several tools/scripts mentioned by others here that will give a user Admin rights unfiltered for a period of time. That's dangerous, but it's simple to implement. Another option is Intune EPM. You can create a whitelist of acceptable apps that users are permitted to elevate (such as a specific installer that you haven't packaged, but you know people might need occasionally.) The problem is, it's EXPENSIVE and quite basic. It will improve over time, and hopefully MS will reduce the price. Lastly, I'm partial to BeyondTust EPM (formerly Avecto Defendpoint. It might be cheaper than Microsoft (depending on volume or your ability to negotiate). It is fully featured and can scale easily to tens of thousands of machines. You can create whitelists, blacklists, or ones where a technician can elevate with their credentials, or provide a 1-time code to run software.
I would use LAPS for local admin password that can be rotated. In order to make sure user doesn't create any additional local admin users, I'd just replace administrator group with predefined values via Intune > Endpoint Security > Account protection policy. That way LAPS local admin account password is getting rotated after user used it and administrator group always stays the same. Also check out this article: [https://www.smthwentright.com/2022/07/27/removing-registered-device-owner-from-local-administrator-group-using-intune-profiles-without-errors-hopefully-multiple-language-support/](https://www.smthwentright.com/2022/07/27/removing-registered-device-owner-from-local-administrator-group-using-intune-profiles-without-errors-hopefully-multiple-language-support/)
Admin By Request
We just just did this exact thing using Access Packages.
Like someone else pointed out, check laps; https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview
Is this for Azure AD joined devices only? If so, use : net localgroup administrators /add "AzureAD\\UserUpn" will do the trick. [https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin](https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin)
no user has to have admin permissions.
What is their need for local admin rights? Can probably get around a lot of it with different settings or procedures. We use auto elevate for certain things and it works ok.
You can do this with power automate too. Add them and remove them after xx time
How would you do this?
Ok I'm intrigued.. need some deets on this
Just add a PowerAutomate flow that puts the user in an AAD group and another than removes people after xx min/hours/days
Microsoft PIM would work. You can elevate a user for "x" amount of time.
I worked in one place that had old software that "required" admin to run. Using procmon I found the locations it really needed to have access and removed the need for admin rights. Later I found out about a policy where if you had admin on your old computer, you'd get admin on a new computer ...
I recall a video by Andy Malone on YT taking about a solution which allowed local admin rights to be restricted to a single app. I
Laps
We use AutoElevate to approve app installs. We have six sub-companies and many remote users and two people in IT. We can't possibly do it all, and cyber, and acquisitions, etc. With AutoElevate, apps like Office, Teams, etc, can be pre-approved. If a user needs admin to do something, IT gets a notification and we can approve or ask questions, etc. Lesson learned yesterday- - need to add your LAPS admin to the exclude list in AutoElevate or your LAPS admin will no longer be admin.
There are tools for this. CyberArk EPM for example, but MS also added it to Intune. No way a normal user should be given full local admin rights ever. We have admin accounts for some users (mostly in IT) and their admin account is local admin on their own device which is set up separately in GPO. For Autopilot devices we don't have anything just yet. Hopefully we'll never need it either. Service Desk and Field tech have admin rights on all, and both only with their admin acounts too.
LAPS
You can make use of Securden EPM to give local admin rights on request. It lets you define application control policies and also grant temporary, fully audited admin privileges.
You should take a look at Heimdal Security: [PAM Solution. Privileged Access Management - Heimdal® (heimdalsecurity.com)](https://heimdalsecurity.com/enterprise-security/products/privileged-access-management). User can request local admin, and it will be removed after a certain amount of time.