
(129) Microsoft Intune - Adding User to Administrators Group

  • Writer: Mr B SOE way
  • Jun 17, 2024
  • 2 min read

If all devices were enrolled with a deployment profile where "User account type" was Standard, a neat and clean way of adding a standard user to the "Administrators" group is to create a Win32 application. The application gets the user currently logged on to the device and adds that user to the members of the device's Administrators group.


For install.ps1:

Param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Install", "Uninstall")]
    [String]
    $Mode
)

# Get current logged on user (empty when nobody is signed in)
$loggedon = $(Get-WMIObject -class Win32_ComputerSystem | select username).username
if (-not $loggedon) {
    "No user is currently logged on"
    exit 1
}
# Get the local administrators group name
$LocalAdminGroup = Get-LocalGroup -SID "S-1-5-32-544"
$Localadmingroupname = $LocalAdminGroup.name

# Get the list of all members of the Administrators group
$adminMembers = cmd.exe /c "Net localgroup `"$Localadmingroupname`"" | Out-String

# Split the members list into an array of users, removing empty lines and headers/footers
$adminMembersArray = $adminMembers -split "`r`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -notmatch "command completed successfully" -and $_ -notmatch "^-+" -and $_ -ne $Localadmingroupname }

If ($Mode -eq "Install") {

    # Add current user to the local administrator group
    if ($adminMembersArray -notcontains $loggedon) {
        cmd.exe /c "Net localgroup `"$Localadmingroupname`" /add `"$loggedon`""
    }
    else {
        "User is already a member of the `"$Localadmingroupname`" group"
    }
}

If ($Mode -eq "Uninstall") {

    # Remove current user from the local administrator group
    if ($adminMembersArray -contains $loggedon) {
        cmd.exe /c "Net localgroup `"$Localadmingroupname`" /Delete `"$loggedon`""
    }
    else {
        "User is not a member of the `"$Localadmingroupname`" group"
    }
}

For detect.ps1:


# Get current logged on user
$loggedon = $(Get-WMIObject -class Win32_ComputerSystem | select username).username

# Get the local administrators group name
$LocalAdminGroup = Get-LocalGroup -SID "S-1-5-32-544"
$Localadmingroupname = $LocalAdminGroup.name

# Get the list of all members of the Administrators group
$adminMembers = cmd.exe /c "Net localgroup `"$Localadmingroupname`"" | Out-String

# Split the members list into an array of users, removing empty lines and headers/footers
$adminMembersArray = $adminMembers -split "`r`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -notmatch "command completed successfully" -and $_ -notmatch "^-+" -and $_ -ne $Localadmingroupname }

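# Check if the current user is in the list
if ($adminMembersArray -contains $loggedon) {
    # Output on STDOUT plus exit code 0 tells Intune the app is installed
    "Detected"
    exit 0
}
else {
    # No output and a non-zero exit code: Intune treats the app as not installed
    exit 1
}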
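
An alternative detection script, added here as an example and not part of the original post: it compares SIDs instead of parsing `net localgroup` text, so it does not depend on the English footer line or on whether a member is listed with or without a `DOMAIN\` prefix. The function names `Get-AdminGroupMemberSid` and `Get-LoggedOnUserSid` are hypothetical, and it assumes the script runs under Windows PowerShell 5.1 as in the program command lines.

```powershell
# Added example: SID-based detection (not the original detect.ps1).
# Assumption: runs under Windows PowerShell 5.1 in the Intune Win32 app context.

function Get-AdminGroupMemberSid {
    # Resolve the group by its well-known SID so a localized group name still works
    $groupName = (Get-LocalGroup -SID 'S-1-5-32-544').Name
    $group = [ADSI]"WinNT://./$groupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # The WinNT provider returns objectSid as a byte array
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Get-LoggedOnUserSid {
    # UserName is empty when nobody is signed in at the console
    $name = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if (-not $name) { return $null }
    try {
        $account = New-Object System.Security.Principal.NTAccount($name)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    catch {
        # The account name could not be mapped to a SID
        $null
    }
}

$userSid = Get-LoggedOnUserSid
if ($userSid -and (@(Get-AdminGroupMemberSid) -contains $userSid)) {
    # Output on STDOUT plus exit code 0 tells Intune the app is installed
    "Detected"
    exit 0
}
# No output and a non-zero exit code: not detected
exit 1
```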

Program command lines are as follows:

Install command:

%windir%\sysnative\windowspowershell\v1.0\powershell.exe -executionPolicy bypass -windowstyle hidden -file .\Install.ps1 -Mode Install


Uninstall command:

%windir%\sysnative\windowspowershell\v1.0\powershell.exe -executionPolicy bypass -windowstyle hidden -file .\Install.ps1 -Mode Uninstall

Detection is as follows:

Upload the detect.ps1 file.


Note: Once the application has been installed, the device will need to be restarted for it to take effect.
