
Create a local admin account with Intune

Daniel Kordes
Microsoft 365 Consultant and Microsoft MVP based in Zurich. I blog about Microsoft 365, Azure and cloud technologies.

This article was translated from German with the help of Claude.

Creating local accounts, including admin accounts, can be useful not only for LAPS. In this short blog article, I’ll show you how to create the account and move it to the appropriate permissions group.

Create a device configuration

First, we need to create a new “Configuration profile” for Windows devices in the Intune Admin Center. The configuration we need is unfortunately not available in the catalog and must be configured manually via OMA-URI entries. Therefore, we select “Templates” as the “Profile type” and choose the “Custom” template.

Then name your policy accordingly and you can start adding manual settings.

Create a local account

To create a user account with a corresponding password, we need to add the following entry:

OMA-URI
./Device/Vendor/MSFT/Accounts/Users/$DisplayNameOfTheAccount$/Password

It is important that you replace the second-to-last segment of the path (the $DisplayNameOfTheAccount$ placeholder) with your desired account name.

If you use LAPS, the password assigned here will be overwritten by the LAPS policy.

Add the account to the local administrators group

With this, we have only created a local user. For this user to also become a local admin, we need to add them to the local administrators group. This is also done via an OMA-URI entry in the same profile. We add another entry with the following values:

OMA-URI
./Device/Vendor/MSFT/Accounts/Users/$DisplayNameOfTheAccount$/LocalUserGroup

Again, please make sure that the second-to-last segment of the path is identical to the name of the account you created before.

Afterwards, assign the profile to the desired groups.

Configuration shows as failed

After the profile has been distributed to the devices, Intune shows errors in the overview.

Looking at it in detail, we see that the error code “-2016281112” is returned.

The fact is, however, that the configuration works and the local admin is created. In my research so far, I could not find any answers to this error. Various forums suggest that it is simply a bug. Regardless: the main thing is that it works.
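Since the Intune report shows an error even though the settings applied, the result can be confirmed on the device itself. The following PowerShell check is an added example, not part of the original article; the account name `ExampleLocalAdmin` and the function names are placeholders chosen here.

```powershell
# Added example, not from the original article. Run elevated on the managed device.
# Assumption: 'ExampleLocalAdmin' is a placeholder for the name used in the OMA-URI path.
param([string]$AccountName = 'ExampleLocalAdmin')

# Well-known SID of BUILTIN\Administrators; the group name itself is localized.
$AdminGroupSid = 'S-1-5-32-544'

function Get-AdminGroupMemberSid {
    $group = Get-LocalGroup -SID $AdminGroupSid
    try {
        (Get-LocalGroupMember -Group $group -ErrorAction Stop).SID.Value
    } catch {
        # Get-LocalGroupMember can throw when the group contains unresolvable SIDs
        # (seen on Entra-joined devices), so fall back to the ADSI WinNT provider.
        $adsi = [ADSI]"WinNT://./$($group.Name),group"
        foreach ($member in @($adsi.Invoke('Members'))) {
            $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
            (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
    }
}

function Test-LocalAdminAccount {
    param([Parameter(Mandatory)][string]$Name)

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    $adminSids = @(Get-AdminGroupMemberSid)

    [pscustomobject]@{
        Account         = $Name
        Exists          = [bool]$user
        Enabled         = if ($user) { $user.Enabled } else { $null }
        IsLocalAdmin    = [bool]($user -and ($adminSids -contains $user.SID.Value))
        # Changes after the initial creation if a LAPS policy rotates the password.
        PasswordLastSet = if ($user) { $user.PasswordLastSet } else { $null }
        # Total members of the local Administrators group, for a quick review.
        AdminGroupSize  = $adminSids.Count
    }
}

Test-LocalAdminAccount -Name $AccountName
```

`Exists` and `IsLocalAdmin` should both be `True` once the profile has applied, regardless of the status shown in the Intune overview.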
