Add or Remove Current Logged on User to a Local Group Using Win32 App

Overview

When it comes to supporting an Intune environment, packaging applications is a crucial task. While some apps are easy to handle, others, like Docker and Hyper-V, have unique requirements. For example, these applications require users to be members of a local group for them to work properly.

This article mainly focuses on adding users to the local administrators group. The script can be adapted for other install scripts: it can assign users to other groups once the application installation is finished.

You can download the script from my GitHub repo:
AddCurrentLoggedOnUserToLocalGroup

Why Win32 app over a proactive remediation script?

The advantage of using a Win32 app over a remediation script is that it doesn’t require Microsoft E3 or E5 licenses. The other advantage is that you can pass the install and uninstall commands in a single app/script and manage the mode through the usual app assignment.

If you are licensed for proactive remediation scripts, you can skip the Win32 app setup and use the scripts directly. Just be mindful to edit the Install.ps1 file and remove the mode statements. For remediation purposes, proactive remediation scripts apply on the devices more quickly; a Win32 app's detection can take up to 8 hours to run again and remediate.

Disclaimer

Unlike other apps, this particular tool will not automatically add the enrolling user to the local administrators group. It will do so only if the current logged on user and the enrolling user are the same. This feature addresses instances where the primary user is different from the enrolling user.

Additionally, the app comes with an uninstall mode. This mode is intended to remove the current logged on user from the local administrators group.

Limitations

  • The current logged on user may not be the intended user to be added to the local admin group. Use with caution.
  • The user must log out and log back in, or reboot, for admin permissions to take effect.

How does the app work?

The application is a simple PowerShell script with two modes: Install and Uninstall. It retrieves the current logged-on user and either adds them to or removes them from the local administrators group.

  • Install mode: Gets the current logged on user and adds them to the local administrators group.
  • Uninstall Mode: Gets the current logged on user and removes them from the local administrators group.
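The following Install.ps1-style script is an added example of the two modes described above; it is not the author's GitHub script. It assumes it runs as SYSTEM under the Intune Management Extension (so the interactive user has to be discovered, not read from $env:USERNAME), resolves the group by SID so renamed or localized Administrators groups still work, and goes a little beyond the text by accepting an optional -GroupName override for the Hyper-V and Docker cases. The log path and the Write-Log and Get-LoggedOnUser helpers are the example's own choices.

```powershell
# Added example Install.ps1 (not the original project's script).
# Assumes: runs as SYSTEM via the Intune Management Extension, 64-bit PowerShell
# (hence %windir%\sysnative in the install command), Windows 10/11 with the
# Microsoft.PowerShell.LocalAccounts module present.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Install', 'Uninstall')]
    [string]$Mode,

    # Built-in Administrators is S-1-5-32-544 on every Windows install; resolving by
    # SID avoids breaking on renamed or non-English group names.
    [string]$GroupSid = 'S-1-5-32-544',

    # Optional override by name, e.g. 'Hyper-V Administrators' or 'docker-users'
    # (assumed extension of the original script, which edits the SID line instead).
    [string]$GroupName
)

$ErrorActionPreference = 'Stop'
# Assumed log location: the IME log folder, so it is collected with other Intune logs.
$LogFile = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs\AddUserToLocalGroup.log'

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $Mode, $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

function Get-LoggedOnUser {
    # Win32_ComputerSystem.UserName is the console user (DOMAIN\user or AzureAD\user).
    # It is empty when nobody is signed in, e.g. during ESP or at the lock screen.
    $user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrWhiteSpace($user)) {
        throw 'No interactive user is logged on; nothing to do.'
    }
    return $user
}

try {
    $group = if ($GroupName) { Get-LocalGroup -Name $GroupName } else { Get-LocalGroup -SID $GroupSid }
    $user  = Get-LoggedOnUser

    # String -eq is case-insensitive in PowerShell, which matches SAM name semantics.
    $isMember = @(Get-LocalGroupMember -Group $group | Where-Object { $_.Name -eq $user }).Count -gt 0

    switch ($Mode) {
        'Install' {
            if ($isMember) {
                Write-Log "$user is already a member of '$($group.Name)'; no change."
            } else {
                Add-LocalGroupMember -Group $group -Member $user
                Write-Log "Added $user to '$($group.Name)'. Group membership applies at next sign-in."
            }
        }
        'Uninstall' {
            if ($isMember) {
                Remove-LocalGroupMember -Group $group -Member $user
                Write-Log "Removed $user from '$($group.Name)'."
            } else {
                Write-Log "$user is not a member of '$($group.Name)'; no change."
            }
        }
    }
    exit 0
}
catch {
    # Non-zero exit makes Intune report the install as failed and retry later,
    # which is what you want when no user was logged on at install time.
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

The membership check before every change keeps the script idempotent, which matters because Intune will rerun the install command when detection fails. One known caveat worth planning for: Get-LocalGroupMember can throw on Azure AD joined devices when the group contains a SID that Windows cannot translate, which is one reason the detection script in the original project reads membership with net localgroup instead.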

The app also has a detection script. It uses the "net localgroup" command for detection. This checks whether the current logged on user is a member of the local administrators group.
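Below is an added example of a Detect.ps1 in the style described above; it is not the author's detection script. It assumes the Intune custom-detection contract (exit code 0 plus something on STDOUT means "installed", anything else means "not installed") and parses the output of "net localgroup", skipping the fixed six-line header that command prints before the member list.

```powershell
# Added example Detect.ps1 (not the original project's script).
# Intune treats exit 0 together with non-empty STDOUT as "detected"; exit 0 with
# no output, or any non-zero exit, counts as "not detected". So the script must
# stay silent whenever the user is not a member.
$GroupSid = 'S-1-5-32-544'   # local Administrators; swap in the SID of the group you target

try {
    $user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrWhiteSpace($user)) { exit 1 }   # nobody at the console: not detected

    # Resolve the SID to the group's real name, then read membership with net localgroup.
    # This avoids Get-LocalGroupMember failing on SIDs it cannot translate.
    $groupName = (Get-LocalGroup -SID $GroupSid).Name
    $members = net localgroup "$groupName" 2>$null |
        Select-Object -Skip 6 |                                   # "Alias name", "Comment", blank, "Members", blank, dashes
        Where-Object { $_ -and $_ -notmatch '^The command completed' }

    # net localgroup prints local accounts as a bare name and domain/AzureAD
    # accounts as DOMAIN\name, while Win32_ComputerSystem always returns the
    # qualified form, so accept either spelling.
    $short    = $user.Split('\')[-1]
    $isMember = @($members | Where-Object { $_.Trim() -eq $user -or $_.Trim() -eq $short }).Count -gt 0

    if ($isMember) {
        Write-Output "$user is a member of $groupName"   # STDOUT + exit 0 = detected
        exit 0
    }
    exit 1
}
catch {
    exit 1
}
```

Use Write-Output rather than Write-Host for the detection message: the Intune Management Extension reads the standard output stream, and a detection that "succeeds" without writing to it is reported as not installed, which would trigger another install attempt every detection cycle.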

You can download the install and detect scripts from my GitHub.

Adding the application to Intune

  • Follow the standard steps to package the Install.ps1 into an install.intunewin file.
  • Create a new Win32 app on Intune
  • For the Install commands use: %windir%\sysnative\windowspowershell\v1.0\powershell.exe -executionPolicy bypass -windowstyle hidden -file .\Install.ps1 -Mode Install
  • For Uninstall commands use: %windir%\sysnative\windowspowershell\v1.0\powershell.exe -executionPolicy bypass -windowstyle hidden -file .\Install.ps1 -Mode Uninstall
  • For Detection rules, use a Custom detection script and upload the Detect.ps1

Tips

  • Hyper-V group name: Hyper-V Administrators
  • Docker group name: docker-users
  • You can change the script to use a group name instead of the local administrators group SID. For example, you can target the Hyper-V Administrator group by commenting out line #11 and changing line #12 in Install.ps1 to:
#$LocalAdminGroup = Get-LocalGroup -SID "S-1-5-32-544"
$Localadmingroupname = "Hyper-V Administrators"
  • If you want users to be added to a group after an app installs, assign this app. Then make the original app a dependency for this application. This will ensure users are added to the required group once the main app installation is finished.
