Empowering Customers with On-Demand Local Admin Access via Intune and PowerShell
PowerShell script for a customer to provide local admin access via Intune
Introduction: A customer recently asked me to create a script allowing them to provide local administrator access on the fly using Microsoft Intune. The customer wanted a solution that would enable their IT team to quickly grant temporary local admin privileges to users without the need for manual intervention on each machine. While there are other ways to achieve this, such as Microsoft's Local Administrator Password Solution (LAPS) or Endpoint Privilege Management solutions, the customer specifically opted for a PowerShell script-based approach. In this blog post, we'll explore the PowerShell script I developed to address this requirement.
The Problem: In many organizations, there are scenarios where users require temporary local administrator access to perform specific tasks or troubleshoot issues on their machines. However, granting permanent local admin rights to users can pose security risks and make it difficult to manage access control. The challenge was to find a way to provide on-demand local admin access that could be easily deployed and managed through Microsoft Intune.
Alternative Solutions: Before diving into the PowerShell script solution, it's worth mentioning that there are other methods available for managing local administrator access in an enterprise environment.
- Local Administrator Password Solution (LAPS): LAPS is a Microsoft solution that allows organizations to manage and rotate local administrator passwords automatically. It provides a secure way to grant temporary access by generating unique, complex passwords for each machine and storing them in Active Directory.
- Endpoint Privilege Management: Endpoint Privilege Management solutions, such as CyberArk Endpoint Privilege Manager or BeyondTrust Endpoint Privilege Management, offer comprehensive capabilities for managing and controlling local administrator privileges. These solutions provide granular access control, auditing, and monitoring features to ensure secure and compliant privilege management across endpoints.
However, in this case, the customer requested a PowerShell script-based solution that could be deployed via Intune. They preferred this approach due to its flexibility and the ability to customize the script according to their specific requirements.
The Solution: To meet the customer's needs, I created a PowerShell script that leverages Microsoft Intune to grant temporary local administrator access to users. The script automates checking whether the currently signed-in user is a member of the local Administrators group and adds them to the group if necessary. Let's dive into the script and understand its functionality.
Script Breakdown:
- Retrieving the currently signed-in user:
- Retrieving the list of local administrators:
- Checking the current user's membership status:
- Displaying the updated list of local administrators:
Finally, the script displays the updated list of local administrators, highlighting the current user in the list for easy identification.
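The four steps of the breakdown above, written out as an added example. This is not the author's script; it is a stand-alone PowerShell script that performs the same sequence (find the signed-in user, list local Administrators, add the user if missing, print the updated list with the user marked) and additionally records when the grant was made so that a later run can revoke it once it has expired. It assumes it runs in the device (SYSTEM) context on Windows 10/11 with the built-in Microsoft.PowerShell.LocalAccounts module; the log path, registry key and `-ExpiryHours` parameter are hypothetical choices, not Intune or Windows defaults.

```powershell
<#
  Added example, not the original post's script.
  Grants (or revokes) local Administrators membership for the interactively
  signed-in user, logs the action, and records an expiry so that a later run
  (for example a scheduled task or an Intune remediation) can take the right away.
  Assumptions: runs as SYSTEM; paths below are hypothetical.
#>
[CmdletBinding()]
param(
    [switch]$Revoke,        # remove the grant now instead of adding it
    [int]$ExpiryHours = 8   # how long the grant is meant to last (hypothetical default)
)

$LogPath   = 'C:\ProgramData\TempLocalAdmin\grant.log'  # hypothetical location
$StateKey  = 'HKLM:\SOFTWARE\TempLocalAdmin'            # hypothetical location
$GroupName = 'Administrators'

function Write-Log {
    param([string]$Message)
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogPath
    Write-Output $Message
}

function Get-SignedInUser {
    # Win32_ComputerSystem.UserName is the console user as DOMAIN\user or AzureAD\user;
    # it is empty when nobody is signed in interactively (e.g. the script ran at boot).
    $name = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrWhiteSpace($name)) { throw 'No interactive user is signed in.' }
    return $name
}

function Get-LocalAdmins {
    # Member names come back in the same DOMAIN\user form used above.
    Get-LocalGroupMember -Group $GroupName | Select-Object -ExpandProperty Name
}

function Test-IsMember {
    param([string]$User, [string[]]$Members)
    # Case-insensitive comparison; account names are not case-sensitive on Windows.
    return [bool]($Members | Where-Object { $_ -ieq $User })
}

function Get-GrantState {
    # Returns the recorded grant (user + expiry) or $null if nothing was recorded.
    if (-not (Test-Path $StateKey)) { return $null }
    $p = Get-ItemProperty -Path $StateKey
    return [pscustomobject]@{ User = $p.User; Expires = (Get-Date $p.Expires) }
}

function Remove-Grant {
    param([string]$User)
    if (Test-IsMember -User $User -Members (Get-LocalAdmins)) {
        Remove-LocalGroupMember -Group $GroupName -Member $User
        Write-Log "REVOKED $User from $GroupName"
    }
    Remove-Item -Path $StateKey -Recurse -Force -ErrorAction SilentlyContinue
}

# 1. Who is signed in, and 2. who is currently a local admin
$user    = Get-SignedInUser
$members = Get-LocalAdmins

# Enforce the 'temporary' part: an earlier grant past its expiry is removed,
# regardless of which user is signed in now.
$state = Get-GrantState
if ($state -and ($Revoke -or (Get-Date) -gt $state.Expires)) {
    Remove-Grant -User $state.User
    $members = Get-LocalAdmins
}

# 3. Add the current user only if missing, and record the expiry
if (-not $Revoke) {
    if (Test-IsMember -User $user -Members $members) {
        Write-Log "SKIP $user is already a member of $GroupName"
    } else {
        Add-LocalGroupMember -Group $GroupName -Member $user
        $expires = (Get-Date).AddHours($ExpiryHours)
        New-Item -Path $StateKey -Force | Out-Null
        Set-ItemProperty -Path $StateKey -Name 'User'    -Value $user
        Set-ItemProperty -Path $StateKey -Name 'Expires' -Value $expires.ToString('o')
        Write-Log "GRANTED $user to $GroupName until $($expires.ToString('o'))"
    }
}

# 4. Updated list with the signed-in user marked
Get-LocalAdmins | ForEach-Object {
    if ($_ -ieq $user) { "* $_   <-- signed-in user" } else { "  $_" }
}
```

Two practical points when running this from Intune: the script must execute in the device context (the "Run this script using the logged on credentials" option left at No), because a standard user cannot modify the Administrators group; and on Microsoft Entra joined devices `Get-LocalGroupMember` can fail when the group contains cloud principals it cannot resolve, in which case `net localgroup Administrators` is the usual fallback for listing members. The grant and revoke lines in the log, together with Security event 4732 (member added to a security-enabled local group) and 4733 (member removed), give the IT team a record of every change the script makes.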
Intune Deployment: To deploy this script via Microsoft Intune, follow these steps:
- Package the script as a PowerShell script (.ps1 file) and upload it to Intune.
- Create a new PowerShell script configuration profile in Intune and specify the script file.
- Assign the configuration profile to the desired user groups or devices.
- When the script is executed on the target machines, it automatically checks and modifies the local administrator group membership based on the current user's status.
Benefits and Use Cases: This PowerShell script, combined with Microsoft Intune, offers several advantages and use cases for organizations:
- On-Demand Access: IT teams can quickly grant temporary local admin access to users without the need for manual intervention on each machine.
- Granular Control: The script allows for granular control over local administrator access, ensuring that users have the necessary privileges only when required.
- Intune Integration: The script can be easily deployed and managed across the organization's devices by leveraging Microsoft Intune.
- Security and Compliance: The script helps maintain security by providing temporary access instead of permanent local admin rights, reducing the risk of unauthorized access or misuse.
Conclusion: Providing on-demand local administrator access to users is a common requirement in many organizations. While solutions like Microsoft's LAPS and Endpoint Privilege Management offer robust ways to manage local administrator privileges, the customer, in this case, specifically requested a PowerShell script-based approach that could be deployed via Intune. The script I developed automates verifying and modifying local administrator group membership, enabling quick and efficient access management. By deploying this script through Intune, organizations can empower their users while maintaining control and security over local administrator access tailored to their specific needs and preferences.
Get the PowerShell script from here!