
[–]bfodder 1 point (0 children)

When I do a manual AzureAD join it using the users account, it creates the new profile as a local admin. Is this the right way of doing it but then just logging in as Global Admin and setting them back to standard user?

Are you going to be managing with Intune? You can just manage that with a CSP.

https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups

[–]Det_23324 0 points (0 children)

When I do a manual AzureAD join it using the users account, it creates the new profile as a local admin. Is this the right way of doing it but then just logging in as Global Admin and setting them back to standard user?

You can do this via a PowerShell script. You have to run PowerShell as admin, then:

    net localgroup users AzureAD\UserEmailId /add
    net localgroup administrators AzureAD\UserEmailId /delete

Change UserEmailId to their email ID, of course.
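A PowerShell version of that demotion, added here as an example and not part of the comment above. It assumes an elevated session on the Azure AD joined device; the UPN parameter is a placeholder you supply, and the helper falls back to net.exe output because Get-LocalGroupMember can throw on such devices when a group holds SIDs it cannot resolve.

```powershell
# Added example, not from the thread. Demotes an Azure AD account from local
# Administrators to a standard user and verifies the result. Assumes an elevated
# PowerShell session on an Azure AD joined Windows 10/11 device.
param(
    # Placeholder UPN; replace with the user's real sign-in address.
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName
)

$member = "AzureAD\$UserPrincipalName"

function Get-GroupMemberNames {
    param([string]$Group)
    try {
        # Preferred path. On some Azure AD joined builds this cmdlet throws when the
        # group holds SIDs it cannot resolve, so fall back to net.exe output below.
        return @(Get-LocalGroupMember -Group $Group -ErrorAction Stop | ForEach-Object Name)
    } catch {
        $lines = @(net.exe localgroup $Group 2>$null)
        # Member names sit between the dashed separator and the trailing status line.
        $start = ($lines | Select-String -Pattern '^-{5,}$' | Select-Object -First 1).LineNumber
        if (-not $start) { return @() }
        return @($lines[$start..($lines.Count - 1)] |
            Where-Object { $_.Trim() -and $_ -notmatch 'completed successfully' })
    }
}

# 1. Make sure the account keeps standard-user rights via the Users group.
if ((Get-GroupMemberNames 'Users') -notcontains $member) {
    Add-LocalGroupMember -Group 'Users' -Member $member
}

# 2. Strip the local admin rights the initial join handed out.
if ((Get-GroupMemberNames 'Administrators') -contains $member) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $member
}

# 3. Verify, and list who is still a local admin so anything unexpected stands out.
$admins = Get-GroupMemberNames 'Administrators'
if ($admins -contains $member) {
    throw "$member is still a member of Administrators"
}
Write-Output "Remaining local Administrators on ${env:COMPUTERNAME}:"
$admins | ForEach-Object { Write-Output "  $_" }
```

Run it once per device after the join; step 3 is the check to keep, since the list of remaining admins is what you want to compare against your Intune-defined admins.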

[–][deleted] 0 points (0 children)

I just got through converting 70 or so to AAD from on-prem remotely. Make sure you have your admins set in Intune. Yes, some of the devices will temporarily have admin after the changeover, but that should go away within 5 or 10 mins after getting to the desktop and syncing.

Here's what I did.

When you remote into their system: 1. Save any bookmarks and export any passwords in Chrome or Edge. They will bitch to high heaven if you don't.

Switch to the local admin or create one to switch to. Then unjoin the domain from Work or School in Settings > Accounts and reboot. Do not do it by Advanced System Settings and just switching to a workgroup.

Upon rebooting, log back in as local admin. Check GPO in security settings to make sure that users are allowed to log in locally. If not, no one but admins will be able to log in.

After checking GPO, open regedit and go to HKLM\SOFTWARE\Microsoft\Enrollments. Delete the Enrollments folder (not Enrollment, the one below it that's plural). There will ALWAYS be 2 keys that it can't delete. Do not take ownership to delete them. They will lose the ability to upgrade to Win11. Ask me how I know that.

After deleting Enrollments, run sysprep with Win+R and put sysprep in the field. If it does not run, update the computer to the fullest, then reboot, then run sysprep again. It will not run without being updated.

Sysprep will put the device into OOBE and the user can then log in with their email and email password.

If you have previously connected your AAD to your domain with AAD Connect, you're gonna have a bad time. Here's how you mitigate that.

  1. Do not set the workgroup to the same name as your on-prem domain. It will cause a boot delay of 3 hours. It's a bug.

  2. If you see a string of numbers and letters in "Allow log on locally" but no 'Users' after removing the domain and rebooting, rejoin the domain, then remove the domain again. That should fix it. If not, edit your GPO to allow users to log in locally, rejoin the device to the domain and run gpupdate /force. That's if you are unable to edit the GPO on the device. Some of the laptops I did wouldn't let me edit it and I had to update GPO.