Trying to add AzureAD "LoggedOnUser" to Custom Local Group

Hey guys,

Before posting I did search to see whether someone has faced similar issues, but I could not find the same use case, so hopefully someone in this forum has ideas that may be able to help me.

I am trying to create an Intune App package with the following goals:

Installation:
a) Install application with list of arguments

Post Installation:
b) Add LoggedOnUser which is an “AzureAD” account to a Local Group. Please note, it’s not a Restricted Group like Administrators but instead a custom Local group created for the application we are trying to deploy to all endpoints.

Uninstallation:
c) Uninstall application

Post Uninstallation:
d) Remove folders from User Profiles (clean up post uninstallation being completed)
e) Remove LoggedOnUser from the Local Group

Please note, if I try to run this on my device in an elevated PS session, it works fine, but I must be missing something: when I deploy the package through Intune, I can achieve the software installation, which sets the deployment as “Installed”, but I can’t get the post-installation working. See below what I have in the ps1:

```powershell
# Return SID: LogonUI records the SID of the last logged-on user under HKLM (read via the 64-bit view)
$key1 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
$subKey1 = $key1.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI")
$SID = $subKey1.GetValue("LastLoggedOnUserSID")

# Return UPN: the Azure AD identity cache maps that SID to the user's UPN
$key2 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
$subKey2 = $key2.OpenSubKey("SOFTWARE\Microsoft\IdentityStore\Cache\$SID\IdentityCache\$SID")
$UPN = $subKey2.GetValue("UserName")

# Add the logged-on user to the custom local group, using the AzureAD\ prefix
Add-LocalGroupMember -Group "MyApp Administrators" -Member "AzureAD\$UPN"
```

See below error from “C:\Windows\Logs\Software”

```
<![LOG[[Post-Installation] :: Error Record:
-------------

Message        : The term 'Add-LocalGroupMember' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

InnerException : 

FullyQualifiedErrorId : CommandNotFoundException
ScriptStackTrace      : at <ScriptBlock>, 
C:\windows\IMECache\59884cac-bfa0-49f2-9079-ae7911217ea5_1\Deploy-Application.ps1: line 212
at <ScriptBlock>, <No file>: line 1

PositionMessage : At C:\windows\IMECache\59884cac-bfa0-49f2-9079-ae7911217ea5_1\Deploy-Application.ps1:212 char:3
                  +         Add-LocalGroupMember -Group "MyApp Administrators" -Member  ...
                  +         ~~~~~~~~~~~~~~~~~~~~

]LOG]!><time="15:35:34.294600" date="09-08-2023" component="Deploy Application" context="NT AUTHORITY\SYSTEM" type="3" thread="13904" file="Deploy-Application.ps1">
<![LOG[[Post-Installation] :: Bypassing Show-DialogBox [Mode: NonInteractive]. Text:Error Record:
-------------

Message        : The term 'Add-LocalGroupMember' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
InnerException : 

FullyQualifiedErrorId : CommandNotFoundException
ScriptStackTrace      : at <ScriptBlock>, 
C:\windows\IMECache\59884cac-bfa0-49f2-9079-ae7911217ea5_1\Deploy-Application.ps1: line 212
at <ScriptBlock>, <No file>: line 1

PositionMessage : At C:\windows\IMECache\59884cac-bfa0-49f2-9079-ae7911217ea5_1\Deploy-Application.ps1:212 char:3
                  +         Add-LocalGroupMember -Group "MyApp Administrators" -Member  ...
                  +         ~~~~~~~~~~~~~~~~~~~~
```

I have also tried putting this in a PS script, but Intune ignores it as well.

Help!
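As an added example (not the OP's script and not PSAppDeployToolkit code), here is a hypothetical standalone script that does the same job more defensively: it takes the interactively logged-on user from Win32_ComputerSystem instead of the LogonUI "last user" value (which can be stale or empty), checks whether Add-LocalGroupMember is actually available before using it and falls back to net.exe otherwise, and only changes membership when needed. The group name, script name and sample user are placeholders; it assumes it runs as SYSTEM on an Azure AD joined device.

```powershell
<# Added example (not the OP's script or PSADT code). Hypothetical helper that
   Deploy-Application.ps1 could call from the Post-Installation / Post-Uninstallation
   sections. Assumes: runs as SYSTEM on an Azure AD joined device; group name is a
   placeholder. #>
param(
    [ValidateSet('Add', 'Remove')] [string] $Action = 'Add',
    [string] $GroupName = 'MyApp Administrators'   # placeholder group name
)
$net = "$env:SystemRoot\System32\net.exe"   # exists for both 32- and 64-bit hosts

# The interactively logged-on user, rather than LogonUI's "last" user, which can be
# stale (a previous user) or empty while the device phase of enrollment is running.
function Get-InteractiveUser {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.UserName) { throw 'No interactive user session found.' }
    return $cs.UserName    # e.g. 'AzureAD\jane@contoso.com' on an AAD-joined device
}

# Membership check via net.exe: the LocalAccounts module (Get-LocalGroupMember) is
# 64-bit only and is missing when the calling host is 32-bit, as Intune's agent is.
function Test-LocalGroupMember([string] $Group, [string] $Member) {
    $lines = & $net localgroup $Group 2>$null
    return [bool]($lines | Where-Object { $_.Trim() -ieq $Member })
}

$user       = Get-InteractiveUser
$present    = Test-LocalGroupMember -Group $GroupName -Member $user
$haveCmdlet = [bool](Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue)

# Idempotent: change membership only when needed; prefer the cmdlet when its module
# loads, otherwise fall back to net.exe so the step also works from a 32-bit host.
if ($Action -eq 'Add' -and -not $present) {
    if ($haveCmdlet) { Add-LocalGroupMember -Group $GroupName -Member $user }
    else { & $net localgroup $GroupName $user /add | Out-Null }
} elseif ($Action -eq 'Remove' -and $present) {
    if ($haveCmdlet) { Remove-LocalGroupMember -Group $GroupName -Member $user }
    else { & $net localgroup $GroupName $user /delete | Out-Null }
} else {
    $state = if ($present) { 'is already' } else { 'is not' }
    Write-Output "No change: '$user' $state a member of '$GroupName'."
}
# Surface net.exe failures (e.g. the group does not exist) to the caller as a non-zero exit code.
if ($LASTEXITCODE) { exit $LASTEXITCODE }
exit 0
```

From Deploy-Application.ps1 it can be launched with Execute-Process; when the caller is a 32-bit host, pointing it at `$env:windir\Sysnative\WindowsPowerShell\v1.0\powershell.exe` starts the 64-bit host, where the LocalAccounts module is available.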

Add-LocalGroupMember is in PowerShell 5.1 (IOW: Windows 10).

What version of Windows/PowerShell are you using?
Are you using PSADT 3.9.2?

I have observed this too when adding users to the local group using PowerShell.

Is your Intune deployment running as System or as the User? Depending on the rights, the user may not have permission to add themselves to this local group.
FYI: using my standard (non-admin) account I get a permission denied, but using an account that is a local admin on my device I can do this.

N.B. You may also get different results using Windows PowerShell vs PowerShell Core (v6 or later).

There is a way you can do this with Policy in Intune. I appreciate you are not trying to add users to the Administrators group, but the principle is the same.

This might be worth considering.

1 Like

Hey @That-Annoying-Guy - see below

```
Name                           Value
----                           -----
PSVersion                      5.1.22621.1778
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
BuildVersion                   10.0.22621.1778
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```

I am using PSADT 3.9.3

Hey @Adrian_Scott

The App package has been configured to run as System and yes for additional context, end users are not local admins so elevated rights are required to add/remove members from local groups.

Prior to trying the application packaging plus post-installation tasks, I tried the following:

a) Intune Scripts
b) Intune Proactive Remediations (Scripts) - running on a schedule
c) Intune Configuration Policies with the following

RestrictedGroups Policy CSP - Windows Client Management | Microsoft Learn

LocalUsersAndGroups Policy CSP - Windows Client Management | Microsoft Learn

The policies work fine when adding an Azure AD User (AzureAD\JohnCitizen) or Azure AD Group (only accepting SID). Unfortunately, the application I am working with requires specifically to use the “LoggedOnUser” hence this method is not suitable for us :frowning:

Update: I ended up grabbing the contents of the actual “Add user to Local Group” portion, saved them into a ps1 file and then converted the ps1 into an exe file.

I used Execute-Process (PSAppDeployToolkit) to execute the exe, and Intune was happy :slight_smile:

```
<![LOG[[Installation] :: Updating local group membership]LOG]!><time="17:20:25.142600" date="09-11-2023" component="Deploy-Application" context="NT AUTHORITY\SYSTEM" type="1" thread="13080" file="Deploy-Application.ps1">
<![LOG[[Installation] :: Bypassing Show-InstallationProgress [Mode: NonInteractive]. Status message:Updating Local Group Membership]LOG]!><time="17:20:25.158600" date="09-11-2023" component="Show-InstallationProgress" context="NT AUTHORITY\SYSTEM" type="1" thread="13080" file="Deploy-Application.ps1">
<![LOG[[Installation] :: [AddGroupMembersip.exe] successfully resolved to fully qualified path [C:\windows\IMECache\3653c2c5-e766-4b95-b711-5dec7e7af799_1\Files\AddGroupMembersip.exe].]LOG]!><time="17:20:25.204600" date="09-11-2023" component="Execute-Process" context="NT AUTHORITY\SYSTEM" type="1" thread="13080" file="Deploy-Application.ps1">
<![LOG[[Installation] :: Working Directory is [C:\windows\IMECache\3653c2c5-e766-4b95-b711-5dec7e7af799_1\Files].]LOG]!><time="17:20:25.222600" date="09-11-2023" component="Execute-Process" context="NT AUTHORITY\SYSTEM" type="1" thread="13080" file="Deploy-Application.ps1">
<![LOG[[Installation] :: Executing [C:\windows\IMECache\3653c2c5-e766-4b95-b711-5dec7e7af799_1\Files\AddGroupMembersip.exe]...]LOG]!><time="17:20:25.234600" date="09-11-2023" component="Execute-Process" context="NT AUTHORITY\SYSTEM" type="1" thread="13080" file="Deploy-Application.ps1">
<![LOG[[Installation] :: Execution completed successfully with exit code [0].]LOG]!><time="17:20:26.108600" date="09-11-2023" component="Execute-Process" context="NT AUTHORITY\SYSTEM" type="1" thread="13080" file="Deploy-Application.ps1">
```

Hope this helps others

2 Likes