pseymour / MakeMeAdmin

Make Me Admin is a simple, open-source application for Windows that allows standard user accounts to be elevated to administrator-level, on a temporary basis.
https://makemeadmin.com/
GNU General Public License v3.0

GPO or reg-settings with security groups issue #30

Open IwistIT opened 3 years ago

IwistIT commented 3 years ago

I am trying to regulate the use of this nice application with the GPOs / reg-keys you set up for this. If I enter a user account or SID for the Allowed Entities, then it works fine.

However, when an AD group or AD group SID is entered here, the users are not authorized to use the application. Can you help me with this?

Thanks in advance.

Willem

pseymour commented 3 years ago

Could you post a screenshot of your registry settings? If you don't want to post it publicly, send to my same user name at protonmail.com.

Luckyson666 commented 3 years ago

Hi, I have the same experience. My registry settings on the test workstation:

[screenshot]

Could you help us with it?

Thank you.

IwistIT commented 3 years ago

Hi Luckyson666,

I have this experience only on Azure AD joined devices: the group does not work, but directly added users do. The group does work on domain-joined devices.

Luckyson666 commented 3 years ago

Hi IwistIT, today I tried the same as yesterday: I created a new on-premise security group and updated the GPO with the new group name, and now it's working as expected. I don't understand the behaviour, because I did exactly the same as before; maybe some fault of mine "somewhere" :)

We are using a hybrid AD join environment and I thought that I would just easily add SinclairMakeMeAdmin.admx to Configuration profiles in Intune, but I was not able to create a functional OMA-URI for this custom admx in Intune. Did you succeed with deploying the Make Me Admin settings via Intune?

IwistIT commented 3 years ago

Yes, I did:

First you have to import the policy definition: [screenshot]

OMA-URI I used for import: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/MakeMeAdmin/Policy/SinClairMakeMeAdminAdmx

MakeMeAdminCSPDefinition.txt

After import you can find them in the registry:

[screenshot]

And then use these definitions to define the policy settings:

[screenshots]

And so on for the other settings.

Luckyson666 commented 3 years ago

Hi IwistIT, great, thank you, I'll try it and let you know here ;)

Luckyson666 commented 3 years ago

Hi IwistIT, your configuration works, and I now see the problem I had in my OMA-URI configuration. I tried to use the original admx file with the value:

[screenshot]

You changed it to:

[screenshot]

So thank you again! ;)

IwistIT commented 3 years ago

Thanks for your feedback. It's great that the CSP is now working. You're welcome.

CloudViking86 commented 3 years ago

I am really scratching my head here, trying to get the exact same thing to work using Intune against an AAD-joined device. I've tried the example above, replacing occurrences of <parentCategory ref="scc:SinclairRoot" /> and <parentCategory ref="makemeadmin:MakeMeAdmin" /> with <parentCategory ref="MakeMeAdmin" />; that didn't work, and I want it to work with the actual ADMX files so I understand the concept behind creating OMA-URIs.

Now bear with me here, this is the first time I am working with ADMX files and deploying them through Intune. There are two ADMX files.

In Intune:

===

Name: "MakeMeAdmin ADMX" (which contains both of the below):

- Name: SinclairBase
  Description:
  OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/MakeMeAdmin/Policy/SinclairBase
  Data type: String
  Value: <content of SinclairBase.admx>

- Name: SinclairMakeMeAdmin
  Description:
  OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/MakeMeAdmin/Policy/SinclairMakeMeAdmin
  Data type: String
  Value: <content of SinclairMakeMeAdmin.admx>

As per the legend on how to construct an OMA-URI for an ADMX file (for ingestion):
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{AdmxFileName}

- {AppName} = MakeMeAdmin
- {SettingType} = Policy
- {AdmxFileName} = SinclairBase OR SinclairMakeMeAdmin, depending on the ADMX

===

Name: "MakeMeAdmin Set Syslog-server"

- Name: MakeMeAdmin ADMX - Set Syslog-server
  Description:
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MakeMeAdmin~Policy~SinclairRoot~MakeMeAdmin/SyslogServers
  Data type: String
  Value:

```xml
<enabled/>
<data id="SyslogMultiText" value="127.0.0.1"/>
```

As per the legend for applying a property from an already imported ADMX file:
./Device/Vendor/MSFT/Policy/Config/{AppName}~{SettingType}~{CategoryPathFromADMX}/{SettingFromADMX}

- {AppName} = MakeMeAdmin
- {SettingType} = Policy
- {CategoryPathFromADMX}: first, for "SyslogServers", I have a "parentCategory ref" of makemeadmin:MakeMeAdmin; then moving "up" I have a "parentCategory ref" of scc:SinclairRoot, so all together SinclairRoot~MakeMeAdmin
- {SettingFromADMX} = SyslogServers

My reference has been this: https://www.petervanderwoude.nl/post/deep-dive-ingesting-third-party-admx-files/

I have probably misunderstood something, and it would be helpful if someone explained what I've done wrong; I guess I've "nested" the hierarchy of the parentCategories the wrong way.

```xml
<categories>
  <category name="MakeMeAdmin" displayName="$(string.MakeMeAdminDisplayName)" explainText="$(string.MakeMeAdminExplainText)">
    <parentCategory ref="scc:SinclairRoot" />
  </category>
</categories>
```

^ The above exists in "SinclairMakeMeAdmin.admx", and its parent (scc:SinclairRoot):

```xml
<categories>
  <category name="SinclairRoot" displayName="$(string.SinclairRoot)" explainText="$(string.SinclairRoot_Help)" />
</categories>
```

^ in turn exists in "SinclairBase.admx", so the OMA-URI should be: ./Device/Vendor/MSFT/Policy/Config/MakeMeAdmin~Policy~SinclairRoot~MakeMeAdmin/SyslogServers ?

Update:

Got it working. I used this file: https://github.com/pseymour/MakeMeAdmin/blob/master/Setup/GroupPolicy/SinclairMakeMeAdmin.admx and replaced all occurrences of <parentCategory ref="makemeadmin:MakeMeAdmin" /> with <parentCategory ref="MakeMeAdmin" /> for "Value"; for "Data type" I selected "String"; for "OMA-URI" I used: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/MakeMeAdmin/Policy/SinclairMakeMeAdminADMX

I then used this:

- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MakeMeAdmin~Policy~MakeMeAdmin/SyslogServers
- Data type: String
- Value: <enabled/><data id="SyslogMultiText" value="192.168.10.186"/>

^ Mocked against a local Syslog server.

What I had a problem with is that it did not ingest the ADMX when I tried: I did see it in regedit under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\ but not under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\. When it worked, I found my "SyslogServers" policy / key under: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Sinclair Community College\Make Me Admin\

For those who might be interested: <parentCategory ref="makemeadmin:MakeMeAdmin" /> ^ p. 27 (Referencing Windows category elements) here: https://www.microsoft.com/en-us/download/details.aspx?id=7101
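The OMA-URI legend worked through in the post above, as an added example written for this thread (it is not code from the MakeMeAdmin project or from anyone in the issue). It parses a constructed, trimmed ADMX with the same category shape as SinclairMakeMeAdmin.admx, derives the policy OMA-URI by walking the parentCategory references, reproduces the single-file edit from the "Update" (making MakeMeAdmin a root category and dropping the namespace prefix), and lists the two PolicyManager registry keys the post uses to tell "ingested" from "parsed". The function names and the sample ADMX are assumptions; the registry key paths are the ones named in the post, and nothing about their sub-key layout is assumed.

```powershell
# Added example, not from the MakeMeAdmin project: derives the Intune OMA-URI for each
# policy in an ADMX file by walking <parentCategory> references, following the legend
# ./Device/Vendor/MSFT/Policy/Config/{AppName}~{SettingType}~{CategoryPath}/{Policy}.
# The ADMX below is a constructed, trimmed stand-in for SinclairMakeMeAdmin.admx; only
# the category/policy shape matters here.

$AppName     = 'MakeMeAdmin'   # {AppName} chosen when ingesting the ADMX
$SettingType = 'Policy'        # {SettingType} chosen when ingesting the ADMX

[xml]$admx = @'
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="makemeadmin" namespace="Sinclair.Policies.MakeMeAdmin" />
    <using prefix="scc" namespace="Sinclair.Policies.Base" />
  </policyNamespaces>
  <categories>
    <category name="MakeMeAdmin" displayName="$(string.MakeMeAdminDisplayName)">
      <parentCategory ref="scc:SinclairRoot" />
    </category>
  </categories>
  <policies>
    <policy name="SyslogServers" class="Machine" displayName="$(string.SyslogServers)"
            key="Software\Sinclair Community College\Make Me Admin">
      <parentCategory ref="makemeadmin:MakeMeAdmin" />
      <elements>
        <multiText id="SyslogMultiText" valueName="Syslog Servers" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

function Get-AdmxCategoryPath {
    # Walks from a policy's parentCategory ref up to the root, producing "Root~Child~...".
    param([xml]$Admx, [string]$CategoryRef)
    $segments = New-Object System.Collections.Generic.List[string]
    $ref = $CategoryRef
    while ($ref) {
        $name = ($ref -split ':')[-1]            # "makemeadmin:MakeMeAdmin" -> "MakeMeAdmin"
        $segments.Insert(0, $name)
        $category = @($Admx.policyDefinitions.categories.category) | Where-Object { $_.name -eq $name }
        if (-not $category) { break }            # defined in another ADMX (scc:SinclairRoot lives in SinclairBase.admx)
        $ref = $category.parentCategory.ref      # $null once the category is a root
    }
    return ($segments -join '~')
}

function Get-IntuneOmaUri {
    # One OMA-URI per <policy> element, ready to paste into an Intune custom profile.
    param([xml]$Admx, [string]$AppName, [string]$SettingType)
    foreach ($policy in @($Admx.policyDefinitions.policies.policy)) {
        $path = Get-AdmxCategoryPath -Admx $Admx -CategoryRef $policy.parentCategory.ref
        [pscustomobject]@{
            Policy = $policy.name
            OmaUri = "./Device/Vendor/MSFT/Policy/Config/$AppName~$SettingType~$path/$($policy.name)"
        }
    }
}

function ConvertTo-SingleFileAdmx {
    # Reproduces the manual edit from the post: make MakeMeAdmin a root category and drop
    # the namespace prefix from policy refs, so the file ingests without SinclairBase.admx.
    param([xml]$Admx)
    $copy = [xml]$Admx.OuterXml
    foreach ($cat in @($copy.policyDefinitions.categories.category)) {
        $parent = $cat.ChildNodes | Where-Object { $_.LocalName -eq 'parentCategory' }
        if ($parent) { [void]$cat.RemoveChild($parent) }
    }
    foreach ($pol in @($copy.policyDefinitions.policies.policy)) {
        $pol.parentCategory.ref = ($pol.parentCategory.ref -split ':')[-1]
    }
    return $copy
}

function Get-AdmxIngestionState {
    # Lists what the device has under the two PolicyManager keys named in the post:
    # AdmxInstalled shows the ADMX was received, AdmxDefault that it was parsed into categories.
    # Only the two key paths come from the post; the layout beneath them is not assumed.
    $base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'
    [pscustomobject]@{
        AdmxInstalled = @(Get-ChildItem "$base\AdmxInstalled" -Recurse -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
        AdmxDefault   = @(Get-ChildItem "$base\AdmxDefault"   -Recurse -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
    }
}

# Two-file layout: SinclairBase.admx supplies scc:SinclairRoot, so the category path is SinclairRoot~MakeMeAdmin.
Get-IntuneOmaUri -Admx $admx -AppName $AppName -SettingType $SettingType

# Single-file layout after the edit: the category path collapses to MakeMeAdmin.
Get-IntuneOmaUri -Admx (ConvertTo-SingleFileAdmx -Admx $admx) -AppName $AppName -SettingType $SettingType
```

The two calls at the end produce exactly the two URIs the post went through: the first attempt with SinclairRoot~MakeMeAdmin, and the working one with MakeMeAdmin only. Run Get-AdmxIngestionState on the device after the profile syncs; an entry under AdmxInstalled with nothing under AdmxDefault is the "received but not parsed" state described in the post, which is where an unresolvable cross-file category reference shows up.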

leggo2 commented 2 years ago

@IwistIT Did you manage to get Azure AD joined devices to work with an Azure AD security group in "Allowed Entities"?

salihzett commented 1 year ago

Has anyone resolved this? Maybe with an example for allowed entities and Intune? I tried the script from Oliver to convert an Azure AD group ID to a SID and set it in the ADMX entry, but it didn't work.

The user and the devices are Azure AD joined (cloud environment).

pakbaetz commented 7 months ago

Hello @pseymour, I need your help with making myself an admin. I've followed the steps outlined, but I'm having trouble with the allowed entities settings. I've already deployed the OMA-URI settings in Intune, but every time I grant myself admin access, it doesn't seem to work. Although I receive a notification that I have admin access, I still can't perform admin tasks.

I received an error in Intune regarding my OMA-URI settings. [screenshot]

pseymour commented 7 months ago

Does your account end up in the Administrators group?

On Thu, Nov 23, 2023 at 10:17 PM, pakbaetz wrote:

> Hello @pseymour, I need your help with making myself an admin. I've followed the steps outlined, but I'm having trouble with the allowed entities settings. I've already deployed the OMA-URI settings in Intune, but every time I grant myself admin access, it doesn't seem to work. Although I receive a notification that I have admin access, I still can't perform admin tasks.

pakbaetz commented 7 months ago

Yup, it was added to the admin group @pseymour, but after that I'm still not getting admin access. After I granted my device admin access in the Make Me Admin app, I tried to run the command prompt as admin, but it did not work. The admin access only works if I reboot the device.
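A check for the situation in the last two comments, added as an example for this thread (not code from the MakeMeAdmin project): the account shows up in the local Administrators group, yet the running session still cannot elevate. Group membership is read from the local SAM each time, while the group SIDs in a logon token are fixed when the session is created, so a membership change is only visible to processes started from a new logon. The function compares the two views and says which case applies. It assumes an English-language whoami output (the attribute text is localized) and the Microsoft.PowerShell.LocalAccounts module; the function name is an assumption.

```powershell
# Added example, not from the MakeMeAdmin project: explains why "added to Administrators"
# and "can run as administrator" can disagree in the same session.

function Get-AdminMembershipState {
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # View 1: the current process token, as whoami reports it. A UAC-filtered token still
    # carries the SID, but flagged "Group used for deny only" (English output assumed).
    $tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry  = $tokenGroups | Where-Object { $_.SID -eq $adminSid }
    $sidInToken  = $null -ne $adminEntry
    $denyOnly    = $sidInToken -and ($adminEntry.Attributes -match 'deny only')

    # View 2: local SAM membership right now. Get-LocalGroupMember may fail to resolve
    # some cloud identities, so the error is suppressed rather than aborting the check.
    $members   = Get-LocalGroupMember -SID $adminSid -ErrorAction SilentlyContinue
    $memberNow = $null -ne ($members | Where-Object { $_.SID.Value -eq $identity.User.Value })

    $diagnosis =
        if (-not $memberNow -and -not $sidInToken) { 'Not an administrator' }
        elseif ($memberNow -and -not $sidInToken)  { 'In Administrators, but this logon token predates the membership: sign out and back in (or reboot)' }
        elseif ($denyOnly)                          { 'Administrators SID present but UAC-filtered: only an elevated process has it enabled' }
        elseif (-not $memberNow -and $sidInToken)   { 'Membership removed, but this token still carries Administrators until the next logon' }
        else                                        { 'Effective administrator in this process' }

    [pscustomobject]@{
        User            = $identity.Name
        InLocalGroupNow = $memberNow
        SidInToken      = $sidInToken
        UacFiltered     = $denyOnly
        Diagnosis       = $diagnosis
    }
}

Get-AdminMembershipState
```

Run it from the same desktop session in which Make Me Admin reported success: InLocalGroupNow true with SidInToken false is the "works only after a reboot" case in the comment above, and the same token-snapshot behaviour is why rights granted this way persist in already-open sessions until logoff, which is worth keeping in mind when auditing temporary elevation.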