
GPO or reg-settings with security groups issue

Open IwistIT opened this issue 4 years ago • 14 comments

I am trying to regulate the use of this nice application with the GPOs / reg keys you set up for this. If I enter a user account or SID in the Allowed Entities, it works fine.

However, when an AD group or AD group SID is entered here, the users are not authorized to use the application. Can you help me with this?

Thanks in advance.

Willem

IwistIT avatar Feb 12 '21 17:02 IwistIT

Could you post a screenshot of your registry settings? If you don't want to post it publicly, send to my same user name at protonmail.com.

pseymour avatar Feb 13 '21 13:02 pseymour

Hi, I have the same experience. My registry settings on test workstation:

[screenshot of the registry settings]

Could you help us with it ?

Thank you.

Luckyson666 avatar Mar 03 '21 19:03 Luckyson666

Hi Luckyson666,

I have this experience only on Azure AD joined devices: the group does not work, but directly added users do. The group does work on domain-joined devices.

IwistIT avatar Mar 04 '21 19:03 IwistIT

Hi IwistIT, today I tried the same as yesterday: I created a new on-premises security group and updated the GPO with the new group name, and now it's working as expected. I don't understand the behaviour, because I did exactly the same as before; maybe some fault of mine "somewhere" :)

We are using a hybrid AD join environment and I thought that I would just easily add SinclairMakeMeAdmin.admx to Configuration profiles in Intune, but I was not able to create a functional OMA-URI for this custom admx in Intune. Did you succeed in deploying the Make Me Admin settings via Intune?

Luckyson666 avatar Mar 04 '21 20:03 Luckyson666

Yes, I did:

First you have to import the policy definition: [screenshot]

OMA-URI I used for import: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/MakeMeAdmin/Policy/SinClairMakeMeAdminAdmx

MakeMeAdminCSPDefinition.txt

After import you can find them in the registry:

[screenshot of the PolicyManager registry keys]

And then use these definitions to define the policy setting:

[screenshots of the Intune custom OMA-URI settings]

And so on for the other settings.

IwistIT avatar Mar 05 '21 10:03 IwistIT

Hi IwistIT, great, thank you, I'll try it and let you know here ;)

Luckyson666 avatar Mar 05 '21 15:03 Luckyson666

Hi IwistIT, your configuration works. And I see now the problem I had in my OMA-URI configuration. I tried to use the original admx file with the value:

[screenshot]

You changed it to:

[screenshot]

So thank you again ! ;)

Luckyson666 avatar Mar 08 '21 20:03 Luckyson666

Thanks for your feedback. It's great that the CSP is now working. You're welcome.

IwistIT avatar Mar 09 '21 20:03 IwistIT

I am really scratching my head here, trying to get the exact same thing to work using Intune against an AAD-joined device. I've tried the example above, replacing occurrences of <parentCategory ref="scc:SinclairRoot" /> and <parentCategory ref="makemeadmin:MakeMeAdmin" /> with <parentCategory ref="MakeMeAdmin" />; that didn't work, and I want it to work with the actual ADMX files so I understand the concept behind creating OMA-URIs.

Now bear with me here; this is the first time I am working with ADMX files and deploying them through Intune. There are two ADMX files:

  • SinclairBase.admx; https://github.com/pseymour/MakeMeAdmin/blob/master/Setup/GroupPolicy/SinclairBase.admx
  • SinclairMakeMeAdmin.admx; https://github.com/pseymour/MakeMeAdmin/blob/master/Setup/GroupPolicy/SinclairMakeMeAdmin.admx

In Intune:

===

Name: "MakeMeAdmin ADMX", which contains both of the below:

Name: SinclairBase
Description: <None>
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/MakeMeAdmin/Policy/SinclairBase
Data type: String
Value: <content of SinclairBase.admx>

Name: SinclairMakeMeAdmin
Description: <None>
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/MakeMeAdmin/Policy/SinclairMakeMeAdmin
Data type: String
Value: <content of SinclairMakeMeAdmin.admx>

As per the legend on how to construct an OMA-URI for an ADMX file (for ingestion):
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{AdmxFileName}
{AppName} = MakeMeAdmin
{SettingType} = Policy
{AdmxFileName} = SinclairBase OR SinclairMakeMeAdmin, depending on the ADMX

===

Name: "MakeMeAdmin Set Syslog-server"

Name: MakeMeAdmin ADMX - Set Syslog-server
Description: <None>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MakeMeAdmin~Policy~SinclairRoot~MakeMeAdmin/SyslogServers
Data type: String
Value:

<enabled/>
<data id="SyslogMultiText" value="127.0.0.1"/>

As per the legend for applying a property from an already imported ADMX file:
./Device/Vendor/MSFT/Policy/Config/{AppName}~{SettingType}~{CategoryPathFromADMX}/{SettingFromADMX}
{AppName} = MakeMeAdmin
{SettingType} = Policy
{CategoryPathFromADMX} = First, for "SyslogServers" I have a "parentCategory ref" of makemeadmin:MakeMeAdmin; then moving "up" I have a "parentCategory ref" of scc:SinclairRoot, so all together SinclairRoot~MakeMeAdmin
{SettingFromADMX} = SyslogServers

My reference has been this: https://www.petervanderwoude.nl/post/deep-dive-ingesting-third-party-admx-files/

I have probably misunderstood something and would be grateful if someone explained what I've done wrong; I guess I've nested the hierarchy of the parentCategories the wrong way.

  <categories>
    <category name="MakeMeAdmin" displayName="$(string.MakeMeAdminDisplayName)" explainText="$(string.MakeMeAdminExplainText)">
      <parentCategory ref="scc:SinclairRoot" />
    </category>
  </categories>

^ Above exists in "SinclairMakeMeAdmin.admx" and its parent (scc:SinclairRoot);

  <categories>
    <category name="SinclairRoot" displayName="$(string.SinclairRoot)" explainText="$(string.SinclairRoot_Help)" />
  </categories>

^ does in turn exist in "SinclairBase.admx" so the OMA-URI should be; ./Device/Vendor/MSFT/Policy/Config/MakeMeAdmin~Policy~SinclairRoot~MakeMeAdmin/SyslogServers ?

Update:

Got it working. Used this file: https://github.com/pseymour/MakeMeAdmin/blob/master/Setup/GroupPolicy/SinclairMakeMeAdmin.admx, replaced all occurrences of <parentCategory ref="makemeadmin:MakeMeAdmin" /> with <parentCategory ref="MakeMeAdmin" /> and used that for "Value"; for "Data type" I selected "String". For "OMA-URI" I used:
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/MakeMeAdmin/Policy/SinclairMakeMeAdminADMX

I then used this:
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MakeMeAdmin~Policy~MakeMeAdmin/SyslogServers
Data type: String
Value: <enabled/><data id="SyslogMultiText" value="192.168.10.186"/>
^ Mocked against a local Syslog server

What I had a problem with is that it did not ingest the ADMX when I tried; I did see it in regedit under
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\
but not under
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\
When it worked, I found my "SyslogServers" policy / key under:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Sinclair Community College\Make Me Admin\

For those who might be interested: <parentCategory ref="makemeadmin:MakeMeAdmin" /> ^ p. 27 (Referencing Windows category elements) here: https://www.microsoft.com/en-us/download/details.aspx?id=7101

CloudViking86 avatar May 03 '21 20:05 CloudViking86
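The OMA-URI derivation CloudViking86 works through above (and the ADMX import IwistIT posted earlier in the thread), as an added example that is not part of MakeMeAdmin or of any post here: a small Python script that parses an ADMX file, walks each policy's parentCategory chain to build the {AppName}~{SettingType}~{Category} path for ./Device/Vendor/MSFT/Policy/Config/, and flags a chain that leaves the file through a <using> namespace prefix, which is exactly the scc:SinclairRoot case. The embedded ADMX is a constructed, trimmed stand-in for SinclairMakeMeAdmin.admx: the namespace strings and the multiText valueName are assumptions, while the category names, the SyslogMultiText element id and the registry key are the ones the thread shows. flatten_external_parents applies the thread's workaround of dropping the external parentCategory so that the category becomes the root of the file.

```python
"""Derive Intune OMA-URIs from a third-party ADMX and detect parentCategory chains
that leave the file. Added example, not MakeMeAdmin code."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ADMX_NS = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
NS = {"pd": ADMX_NS}
ET.register_namespace("", ADMX_NS)  # keep the default namespace when re-serialising

# Constructed stand-in for SinclairMakeMeAdmin.admx (trimmed). Namespace strings and the
# multiText valueName are assumptions; category names, the SyslogMultiText id and the
# registry key are the ones the thread shows.
SAMPLE_ADMX = r"""<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="makemeadmin" namespace="SinclairCommunityCollege.Policies.MakeMeAdmin" />
    <using prefix="scc" namespace="SinclairCommunityCollege.Policies" />
  </policyNamespaces>
  <categories>
    <category name="MakeMeAdmin" displayName="$(string.MakeMeAdminDisplayName)">
      <parentCategory ref="scc:SinclairRoot" />
    </category>
  </categories>
  <policies>
    <policy name="SyslogServers" class="Machine" key="SOFTWARE\Sinclair Community College\Make Me Admin">
      <parentCategory ref="makemeadmin:MakeMeAdmin" />
      <elements>
        <multiText id="SyslogMultiText" valueName="Syslog Servers" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>
"""


def _split_ref(ref):
    """'scc:SinclairRoot' -> ('scc', 'SinclairRoot'); 'MakeMeAdmin' -> (None, 'MakeMeAdmin')."""
    prefix, sep, name = ref.partition(":")
    return (prefix, name) if sep else (None, prefix)


def _namespaces(root):
    """(this file's target prefix, set of prefixes that point at other ADMX files)."""
    target = root.find("pd:policyNamespaces/pd:target", NS).get("prefix")
    external = {u.get("prefix") for u in root.findall("pd:policyNamespaces/pd:using", NS)}
    return target, external


def _parent_ref(elem):
    pc = elem.find("pd:parentCategory", NS)
    return None if pc is None else pc.get("ref")


def category_path(start_ref, root):
    """Walk parentCategory refs up to the root category.
    Returns (path, external_ref): path is root-first; external_ref is the first ref that
    points into another ADMX file via a <using> prefix, or None if the chain stays in file."""
    target, external = _namespaces(root)
    cats = {c.get("name"): _parent_ref(c) for c in root.findall("pd:categories/pd:category", NS)}
    path, ref = [], start_ref
    while ref is not None:
        prefix, name = _split_ref(ref)
        if prefix in external:
            return list(reversed(path)), ref
        if prefix not in (None, target) or name not in cats:
            raise ValueError(f"unresolvable category reference {ref!r}")
        path.append(name)
        ref = cats[name]
    return list(reversed(path)), None


def ingest_uri(app, admx_file_name, setting_type="Policy"):
    return f"./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{app}/{setting_type}/{admx_file_name}"


def config_uri(app, path, policy_name, setting_type="Policy"):
    return "./Device/Vendor/MSFT/Policy/Config/" + "~".join([app, setting_type, *path]) + "/" + policy_name


def _attr(value):
    return escape(value, {'"': "&quot;"})


def policy_payload(values):
    """Value string for a Policy/Config setting: <enabled/> plus one <data/> per element id."""
    return "<enabled/>" + "".join(f'<data id="{i}" value="{_attr(v)}"/>' for i, v in values.items())


def derive(admx_text, app, admx_file_name):
    root = ET.fromstring(admx_text)
    result = {"ingest_uri": ingest_uri(app, admx_file_name), "policies": {}}
    for pol in root.findall("pd:policies/pd:policy", NS):
        name = pol.get("name")
        path, ext = category_path(_parent_ref(pol), root)
        # Intune sees only this one file, so a chain that leaves it yields no usable path.
        result["policies"][name] = {"external_parent": ext,
                                    "config_uri": None if ext else config_uri(app, path, name)}
    return result


def flatten_external_parents(admx_text):
    """Thread workaround: drop parentCategory refs into other ADMX files so the
    category becomes this file's root. Returns the rewritten ADMX text."""
    root = ET.fromstring(admx_text)
    _, external = _namespaces(root)
    for cat in root.findall("pd:categories/pd:category", NS):
        pc = cat.find("pd:parentCategory", NS)
        if pc is not None and _split_ref(pc.get("ref"))[0] in external:
            cat.remove(pc)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = derive(SAMPLE_ADMX, "MakeMeAdmin", "SinclairMakeMeAdmin")
    after = derive(flatten_external_parents(SAMPLE_ADMX), "MakeMeAdmin", "SinclairMakeMeAdmin")
    print(before["ingest_uri"])
    print("as shipped:", before["policies"]["SyslogServers"])
    print("flattened :", after["policies"]["SyslogServers"])
    print(policy_payload({"SyslogMultiText": "192.168.10.186"}))
```

Whether Intune can follow a parentCategory into a second ingested ADMX is not something the thread settles; both working configurations posted here avoided it, so the script reports an external parent as unresolved instead of guessing a SinclairRoot~MakeMeAdmin path. Running the script against the real SinclairMakeMeAdmin.admx will only work if that file's policyNamespaces follow the same target/using shape assumed here.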

@IwistIT Did you manage to get Azure AD joined devices to work with an Azure AD Security Group in "Allowed Entities" ?

leggo2 avatar Jun 22 '22 07:06 leggo2

Has anyone resolved this? Maybe with an example for allowed entities and Intune? I tried the script from Oliver to convert an Azure AD group ID to a SID and set it in the ADMX entry, but it didn't work.

The user and the devices are Azure AD joined (cloud environment).

salihzett avatar Aug 23 '22 19:08 salihzett
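The object-ID-to-SID conversion salihzett mentions, as an added example that is not from the thread or from the project. Windows represents Entra ID (Azure AD) users and groups with SIDs under identifier authority 12, S-1-12-1-a-b-c-d, where the four sub-authorities are the 16 bytes of the object's GUID, in .NET Guid.ToByteArray() order (first three fields little-endian), each read as a little-endian unsigned 32-bit integer. The GUID used below is a constructed sample value. The thread reports that writing such a group SID into Allowed Entities did not make group authorisation work on Azure AD joined devices, so this shows only how the conversion itself is done and how to recognise a cloud SID in a registry value.

```python
"""Azure AD / Entra ID object ID <-> Windows SID (S-1-12-1-...) conversion.
Added example, not MakeMeAdmin code."""
import re
import struct
import uuid

CLOUD_SID_PREFIX = "S-1-12-1"  # identifier authority 12 = Entra ID (Azure AD), first RID 1
_CLOUD_SID_RE = re.compile(r"^S-1-12-1(?:-\d{1,10}){4}$")


def object_id_to_sid(object_id: str) -> str:
    """GUID -> S-1-12-1-a-b-c-d. uuid.bytes_le has the same layout as .NET
    Guid.ToByteArray(): the first three GUID fields little-endian, the last 8 bytes as written."""
    raw = uuid.UUID(object_id).bytes_le
    sub_authorities = struct.unpack("<4I", raw)  # four little-endian uint32 values
    return "-".join([CLOUD_SID_PREFIX, *map(str, sub_authorities)])


def sid_to_object_id(sid: str) -> str:
    """Inverse mapping; rejects anything that is not a four-sub-authority S-1-12-1 SID."""
    if not _CLOUD_SID_RE.match(sid):
        raise ValueError(f"not an Azure AD SID: {sid!r}")
    values = [int(p) for p in sid.split("-")[4:]]
    if any(v > 0xFFFFFFFF for v in values):
        raise ValueError(f"sub-authority out of range in {sid!r}")
    return str(uuid.UUID(bytes_le=struct.pack("<4I", *values)))


def is_cloud_sid(value: str) -> bool:
    """True for an Entra ID SID, False for on-premises (S-1-5-21-...) or built-in SIDs and names."""
    return bool(_CLOUD_SID_RE.match(value))


if __name__ == "__main__":
    sample_object_id = "73d664e4-0886-4a73-b745-c694da45ddb4"  # constructed sample GUID
    sid = object_id_to_sid(sample_object_id)
    print(sample_object_id, "->", sid)
    print(sid, "->", sid_to_object_id(sid))
    for v in (sid, "S-1-5-21-1111111111-2222222222-3333333333-1001", "S-1-5-32-544"):
        print(v, "cloud SID" if is_cloud_sid(v) else "not a cloud SID")
```

The round trip is lossless because the mapping is a pure byte reordering, so a SID copied out of the registry can be turned back into the object ID and checked against the group in the Entra portal. An on-premises group's SID (S-1-5-21-...) cannot be derived from an object ID; it comes from the domain, which is why the two kinds of group behave differently in the thread.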

Hello @pseymour, I need your help with Make Me Admin. I've followed the steps outlined, but I'm having trouble with the allowed entities settings. I've already deployed the OMA-URI settings in Intune, but every time I grant myself admin access, it doesn't seem to work. Although I receive a notification that I have admin access, I still can't perform admin tasks.

I received an error in Intune regarding my OMA-URI settings. [screenshot]

pakbaetz avatar Nov 24 '23 03:11 pakbaetz

Does your account end up in the Administrators group?


pseymour avatar Nov 24 '23 03:11 pseymour

Yup, it was added to the admin group @pseymour, but after that I'm still not having admin access. After I granted my device admin access in the Make Me Admin app, I tried to run the command prompt as admin, but it did not work. The admin access only works if I reboot the device.

pakbaetz avatar Nov 28 '23 03:11 pakbaetz