CleanUpLocalAdministratorsGroup (Optional)

If the ReACL profile is configured to process local users and groups, the ReACL process adds the target user's Microsoft Entra ID account to the local Administrators group whenever the source user is a member of that group. If target security policy does not permit this, remove the target user accounts from the local Administrators group before migration; local group membership can then be managed from the target Intune environment after migration.

This script locates the local Administrators group by its well-known SID (S-1-5-32-544), so it still works if the group has been renamed, and removes every member whose domain portion is AzureAD, which is how Windows presents Microsoft Entra ID accounts in local group membership (AzureAD\<user principal name>). Note that this removes all Microsoft Entra ID accounts from the group, not only the migrated target user, so confirm that no Entra ID account required by target policy is a local administrator before running it. Optionally, the script can also remove members that no longer resolve to an account name (orphaned SIDs); this is disabled by default and is controlled by the $CleanUnresolvedSIDS variable at the top of the script. Unresolved SIDs beginning with S-1-12-1 belong to Microsoft Entra ID objects and are left in place.

CleanUp Local Administrators Group.txt

Param (
)
 
$output = New-Object BinaryTree.ADM.Agent.PSHelpers.PSOutput    
 
# Set to $true to also remove members that no longer resolve to an account name (orphaned SIDs)
$CleanUnresolvedSIDS = $false
If($CleanUnresolvedSIDS -eq $true){Write-Output "Clean up of unresolved SIDs is Enabled"}
Else{Write-Output "Clean up of unresolved SIDs is Disabled"}
 
 
### Get Local Administrators Group by its well-known SID, so a renamed group is still found
$Get_Local_AdminGroup = Get-WmiObject win32_group -Filter "Domain='$env:computername' and SID='S-1-5-32-544'"
$Get_Local_AdminGroup_Name = $Get_Local_AdminGroup.Name
If(-not $Get_Local_AdminGroup_Name){
    Write-Output "Local Administrators group (S-1-5-32-544) was not found - nothing to do"
    return ($output)
}
Write-Output "Administrators group name is: $($Get_Local_AdminGroup_Name)"
 
## Get Local Administrators group members via the WinNT ADSI provider
## (Get-LocalGroupMember can fail when the group contains Microsoft Entra ID accounts or orphaned SIDs)
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$($Get_Local_AdminGroup_Name),group"
$admins = @($group.Invoke('Members') | ForEach-Object {
    # Member paths look like WinNT://AzureAD/<upn>, WinNT://<DOMAIN>/<name>, WinNT://<COMPUTER>/<name>,
    # or WinNT://S-1-... for a SID that no longer resolves to an account name
    $path = ([ADSI]$_).Path
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Domain   = Split-Path (Split-Path $path) -Leaf
        User     = Split-Path $path -Leaf
    }
})
 
### Filter for AzureAD accounts only (the domain portion Windows shows for Microsoft Entra ID accounts) - ignore all other members

Write-Output "Removing AzureAD Users from Local Administrators Group"
foreach($admin in $admins){
   If($admin.Domain -eq "AzureAD"){
     Write-Output "  Removing AzureAD User: $($admin.User)"
     Try{
         # -ErrorAction Stop turns a failed removal into a terminating error so the Catch block actually runs
         Remove-LocalGroupMember -Group $Get_Local_AdminGroup_Name -Member "$($admin.Domain)\$($admin.User)" -ErrorAction Stop
         }
     Catch{
          Write-Output "Error occurred removing $($admin.User) from $($Get_Local_AdminGroup_Name) group: $($_.Exception.Message)"
          }
   }
}
 
### OPTIONAL: Clean up unresolved SIDs - controlled by the $CleanUnresolvedSIDS variable ($True=Enabled, $False=Disabled)

If($CleanUnresolvedSIDS -eq $True){
    Write-Output "Removing unresolved SIDs from Group"
    foreach($admin in $admins){
        Write-Output "  Checking member: $($admin.Domain)\$($admin.User)"
        #### SIDs starting with S-1-12-1 are Microsoft Entra ID objects that merely could not be resolved - leave them in place
        If($admin.User.StartsWith('S-1-12-1')){
            Write-Output "  AzureAD object found - ignoring unresolved SID $($admin.User)"
            Continue
        }
        #### Any other member with no domain portion whose name is a bare SID no longer resolves to an account
        ElseIf($admin.Domain -like "WinNT:*" -and $admin.User -match '^S-1-\d+(-\d+)+$'){
            Write-Output "  Removing unresolved SID: $($admin.User) from $($Get_Local_AdminGroup_Name)"
            Try{
                Remove-LocalGroupMember -Group $Get_Local_AdminGroup_Name -Member $admin.User -ErrorAction Stop
                }
            Catch{
                 Write-Output "Error occurred removing $($admin.User) from $($Get_Local_AdminGroup_Name) group: $($_.Exception.Message)"
                 }
        }
   }
}
 
 
return ($output)
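The following is an added example and is not part of the script above or of the product. It is a read-only report that classifies every member of the local Administrators group the same way the cleanup script does (by the domain portion of its WinNT path) and marks what the script would remove, so the result can be reviewed before the cleanup runs and checked again afterwards. It assumes Windows PowerShell on a device where the caller can read local group membership; the function name Get-LocalAdminMemberReport, its -IncludeUnresolvedSIDs switch and the Kind labels are this example's own.

```powershell
# Added example (not part of the Quest script above): read-only pre-flight / verification report
# for the local Administrators group. Function and property names are this example's own.

function Get-LocalAdminMemberReport {
    [CmdletBinding()]
    param(
        # Mirrors the script's $CleanUnresolvedSIDS toggle: also flag orphaned (non-Entra) SIDs
        [switch]$IncludeUnresolvedSIDs
    )

    # Locate the group by well-known SID, so a renamed Administrators group is still found
    $adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

    # Enumerate via the WinNT provider; Get-LocalGroupMember can fail when the group
    # holds Entra ID accounts or orphaned SIDs
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$($adminGroup.Name),group"

    foreach ($member in @($group.Invoke('Members'))) {
        $path   = ([ADSI]$member).Path      # e.g. WinNT://AzureAD/<upn>, WinNT://S-1-5-21-...
        $user   = Split-Path $path -Leaf
        $domain = Split-Path (Split-Path $path) -Leaf
        $isSid  = $user -match '^S-1-\d+(-\d+)+$'

        $kind = if ($domain -eq 'AzureAD') { 'EntraIdAccount' }
                elseif ($isSid -and $user.StartsWith('S-1-12-1')) { 'EntraIdUnresolvedSid' }
                elseif ($isSid) { 'UnresolvedSid' }
                elseif ($domain -eq $env:COMPUTERNAME) { 'LocalAccount' }
                else { 'DomainAccount' }

        # Same decision the cleanup script makes: all Entra ID accounts, plus orphaned
        # non-Entra SIDs when unresolved-SID cleanup is enabled
        $wouldRemove = ($kind -eq 'EntraIdAccount') -or
                       ($IncludeUnresolvedSIDs -and $kind -eq 'UnresolvedSid')

        [pscustomobject]@{
            Group       = $adminGroup.Name
            Member      = "$domain\$user"
            Kind        = $kind
            WouldRemove = $wouldRemove
        }
    }
}

# Pre-flight: review exactly which members the cleanup would touch
Get-LocalAdminMemberReport -IncludeUnresolvedSIDs | Format-Table -AutoSize

# Post-run verification: warn if any Entra ID account is still a local administrator
$remaining = @(Get-LocalAdminMemberReport | Where-Object Kind -eq 'EntraIdAccount')
if ($remaining.Count -gt 0) {
    Write-Warning "Entra ID accounts still in $($remaining[0].Group): $($remaining.Member -join ', ')"
}
```

Run the pre-flight report on a pilot device before enabling the script in the migration profile: any member reported as EntraIdAccount that the target tenant expects to keep as a local administrator must be re-added through Intune after migration, because the cleanup does not distinguish the migrated user from other Microsoft Entra ID accounts.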