How to manage the local administrators group on Azure AD joined devices

To manage a Windows device, you need to be a member of the local administrators group. As part of the Azure Active Directory (Azure AD) join process, Azure AD updates the membership of this group on the device. You can customize the membership update to satisfy your business requirements. A membership update is helpful, for example, if you want to enable your helpdesk staff to do tasks that require administrator rights on a device.

This article explains how the local administrators membership update works and how you can customize it during an Azure AD join. The content of this article doesn't apply to hybrid Azure AD joined devices.

How it works

When you connect a Windows device to Azure AD using an Azure AD join, Azure AD adds the following security principals to the local administrators group on the device:

  • The Azure AD global administrator role
  • The Azure AD device administrator role
  • The user performing the Azure AD join

By adding Azure AD roles to the local administrators group, you can update the users that can manage a device at any time in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD device administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to global administrators, you can also enable users who have only been assigned the device administrator role to manage a device.

Manage the global administrators role

To view and update the membership of the global administrator role, see:

Manage the device administrator role

In the Azure portal, you can manage the device administrator role on the Devices page. To open the Devices page:

  1. Sign in to the Azure portal as a global administrator.
  2. Search for and select Azure Active Directory.
  3. In the Manage section, click Devices.
  4. On the Devices page, click Device settings.

To modify the device administrator role, configure Additional local administrators on Azure AD joined devices.



This option requires an Azure AD Premium tenant.

Device administrators are assigned to all Azure AD joined devices. You cannot scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed in, the privilege elevation takes place only when both of the following have happened:

  • Up to 4 hours have passed, so that Azure AD has issued a new Primary Refresh Token (PRT) with the appropriate privileges.
  • The user signs out and signs back in (a lock/unlock is not enough) to refresh their logon token and profile.


The above conditions do not apply to users who have not signed in to the relevant device before. In that case, the administrator privileges are applied immediately after their first sign-in to the device.
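Because the elevation (and, as described later, the revocation) depends on a refreshed PRT and a fresh logon token, a practitioner usually wants a quick way to see whether the change has taken effect for the currently signed-in user. The following PowerShell is an added example, not code from the original article: it reads the PRT state from `dsregcmd /status` and checks whether the current logon token contains BUILTIN\Administrators. It assumes the `AzureAdJoined`, `AzureAdPrt` and `AzureAdPrtUpdateTime` field names as printed by `dsregcmd` on Windows 10; treat those names as assumptions and adjust if your build prints them differently.

```powershell
# Added example (not from the original article): check whether a device
# administrator change is already reflected for the signed-in user.
# Assumption: 'dsregcmd /status' prints lines of the form "<Field> : <Value>",
# including AzureAdJoined, AzureAdPrt and AzureAdPrtUpdateTime.

function Get-DsregField {
    param([string[]]$StatusText, [string]$Name)
    # Lines look like "   AzureAdPrt : YES"; return the value after the colon.
    $pattern = "^\s*$([regex]::Escape($Name))\s*:\s*(.+)$"
    foreach ($line in $StatusText) {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
    return $null
}

function Get-LocalAdminTokenState {
    $status = dsregcmd /status

    # The logon token decides local admin rights until the next sign-in.
    # S-1-5-32-544 is BUILTIN\Administrators; 'whoami /groups' lists it even when
    # UAC marks it "Group used for deny only" in a non-elevated shell.
    $tokenHasAdmin = @((whoami /groups) -match 'S-1-5-32-544').Count -gt 0

    [pscustomobject]@{
        AzureAdJoined          = Get-DsregField -StatusText $status -Name 'AzureAdJoined'
        AzureAdPrt             = Get-DsregField -StatusText $status -Name 'AzureAdPrt'
        # When the PRT was last renewed; a role change made after this time has
        # not reached the device yet (the article allows up to 4 hours).
        AzureAdPrtUpdateTime   = Get-DsregField -StatusText $status -Name 'AzureAdPrtUpdateTime'
        TokenHasAdministrators = $tokenHasAdmin
        SignedInUser           = whoami
    }
}

Get-LocalAdminTokenState | Format-List
```

Run it as the affected user (no elevation needed). If `AzureAdPrtUpdateTime` predates the role change, wait for the PRT renewal; if it is recent but `TokenHasAdministrators` is still false, the user has not signed out and back in since the renewal.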

Manage administrator privileges using Azure AD groups (preview)

Starting with Windows 10 version 2004, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the Restricted Groups MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, giving you the granularity to configure distinct administrators for different groups of devices.


Starting with the Windows 10 20H2 update, we recommend using the Local Users and Groups policy instead of the Restricted Groups policy.

Currently, there's no UI in Intune to manage these policies; they need to be configured using Custom OMA-URI settings. A few considerations for using either of these policies:

  • Adding Azure AD groups through the policy requires the group's SID, which can be obtained by querying the Microsoft Graph API for Groups. The SID is returned in the securityIdentifier property of the API response.
  • When the Restricted Groups policy is enforced, any current member of the group that is not on the Members list is removed. Enforcing this policy with only new members or groups therefore removes the existing administrators from the device, namely the user who joined the device, the Device administrator role and the Global administrator role. To avoid removing existing members, you need to include them in the Members list of the Restricted Groups policy. This limitation is addressed by the Local Users and Groups policy, which allows incremental updates to group membership.
  • Administrator privileges using both policies are evaluated only for the following well-known groups on a Windows 10 device: Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users.
  • Managing local administrators using Azure AD groups is not applicable to hybrid Azure AD joined or Azure AD registered devices.
  • While the Restricted Groups policy existed prior to Windows 10 version 2004, it did not support Azure AD groups as members of a device's local administrators group.
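The two policies differ in exactly the way the second consideration warns about: Restricted Groups replaces the membership list, Local Users and Groups can add and remove incrementally. The PowerShell below is an added example, not code from the original article or from Microsoft: it resolves a group's SID from the Graph `securityIdentifier` property and builds the XML payload for each policy so the difference is visible side by side. Assumptions to check before deploying: the OMA-URI paths and XML element names follow the Policy CSP reference for `LocalUsersAndGroups/Configure` and `RestrictedGroups/ConfigureGroupMembership` as the author understands them; the Graph call needs a bearer token with permission to read groups; the group object ID and the `S-1-12-1-…` SIDs used as sample input are constructed placeholders, not real values.

```powershell
# Added example (not from the original article): build the Custom OMA-URI
# payloads for the two policies and show why Restricted Groups needs the full list.
# Assumptions: OMA-URI paths and XML shapes per the Policy CSP docs (verify them);
# $token is a Graph bearer token obtained elsewhere; all SIDs below are constructed.

function Get-AadGroupSid {
    param(
        [Parameter(Mandatory)][string]$GroupObjectId,
        [Parameter(Mandatory)][string]$AccessToken
    )
    # Graph exposes the SID that Windows uses for a security group as 'securityIdentifier'.
    $uri = "https://graph.microsoft.com/v1.0/groups/$GroupObjectId" + '?$select=id,displayName,securityIdentifier'
    $g = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
    if (-not $g.securityIdentifier) { throw "Group $GroupObjectId has no securityIdentifier (not a security group?)" }
    return $g.securityIdentifier
}

function New-LocalUsersAndGroupsPolicy {
    # Incremental update (action="U"): existing members such as the joining user and
    # the Global/Device administrator role SIDs are left in place.
    param([string[]]$AddSids, [string[]]$RemoveSids = @(), [string]$Group = 'Administrators')
    $add    = ($AddSids    | ForEach-Object { "        <add member = `"$_`"/>" })    -join "`n"
    $remove = ($RemoveSids | ForEach-Object { "        <remove member = `"$_`"/>" }) -join "`n"
    @"
<GroupConfiguration>
    <accessgroup desc = "$Group">
        <group action = "U" />
$add
$remove
    </accessgroup>
</GroupConfiguration>
"@
}

function New-RestrictedGroupsPolicy {
    # Restricted Groups REPLACES membership: any principal not listed here
    # (including the Azure AD role SIDs) is removed, so pass the complete list.
    param([Parameter(Mandatory)][string[]]$Members, [string]$Group = 'Administrators')
    $m = ($Members | ForEach-Object { "        <member name = `"$_`"/>" }) -join "`n"
    @"
<groupmembership>
    <accessgroup desc = "$Group">
$m
    </accessgroup>
</groupmembership>
"@
}

$omaUriLocalUsersAndGroups = './Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure'
$omaUriRestrictedGroups    = './Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership'

# Live lookup (requires a token):  $helpdeskSid = Get-AadGroupSid -GroupObjectId '<group-object-id>' -AccessToken $token
# Constructed placeholder SID so the rest of the example runs offline:
$helpdeskSid = 'S-1-12-1-1111111111-2222222222-3333333333-4444444444'

Write-Host "OMA-URI: $omaUriLocalUsersAndGroups"
New-LocalUsersAndGroupsPolicy -AddSids $helpdeskSid

# For Restricted Groups, first capture the current members on a reference device
# (net localgroup administrators) and include every one of them, or they are removed.
$existingMembers = @('Administrator', '<joining-user>', '<global-admin-role-sid>', '<device-admin-role-sid>')  # placeholders
Write-Host "OMA-URI: $omaUriRestrictedGroups"
New-RestrictedGroupsPolicy -Members ($existingMembers + $helpdeskSid)
```

Paste the generated XML as the String value of a Custom OMA-URI setting in Intune. The incremental form is the safer default; reach for the Restricted Groups form only on builds before 20H2, and only with the existing members captured first.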

Manage regular users

By default, Azure AD adds the user performing the Azure AD join to the administrators group on the device. If you want to prevent regular users from becoming local administrators, you have the following options:

  • Windows Autopilot - Windows Autopilot provides an option to prevent the primary user performing the join from becoming a local administrator. You can accomplish this by creating an Autopilot profile.
  • Bulk enrollment - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Users signing in after the device has been joined are not added to the administrators group.

Manually elevate a user on a device

In addition to using the Azure AD join process, you can also manually elevate a regular user to become a local administrator on one specific device. This step requires you to already be a member of the local administrators group.

Starting with the Windows 10 1709 release, you can perform this task from Settings -> Accounts -> Other users. Select Add a work or school user, enter the user's UPN under User account and select Administrator under Account type.

Additionally, you can add users using the command prompt:

  • If your tenant users are synchronized from on-premises Active Directory, use net localgroup administrators /add "Contoso\username".
  • If your tenant users are created in Azure AD, use net localgroup administrators /add "AzureAD\UserUpn".
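The two `net localgroup` forms above are easy to get wrong in scripts (wrong prefix for the account type, adding a user twice, running on a device that is not Azure AD joined). The PowerShell below is an added example, not code from the original article: it wraps the command in an idempotent function that checks the join state with `dsregcmd /status`, picks the principal form from whether the account is cloud-only or synced, and verifies the result by reading the group back. It assumes `dsregcmd /status` prints an `AzureAdJoined : YES` line and that `net localgroup` lists members between the dashed separator and the "The command completed successfully." line; the account names in the usage lines are constructed.

```powershell
# Added example (not from the original article): idempotently add a user to the
# local Administrators group on an Azure AD joined device.
# Run from an elevated PowerShell as an existing local administrator.
# Assumptions: dsregcmd prints "AzureAdJoined : YES"; net localgroup output lists
# members between a '----' line and "The command completed successfully."

function Get-LocalAdministratorsViaNet {
    # Parse 'net localgroup administrators' rather than Get-LocalGroupMember, which can
    # fail to resolve Azure AD principals on some builds. Role entries show as S-1-12-1-... SIDs.
    $members = @(); $inList = $false
    foreach ($line in (net localgroup administrators)) {
        if ($line -like '----*') { $inList = $true; continue }
        if ($inList -and $line -and $line -notlike 'The command completed*') { $members += $line.Trim() }
    }
    return $members
}

function Add-LocalAdministrator {
    param(
        # Cloud-only account: the UPN, addressed as AzureAD\<UPN>.
        [string]$UserPrincipalName,
        # Account synced from on-premises AD: Domain\sAMAccountName, e.g. Contoso\username.
        [string]$OnPremAccount
    )
    if (-not ($UserPrincipalName -xor $OnPremAccount)) {
        throw 'Specify exactly one of -UserPrincipalName (cloud-only) or -OnPremAccount (synced).'
    }
    $status = dsregcmd /status
    if (-not ($status -match '^\s*AzureAdJoined\s*:\s*YES')) {
        throw 'This device is not Azure AD joined; this procedure does not apply.'
    }

    $principal = if ($OnPremAccount) { $OnPremAccount } else { "AzureAD\$UserPrincipalName" }

    if (Get-LocalAdministratorsViaNet | Where-Object { $_ -ieq $principal }) {
        Write-Host "$principal is already a member of Administrators."
        return $principal
    }

    $output = net localgroup administrators /add "$principal" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed for '$principal': $output" }

    if (-not (Get-LocalAdministratorsViaNet | Where-Object { $_ -ieq $principal })) {
        throw "Added '$principal' but it does not appear in the group; check the account name."
    }
    Write-Host "Added $principal to Administrators. The user must sign out and sign back in for the new token to carry the privilege."
    return $principal
}

# Usage (constructed account names):
# Add-LocalAdministrator -UserPrincipalName 'helpdesk@contoso.com'   # created in Azure AD
# Add-LocalAdministrator -OnPremAccount 'Contoso\jdoe'               # synced from on-premises AD
```

Note that the group change, like the role-based one, is only picked up by the user's next logon token, so the sign-out/sign-in step still applies.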


You cannot assign groups to the device administrator role; only individual users are allowed.

Device administrators are assigned to all Azure AD joined devices. They can't be scoped to a specific set of devices.

When you remove users from the device administrator role, they still have local administrator privileges on a device as long as they remain signed in to it. The privilege is revoked during their next sign-in once a new primary refresh token has been issued. Like the privilege elevation, this revocation can take up to 4 hours.

Next steps