We have added the URI in Intune to create a user and add it to the local administrators group along with a defined password (AAD-joined device).
But the new user account is set to change its password at first login. Is there some setting so that the password does not have to be changed?
Is there a workaround for this as yet? Been quite a while and still not working
I am also experiencing this issue. Any updates or ways to prevent this?
This issue does not seem to occur when using a less complex password. I reduced password length from 24 to 10 chars and removed the special character. The account now no longer gets a 'change-at-next-logon' flag.
Hello, @SandiP538 thank you for providing feedback.
Note that the feedback section below documentation is intended for product documentation issues only.
Thus, please consider opening a product support ticket via the link below for your problem so that it gets resolved quickly.
You might also keep us informed about the resolution of your ticket so that we can ensure this documentation is up to date with relevant information.
@AndreaBarr Recommended closure
Ok... So I figured it out. And as per usual it's a stupid fix. Feel free to follow the below steps to resolve your admin creation issues via Intune custom CSP policy, but make sure to do them in order or it will fail again.
Existing Devices with Local Admins still:
1) Assigning the “Create Local User” Custom Intune CSP Profile will create the user “LocalUser” account
a) See the following link for MS details. https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts
b) Create user account Settings
i) Name:
ii) Description:
iii) OMA-URI: ./Device/Vendor/MSFT/Accounts/Users/
iv) DataType: Integer
v) Value: 1 (1 sets as user, 2 sets as Admin)
c) Create user password settings
i) Name:
ii) Description:
iii) OMA-URI: ./Device/Vendor/MSFT/Accounts/Users//
iv) DataType: String
v) Value:
2) After the account has been created, assign the “Restrict Local Admins” Custom Intune CSP Profile to restrict the local administrators on all assigned devices to only those listed in the profile.
a) Issue [2] If a user is listed in the profile that does not exist, the profile will fail to apply.
b) Issue [3] If you enable both profiles at once, “User must change password at next logon” will be enabled on the account. This will stop the user from being able to use this account to elevate administrator privileges because the "User must change password on next logon" flag will be checked.
c) See the following link for MS details: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-restrictedgroups
d) How to build the profile:
i) Name:
ii) Description:
iii) OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
iv) DataType: String
v) Value:
Note: Applying the restriction will grant admin rights to user profiles that do not have it, or strip admin rights from those with it that are not listed. If you list an account that doesn't exist, the policy will just fail.
3) After the user resets the device, the ability to elevate using the newly made accounts will be possible
Hope that helped, even if it was long.
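The procedure above depends on ordering, and the symptom it avoids (the "User must change password at next logon" flag) is not visible in the Intune console. The following script is an added example, not code from the thread or from Microsoft's documentation, for verifying on a device that the account created by the Accounts CSP profile exists, is enabled, is actually a member of the local Administrators group after the RestrictedGroups profile applies, and does not carry the must-change flag. It assumes the account name `LocalUser` from the steps above (adjust `$AccountName`), and it reads the flag through the WinNT ADSI provider's `PasswordExpired` property, since `Get-LocalUser` does not expose it. Run it in an elevated PowerShell session on the target device.

```powershell
# Added example (not from the original thread): audit the local account that the
# Intune Accounts CSP profile created and report whether the
# "User must change password at next logon" flag ended up set, plus whether the
# account is currently in the local Administrators group.
# 'LocalUser' is the account name used in the thread; adjust as needed.
param(
    [string]$AccountName = 'LocalUser',
    # Optional remediation: clear the must-change flag if it was set by the
    # profile ordering problem described in the thread.
    [switch]$ClearFlag
)

function Get-LocalAccountState {
    param([Parameter(Mandatory)][string]$Name)

    # Throws if the Accounts CSP profile never created the account.
    $local = Get-LocalUser -Name $Name -ErrorAction Stop

    # Get-LocalUser does not surface the must-change-at-next-logon flag;
    # the WinNT ADSI provider exposes it as PasswordExpired (1 = flag set).
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $mustChange = ([int]$adsi.PasswordExpired.Value) -eq 1

    # Membership is reported as COMPUTERNAME\Name by Get-LocalGroupMember.
    $adminEntry = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $_.Name -like "*\$Name" }

    [pscustomobject]@{
        Name                  = $local.Name
        Enabled               = $local.Enabled
        PasswordLastSet       = $local.PasswordLastSet
        MustChangeAtNextLogon = $mustChange
        IsLocalAdministrator  = [bool]$adminEntry
    }
}

function Clear-MustChangeFlag {
    param([Parameter(Mandatory)][string]$Name)

    # Setting PasswordExpired back to 0 clears the must-change flag without
    # touching the password that the CSP profile set.
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $adsi.PasswordExpired = 0
    $adsi.SetInfo()
}

$state = Get-LocalAccountState -Name $AccountName
$state | Format-List

if (-not $state.IsLocalAdministrator) {
    Write-Warning "'$AccountName' is not in the local Administrators group; check that the RestrictedGroups profile lists it and has applied."
}

if ($state.MustChangeAtNextLogon) {
    Write-Warning "'$AccountName' has the must-change-at-next-logon flag set; UAC elevation with this account will be refused until it is cleared."
    if ($ClearFlag) {
        Clear-MustChangeFlag -Name $AccountName
        Write-Output "Cleared the flag; re-run without -ClearFlag to confirm."
    }
}
```

Running this once after each profile has applied (and again after the device restart in step 3) gives a concrete pass/fail for the ordering fix described above, rather than waiting for a user to report that elevation is refused.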