Azure – Batch – Add User into Local Administrators Group


On an Azure AD-joined machine, the user's UPN is required to add that user to the local Administrators group. To obtain the UPN, you first need the user's SID. The caveat to all of this is that both values must be read in the System account security context, so the normal (Current User) environment variables will not work.

I grab the user SID from a known registry location, use that SID to look up the UPN in another known location, and then add the user to the Administrators group using the returned UPN. All of this happens dynamically.

I turned this into an EXE, uploaded to SCCM, and deployed to a specific device collection, to control which devices will have access to the package (temporarily, of course).

Tested from SCCM in the System Account.


Return SID

FOR /F "tokens=3" %%a IN ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /v "LastLoggedOnUserSID" /reg:64') do set SID=%%a


Return UPN

FOR /F "tokens=3" %%a IN ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\Cache\%SID%\IdentityCache\%SID%" /v "UserName" /reg:64') do set UPN=%%a


Add User

net localgroup administrators /add "AzureAD\%UPN%"


Notes

Other ideas:

Create a scheduled task (run daily) that checks for a marker file or registry key. If the marker or registry key has been deleted, the task removes the user from the Administrators group.

Allow 24 hours of admin access, and then have a scheduled task remove the user from the Administrators group.
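The three steps above, together with the marker-file revocation idea from the Notes, combined into one batch file with checks on each lookup. This is an added example, not the original post's script; the marker path under %ProgramData%\TempAdmin and the `remove` argument are hypothetical choices.

```batch
@echo off
REM Added example, not the original post's script: the three steps with checks,
REM plus a "remove" mode for the scheduled-task idea in the Notes.
REM Run as SYSTEM (e.g. from SCCM). The marker path is a hypothetical choice.
REM Caveat: LastLoggedOnUserSID is the last user shown on the logon screen,
REM not necessarily whoever is logged on right now.
setlocal EnableExtensions
set "MARKERDIR=%ProgramData%\TempAdmin"
set "MARKER=%MARKERDIR%\granted.txt"
set "SID="
set "UPN="

REM Step 1: SID of the last logged-on user (2^>nul hides "value not found")
FOR /F "tokens=3" %%a IN ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /v "LastLoggedOnUserSID" /reg:64 2^>nul') do set "SID=%%a"
if not defined SID (
    echo No LastLoggedOnUserSID found; nothing to do.
    exit /b 1
)

REM Step 2: resolve that SID to the Azure AD UPN from the identity cache
FOR /F "tokens=3" %%a IN ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\Cache\%SID%\IdentityCache\%SID%" /v "UserName" /reg:64 2^>nul') do set "UPN=%%a"
if not defined UPN (
    echo No cached UPN for %SID%; not an Azure AD account?
    exit /b 1
)

if /I "%~1"=="remove" goto :remove

REM Step 3: grant, then drop a marker the scheduled task can look for later
net localgroup administrators "AzureAD\%UPN%" /add
if errorlevel 1 (
    echo Failed to add AzureAD\%UPN% to Administrators.
    exit /b 1
)
if not exist "%MARKERDIR%" mkdir "%MARKERDIR%"
>"%MARKER%" echo %DATE% %TIME% %UPN%
echo Granted local admin to AzureAD\%UPN%.
exit /b 0

:remove
REM Scheduled-task mode: revoke only once the marker file has been deleted
if exist "%MARKER%" (
    echo Marker still present; AzureAD\%UPN% keeps admin for now.
    exit /b 0
)
net localgroup administrators "AzureAD\%UPN%" /delete
echo Removed AzureAD\%UPN% from Administrators.
exit /b 0
```

Schedule the script with the `remove` argument as SYSTEM on a daily trigger; deleting the marker file then revokes the rights on the next run.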