Grant and Revoke admin rights through Domain Controller
An admin can grant one-time admin access to multiple domain-joined devices from the Domain Controller. With admin rights, devices can be enrolled over-the-air via a .ppkg file. Once the devices are enrolled, the domain admin can revoke the device users' admin access and trigger a restart for all the devices from MDM.
- A. Grant Admin rights to the device users from Domain Controller
  - Log in to Domain controller as a Domain Administrator.
  - From the start menu go to .
  - To grant Admin permissions to non-admin users:
    - Navigate to Users, select Domain Users, right click and select Add to a group…
    - In the Select Groups popup, in the Enter the object names to select text box, enter Domain Admins.
    - Click Check Names to verify and click OK.
- B. Perform user-initiated enrollment
  - Open Firefox or any other supported browser, and in the address bar, enter enrollment URL. For example, https://mdmserver.demo.com.
  - Enter valid AD credentials to authenticate.
  - Once the authentication is successful, the user can download .ppkg file by clicking
- C. Revoke Admin rights of the user from the Domain Controller
  - Log in to Domain controller as a Domain Administrator.
  - From the start menu go to .
  - To revoke Admin permissions from the domain user:
    - Navigate to Users, double click Domain Admins.
    - Go to Members tab, select Domain Users, click Remove, and click Yes to confirm.
    - Click
Admin rights are now revoked from all users in the Domain Users group. For the changes to take effect, restart the user’s device from MDM. From the user’s device, you can verify whether the user has Admin rights by navigating to .
The user can now manage the device through MDM without Admin rights. The work or school account will still be present for the non-admin user. However, only an Admin can unenroll the device from MDM.
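To confirm from the Domain Controller that step C fully reversed step A, the following added example (not part of the original procedure or the MDM product) audits the Domain Admins group. It assumes the RSAT ActiveDirectory PowerShell module is installed and the session can read group membership; the function name `Test-DomainAdminsRevoked` is hypothetical.

```powershell
# Added example: audit that the temporary grant from step A was removed in step C.
# Assumption: RSAT ActiveDirectory module is available on this machine.
Import-Module ActiveDirectory

function Test-DomainAdminsRevoked {
    param(
        [string]$PrivilegedGroup = 'Domain Admins',
        [string]$TemporaryMember = 'Domain Users'
    )

    # Direct members only: step A added the Domain Users group at this level.
    $direct = @(Get-ADGroupMember -Identity $PrivilegedGroup)

    # Any group nested here passes admin rights on to all of its members.
    $nestedGroups = @($direct | Where-Object { $_.objectClass -eq 'group' })
    $stillNested  = @($nestedGroups | Where-Object { $_.SamAccountName -eq $TemporaryMember })

    # Effective membership once remaining nesting is expanded.
    $effective = @(Get-ADGroupMember -Identity $PrivilegedGroup -Recursive)

    [pscustomobject]@{
        Group            = $PrivilegedGroup
        Revoked          = ($stillNested.Count -eq 0)
        NestedGroups     = @($nestedGroups | ForEach-Object { $_.SamAccountName })
        EffectiveMembers = @($effective | ForEach-Object { $_.SamAccountName } | Sort-Object -Unique)
    }
}

$result = Test-DomainAdminsRevoked
$result | Format-List

if (-not $result.Revoked) {
    Write-Warning "'Domain Users' is still a member of 'Domain Admins'; repeat step C."
}
```

Review `EffectiveMembers` as well as `Revoked`: any account listed there that is not an intended domain administrator still holds the rights granted in step A.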