“User Rights” Policy not working properly
During our process of migrating GPOs to Intune Policy I noticed some odd behaviour of Intune.
We want to set specific User Rights (in GPO it was called User Right Assignments) for specific Groups, Users and BuiltIn-Groups. We are setting this policy through the Windows 10 (and later) Security Baseline.
When using SIDs for BuiltIn-Groups like *S-1-5-32-544 it seems to work perfectly. But there are several other things that are not working.
I’m not able to set any kind of own Group to this Policy, neither OnPrem-AD-Groups nor Entra-ID-Groups. I tried with DOMAINGroup-Name, with Classical SID and with Object-GUID. The Group just won’t appear on the Client and the Event Log is throwing an Error 821 “Security Identifier is invalid”.
I’m not able to set a specific User Right to NULL so no User has the Right. If I leave the field empty and save the Policy it automatically switches to Not Configured and is doing nothing. NULL, 0 or Security Identifier S-1-0-0 are not working either.
When I checked if the Policy is properly applied through GPEDIT.msc I noticed that the policies are not locked down like when setting the Policy via GPO. So a User with Administrative Rights can easily change the Assignments until the next Intune Policy Sync (which is not too often).
Wondering if somebody was able to set the User Rights properly (also using own Groups, not just Well-Known-SIDs) or if somebody else is facing the same issues.