How to remove local administrator accounts on a Windows device

Overview

From time to time, there may arise a need to manually remove administrator accounts from devices. While we encourage customers to set up an Autopilot profile to enroll users with standard accounts, over time, users are often added to the local admin group and subsequently need to be removed.

In this article, we will discuss the steps required to remove local admin accounts, which include:

  1. Get current members of the local admin group, including Entra group SIDs.
  2. Create an Intune custom configuration profile.

Requirements

  • A user account with an Intune administrator role.
  • Access to an Entra joined device.

Steps

By default, the local Administrators group should contain the following members:

  • Built-in administrator account
  • LAPS account
  • Global Administrators group SID (unique to each tenant)
  • Device Administrators group SID (unique to each tenant)

You should retain the built-in administrator, the LAPS account, and the Device Administrators group in the administrator group.

The Global Administrators group was added to the local administrators group before the LAPS function was available in Intune. It was initially set up as a “break glass” account. However, this is no longer required, and it can now be safely removed from the local administrator group based on your security requirements.

Get current local administrators group members

For this exercise, run the following PowerShell script. The script will retrieve the local administrators group members, including Entra ID group SIDs.

Note: Keep in mind that group SIDs are unique per tenant, and the configuration profile cannot be used across multiple tenants without first modifying the group SIDs:

# Enumerate the local Administrators group via ADSI; Entra ID groups are
# returned as raw SIDs, local accounts as COMPUTERNAME/account
$administrators = @( ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
} ) -match '^WinNT'
# Strip the provider prefix so only the account name or SID remains
$administrators = $administrators -replace "WinNT://", ""

$administrators

The results should be similar to below:

DEVICE-01/admin-builtin
S-1-12-1-1234567890-1234567890-123456789-65867253
S-1-12-1-1234567890-1234567890-123456789-65867254
DEVICE-01/laps-account

The two SIDs are the Entra ID groups (Global Administrators and Device Administrators).

Create Intune custom configuration profile

  1. Sign into your Intune tenant
  2. Head to Devices > Windows > Configuration profiles
  3. From the top menu select Create > New Policy
  4. Under Platform select Windows 10 and later
  5. Under Profile type select Templates
  6. Under Template name select Custom
  7. Click on Create
  8. Give the profile a unique name and description (optional) and click Next
  9. Next to OMA-URI Settings click Add
  10. Give the setting a Name and Description (optional) and set the remaining options as follows:
    1. OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
    2. Data type: String
    3. Value:
<GroupConfiguration>
  <accessgroup desc="S-1-5-32-544">
    <group action="R"/>
    <add member="S-1-12-1-1234567890-1234567890-123456789-658672536"/>
    <add member="S-1-12-1-1234567890-1234567890-123456789-658672547"/>
    <add member="admin-builtin"/>
    <add member="laps-account"/>
  </accessgroup>
</GroupConfiguration>

Note: Replace the account names and SIDs with the values you obtained earlier.

The last step is to assign the profile to the group of users or devices you want to remove the local administrators from. If you don't have a group ready, create a new one and add the users/devices to it.
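The following PowerShell is an added example, not part of the original article, that ties the two steps together: it enumerates the current Administrators membership the same way as the script above, builds the GroupConfiguration value for the OMA-URI with the principals you want removed left out, and provides a post-deployment check that reports drift between the live group and the intended list. The function names and the placeholder SID are assumptions for illustration; substitute the Global Administrators group SID you obtained from your own tenant. Action "R" (Restrict) replaces the group's membership with exactly the listed members, so the built-in administrator, the LAPS account and the Device Administrators SID must remain in the list.

```powershell
# Added example (not from the original article): build the LocalUsersAndGroups
# "Configure" value from a device's current Administrators membership, minus the
# principals you want removed, and verify afterwards that the policy applied.
# Run in an elevated PowerShell session on a reference Entra-joined device.

function Get-LocalAdminMembers {
    # Enumerate the local Administrators group via ADSI (same approach as the
    # article's script). Entra ID groups appear as raw SIDs, local accounts
    # as COMPUTERNAME/account.
    $members = @(([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    }) -match '^WinNT'
    $members -replace '^WinNT://', ''
}

function ConvertTo-CspMember {
    # Local accounts are referenced by account name only (no COMPUTERNAME/ prefix);
    # SIDs are passed through unchanged.
    param([Parameter(Mandatory)][string]$AdsPath)
    if ($AdsPath -match '^S-1-') { return $AdsPath }
    return ($AdsPath -split '/')[-1]
}

function New-AdminGroupConfigurationXml {
    # Emit the GroupConfiguration XML for the OMA-URI
    # ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
    # Action "R" (Restrict) replaces the group's membership with exactly the
    # listed members, so every principal that must stay has to be included.
    param(
        [Parameter(Mandatory)][string[]]$Keep,
        [string[]]$Remove = @()
    )
    $final = $Keep | Where-Object { $_ -notin $Remove } | Sort-Object -Unique
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<GroupConfiguration>')
    [void]$sb.AppendLine('  <accessgroup desc="S-1-5-32-544">')   # well-known SID of local Administrators
    [void]$sb.AppendLine('    <group action="R"/>')
    foreach ($m in $final) {
        $escaped = [System.Security.SecurityElement]::Escape($m)
        [void]$sb.AppendLine("    <add member=`"$escaped`"/>")
    }
    [void]$sb.AppendLine('  </accessgroup>')
    [void]$sb.AppendLine('</GroupConfiguration>')
    $sb.ToString()
}

function Test-AdminGroupMatches {
    # Post-deployment check: compare the live membership with the intended list
    # and report anything extra (not yet removed) or missing (policy not applied
    # or a required account dropped).
    param([Parameter(Mandatory)][string[]]$Expected)
    $actual = Get-LocalAdminMembers | ForEach-Object { ConvertTo-CspMember $_ }
    [pscustomobject]@{
        Extra   = @($actual   | Where-Object { $_ -notin $Expected })
        Missing = @($Expected | Where-Object { $_ -notin $actual })
    }
}

# --- Usage ---------------------------------------------------------------
# Placeholder (assumption): replace with the Global Administrators group SID
# returned by the enumeration step in your own tenant.
$globalAdminsSid = 'S-1-12-1-REPLACE-WITH-YOUR-TENANT-SID'

$current  = Get-LocalAdminMembers | ForEach-Object { ConvertTo-CspMember $_ }
$expected = $current | Where-Object { $_ -ne $globalAdminsSid }

# Paste this output into the OMA-URI "Value" field of the custom profile.
New-AdminGroupConfigurationXml -Keep $current -Remove $globalAdminsSid

# After the profile reports as applied in Intune, run this on the device;
# both lists should be empty.
Test-AdminGroupMatches -Expected $expected
```

Review the generated XML before pasting it: the expected list is derived from whatever is in the group on the reference device, so an account that should not be an administrator will be preserved unless you add it to -Remove as well.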
