Overview
When a device is enrolled using autopilot, depending on the autopilot profile, the user may or may not be added as a local administrator on the device.
When the device is enrolled without using autopilot, the enrolling user will always be added as a local administrator.
In some instances, a device may be enrolled into Intune without going through autopilot. In such a scenario, existing local administrator(s) or the user performing the initial OOBE will retain or gain admin access on the device. These accounts appear in your local administrators reports as "Unexpected Admins" on the Devicie dashboard.
Below we explain how to remove the local administrator on a device, either programmatically or manually.
Programmatically remove local admins
To programmatically remove users from the local Administrators group through Intune, a config profile needs to be created and assigned to the group of devices that require local admin removal. The profile should exclude the Global Administrator and Device Administrator Entra ID built-in groups, as well as the LAPS account configured through the LAPS service and the built-in admin account.
The Global Administrator and Device Administrator SIDs are unique in every tenant. You need to obtain and provide the SIDs for both groups so that Devicie can set up the appropriate configuration profile to remove current users from the local Administrators group.
Requirements
- Access to an Entra joined device on your tenant (Intune managed).
Steps
- Open PowerShell.
- Copy/paste or type the command below into PowerShell:
    ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') | % {
        ([ADSI]$_).InvokeGet('AdsPath')
    }
- The results should return the usernames of members of the local Administrators group, as well as the SIDs for the Global Administrator and Device Administrator groups (the two Entra ID groups appear as WinNT:// paths containing their SIDs), similar to the below.
Note: You may have more than 2 local administrator users. Apart from the "expected admins" and the 2 groups mentioned above, all other "unexpected admins" will be removed once the config profile runs on the device.
- Copy the SIDs for both groups and provide them to the Devicie support team.
Manually remove local admins on a device
Requirements
- Access to the device where you want to remove the local administrator.
- Administrator account on the device.
Using the GUI
Note: You can use the same local admin account to remove its own access from the Administrators group. The user will need to sign out and back in for the permissions to update and for the admin removal to take effect.
- Right-click on the Start Menu.
- Click on Computer Management.
- In Computer Management, expand System Tools > Local Users and Groups.
- Click on Groups.
- Double Click on Administrators.
- Select the user you want to remove from the local Administrator group and click on Remove then click OK.
- If you receive the below popup, that means the user account you're signed into is not an admin on the device. Sign out and sign in with an admin user.
Using PowerShell
- Open Start Menu and search for Task Manager then click on Open file location.
- Hold down the Shift key on your keyboard and right-click on Task Manager then click on Run as a different user.
- Type in the local admin username and password, then click OK. Click Yes on the secure desktop prompt when prompted.
- In Task Manager, click on File then click on Run new task.
- Type in powershell.exe and tick the box to Create this task with administrative privileges and click OK.
PowerShell should now be open with administrative privileges.
- In PowerShell, copy/paste or type the below:
Note: Replace adminusername with the username you want to revoke the admin rights for.
Remove-LocalGroupMember -Group "Administrators" -Member "adminusername"
The username should now be removed from the local Administrators group. If you are signed in as that user you will need to sign out and back in for the privileges to refresh.
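The following script is an added example, not part of the Devicie article or its configuration profile. It combines the ADSI enumeration from the "Programmatically remove local admins" section with Remove-LocalGroupMember: it lists every member of the local Administrators group, marks the built-in administrator, the LAPS account and the two Entra ID groups as expected, reports everything else as unexpected, and removes those entries only when run with -Remove. The Entra ID group SIDs and the LAPS account name are placeholders you must replace with your tenant's values.

```powershell
# Added example (not from the Devicie article). Audits the local Administrators
# group with the same ADSI enumeration the article uses, flags members that are
# not on the allow-list, and removes them only when -Remove is passed.
# The Entra ID group SIDs and the LAPS account name below are placeholders.
param(
    [switch]$Remove   # Report only unless -Remove is given.
)

# Tenant-specific values (assumptions): paste the SIDs from the ADSI command output.
$ExpectedSids = @(
    'S-1-12-1-PLACEHOLDER-GLOBAL-ADMINISTRATOR-GROUP',
    'S-1-12-1-PLACEHOLDER-DEVICE-ADMINISTRATOR-GROUP'
)
$ExpectedNames = @('LAPS-ACCOUNT-PLACEHOLDER')   # LAPS-managed local account name

$members = ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') | ForEach-Object {
    $entry   = [ADSI]$_
    $adsPath = $entry.InvokeGet('AdsPath')
    $name    = try { $entry.InvokeGet('Name') } catch { $adsPath }
    try {
        $raw = [byte[]]$entry.InvokeGet('objectSid')
        $sid = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    } catch {
        # Entra ID principals may not resolve locally; their AdsPath is WinNT://<SID>.
        $sid = if ($adsPath -match '^WinNT://(S-1-[\d-]+)$') { $Matches[1] } else { $null }
    }
    [pscustomobject]@{ Name = $name; Sid = $sid; AdsPath = $adsPath }
}

foreach ($m in $members) {
    $builtInAdmin = $m.Sid -like 'S-1-5-21-*-500'      # well-known RID 500 account
    $expected = $builtInAdmin -or ($ExpectedSids -contains $m.Sid) -or ($ExpectedNames -contains $m.Name)
    if ($expected) { Write-Host "Expected   : $($m.Name) [$($m.Sid)]"; continue }

    Write-Host "Unexpected : $($m.Name) [$($m.Sid)] $($m.AdsPath)"
    if ($Remove -and $m.Sid) {
        # Removing by SID is unambiguous for local, domain and Entra ID members alike.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Sid -Confirm:$false
    }
}
```

Run it first without -Remove to confirm the report matches the "Unexpected Admins" shown on the Devicie dashboard before removing anything.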