Removing local administrators is an easy way to improve Windows security. Sometimes politics get in the way and you are forced to add local administrators to machines. This can quickly get out of hand.
When users have local admin rights they can do literally anything they want on their workstation, including downloading and installing applications, uninstalling applications, and even blocking IT staff from administering the workstation. Many users, especially C-levels, do not want to deal with IT to install apps or plugins, which creates complications and compromises network security.
This automation contains 2 action modules. The first will create a report on non-compliant local administrators. The second will actually remove the non-compliant admins.
Report on local Admins
Report Computer property >> Local Account Database >> Local Groups >> Members >> NT Account Name
CONDITION
Local Account Database >> Local Groups >> NT Account Name = Administrators
Local Account Database >> Local Groups >> Members >> NT Account Name NOT= Administrator (Ignores the administrator account)
Local Account Database >> Local Groups >> Members >> NT Account Name NOT= Domain Admins (Ignores the DA Group)
Clean up local admins
Execute Computer Action >> Local Account Database >> Local Groups >> Members >> Delete object
CONDITIONS
- Computer condition >> Local Account Database >> Local Groups >> NT Account Name = Administrators (focuses on the Administrators group)
- Computer condition >> Local Account Database >> Local Groups >> Members >> NT Account Name NOT= Administrator (Ignores the administrator account)
- Computer condition >> Local Account Database >> Local Groups >> Members >> NT Account Name NOT= Domain Admins (Ignores the DA Group)
Feel free to split these modules into separate automations for better control and visibility.
You can also ignore more user accounts or groups by repeating the NOT= CONDITION for each one.
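For machines where you want to check the result by hand, the same report-then-remove logic can be run locally in PowerShell. This is an added example, not part of the automation described above; the function and parameter names are hypothetical. It goes one step further than the name conditions by matching on well-known SIDs, so a renamed Administrator account or a localized group name is still handled.

```powershell
# Added example; function and parameter names are hypothetical.
# Uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1+).

$AdminGroupSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

function Get-NonCompliantLocalAdmin {
    [CmdletBinding()]
    param(
        # Extra accounts or groups to ignore, as NT account names (DOMAIN\Name).
        # Equivalent to repeating the NOT= condition in the automation.
        [string[]]$AllowedName = @()
    )
    Get-LocalGroupMember -SID $AdminGroupSid | Where-Object {
        # RID 500 = built-in Administrator, RID 512 = Domain Admins.
        # Matching the RID ignores both even when they have been renamed.
        $isIgnored = $_.SID.Value -match '^S-1-5-21-(\d+-){3}(500|512)$'
        -not $isIgnored -and ($AllowedName -notcontains $_.Name)
    }
}

function Remove-NonCompliantLocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$AllowedName = @())

    foreach ($member in (Get-NonCompliantLocalAdmin -AllowedName $AllowedName)) {
        # ShouldProcess makes -WhatIf and -Confirm work for the cleanup step.
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -SID $AdminGroupSid -Member $member
        }
    }
}

# Module 1: report on non-compliant local administrators.
Get-NonCompliantLocalAdmin | Select-Object Name, ObjectClass, PrincipalSource

# Module 2: preview the cleanup. Drop -WhatIf (in an elevated session) to apply it.
Remove-NonCompliantLocalAdmin -WhatIf
```

Review the report output before running the removal without -WhatIf, and pass any approved exceptions through -AllowedName so they are not removed.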