Forum Discussion
Local Admin Rights
Hi Experts,
I have a customer running a Hybrid Azure AD Join environment with all Windows devices enrolled in Intune.
Currently, Domain Users are being added to the local Administrators group on all devices via an on-premises Group Policy from the Domain Controller (Restricted Groups / Local Admin configuration). This effectively gives all users local admin rights.
I want to remove Domain Users from the local Administrators group on endpoints while not modifying the Domain Users group itself in Active Directory.
What is the recommended / best-practice approach to handle this in a Hybrid + Intune setup?
Specifically:
What is the safest migration strategy to avoid device or admin lockouts?
Any Hybrid-specific gotchas when transitioning from on-prem GPO to Intune?
Looking for advice from those who’ve implemented this in production environments.
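As an added example that is not part of the original post, the PowerShell below is the kind of audit-then-remediate script a practitioner would run on each endpoint (interactively with -WhatIf, or as an Intune detection/remediation pair) to take Domain Users out of the local Administrators group without locking anyone out. It refuses to remove anything unless an enabled local break-glass account is already a direct member of the group. The domain NetBIOS name CONTOSO and the account name BreakGlassAdmin are placeholders assumed for the example.

```powershell
# Added example, not from the original post: audit the local Administrators group and,
# only when a break-glass safeguard passes, remove Domain Users from it.
# Assumed placeholders: domain NetBIOS name CONTOSO, local break-glass account BreakGlassAdmin.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DomainNetBios     = 'CONTOSO',
    [string]$BreakGlassAccount = 'BreakGlassAdmin',
    [switch]$Remediate
)

$Group        = 'Administrators'
$TargetMember = "$DomainNetBios\Domain Users"

function Get-AdminMembers {
    # Get-LocalGroupMember can throw when the group holds orphaned SIDs (common on Hybrid
    # devices), so fall back to ADSI enumeration, which returns those entries as raw SIDs.
    try {
        return @(Get-LocalGroupMember -Group $Group -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; Sid = $_.SID.Value; Class = $_.ObjectClass }
        })
    } catch {
        $adsi = [ADSI]"WinNT://./$Group,group"
        return @($adsi.Invoke('Members') | ForEach-Object {
            $path  = $_.GetType().InvokeMember('AdsPath',   'GetProperty', $null, $_, $null)
            $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
            $class = $_.GetType().InvokeMember('Class',     'GetProperty', $null, $_, $null)
            [pscustomobject]@{
                Name  = ($path -replace '^WinNT://', '' -replace '/', '\')
                Sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
                Class = $class
            }
        })
    }
}

function Test-BreakGlassReady {
    param([object[]]$Members)
    # Safeguard: the named break-glass account must exist locally, be enabled, and be a
    # direct member of Administrators. Nested domain groups are not good enough, because
    # they depend on the same GPO/identity plumbing we are about to change.
    $bg = Get-LocalUser -Name $BreakGlassAccount -ErrorAction SilentlyContinue
    if (-not $bg -or -not $bg.Enabled) { return $false }
    return [bool]($Members | Where-Object { $_.Sid -eq $bg.SID.Value })
}

$members = Get-AdminMembers

# RID 513 is the well-known Domain Users RID; matching it catches the entry even if the
# name failed to resolve (for example, when the device has no line of sight to a DC).
$domainUsers = $members | Where-Object { $_.Name -eq $TargetMember -or $_.Sid -like 'S-1-5-21-*-513' }

Write-Output "Members of $Group on $env:COMPUTERNAME:"
$members | ForEach-Object { Write-Output ('  {0,-45} {1}' -f $_.Name, $_.Sid) }

if (-not $domainUsers) {
    Write-Output "Compliant: $TargetMember is not a member of $Group."
    exit 0   # Intune detection convention: exit 0 = compliant, 1 = remediation needed
}

if (-not (Test-BreakGlassReady -Members $members)) {
    Write-Warning "Refusing to touch $Group: no enabled local '$BreakGlassAccount' is a member. Fix that first."
    exit 1
}

if ($Remediate) {
    if ($PSCmdlet.ShouldProcess("$Group on $env:COMPUTERNAME", "Remove $($domainUsers.Name)")) {
        Remove-LocalGroupMember -Group $Group -Member $domainUsers.Name
        Write-Output "Removed $($domainUsers.Name) from $Group."
    }
    exit 0
}

Write-Output "Non-compliant: $($domainUsers.Name) is a member of $Group (rerun with -Remediate to fix)."
exit 1
```

Run it without -Remediate as the detection script and with -Remediate as the remediation script, or locally with `-Remediate -WhatIf` to see what it would change. Two caveats: a Restricted Groups policy in "Members of this group" mode re-applies its membership list at every policy refresh, so a device must be out of that GPO's scope (or the GPO amended) before remediation, otherwise the script and the GPO will keep undoing each other; and the break-glass account it relies on should have its password managed (Windows LAPS via Intune is the usual choice) rather than being a shared static credential.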