Forum Discussion
drivesafely
Jan 12, 2025 - Brass Contributor
Intune - remove local admins
Hello All,
In our workgroup environment, users currently have local admin rights. After performing Entra join and onboarding devices to Intune, how can we remove all users from the local administrators group, keeping only the default administrator account? Note that users will continue logging in with their local accounts, not Entra accounts.
Additionally, is there a simpler way to update the IP addresses on these devices?
Thanks!
- Lo-Tech, Copper Contributor
Agreed with Tom.
This was also posted on Learn.Microsoft Q&A
How to remove local admin right on all users devices via intune - Microsoft Q&A
Has a blog post that can go over the process of updating the local groups.
- tomwoodward, Copper Contributor
I've done this before. I've found the 'Account protection' under 'Endpoint security' to work really well here:
Manage account protection settings with endpoint security policies in Microsoft Intune | Microsoft Learn
- drivesafely, Brass Contributor
Hello tomwoodward
Thanks for the useful link shared.
1. We want to remove standard accounts that are created locally on Windows devices from the Administrators group.
With the 'Account protection' option, can we do that by using the option 'Add (Replace)' for the Administrators group and selecting any one of the Entra users? There is no option here to add an account created locally.
2. How about adding or keeping a common standard account which is created locally in the device to the Administrators group only?
Thanks
- Salamat_Shah, Iron Contributor
Yes, you can do it. To remove users from the local administrators group, Intune's Device Configuration profiles or a custom PowerShell script can be used.
For updating IP addresses, leveraging Group Policies (if domain-connected) or deploying a PowerShell script via Intune is the most straightforward method.
- drivesafely, Brass Contributor
Hello Salamat_Shah
Thanks for the response and confirmation.
For removing users from the local admin group, can you provide more details on which setting in Device Configuration would help? Are you suggesting the Restricted Groups settings through a custom profile via CSP?
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-restrictedgroups
Thanks,
- Rachid007, Copper Contributor
There are several ways to achieve this. If you use Autopilot you have the option to set the user account type to Standard. If not, you can take a look at this post from Rudy where he explains in detail how to resolve this by the use of PowerShell. https://call4cloud.nl/remove-all-local-admins/
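The PowerShell-script route that Salamat_Shah and Rachid007 point to, as an added example that is not from this thread, from Rudy's post, or from Microsoft's documentation. It assumes the script is deployed from Intune (Devices > Scripts) running as SYSTEM with "Run script in 64-bit PowerShell host" enabled (the LocalAccounts module is not available in the 32-bit host). It keeps the built-in Administrator (RID 500) and an optional allow-list of locally created accounts, which covers the "common standard account" question above; the account name `LocalSupport` is a hypothetical placeholder.

```powershell
# Added example: remove every member of the local Administrators group except
# the built-in Administrator (RID 500) and an allow-list of local accounts.
# Not the thread's or Rudy's code. Assumes Intune runs it as SYSTEM in the
# 64-bit PowerShell host. 'LocalSupport' is a hypothetical account name.

param(
    [string[]] $KeepLocalAccounts = @('LocalSupport'),  # hypothetical common standard account to keep
    [switch]   $WhatIfOnly                              # report only; remove nothing (use on a pilot ring first)
)

$ErrorActionPreference = 'Stop'
$log = Join-Path $env:ProgramData 'IntuneScripts\RemoveLocalAdmins.log'
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null

function Write-Log([string] $Message) {
    # Tee-Object writes to the log file and to the pipeline, so the same lines
    # show up in the Intune script output.
    "$((Get-Date).ToString('s')) $Message" | Tee-Object -FilePath $log -Append
}

# Resolve the group by its well-known SID (S-1-5-32-544) instead of the name
# "Administrators", so the script also works on non-English Windows builds.
$adminsGroup = Get-LocalGroup -SID (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544')

# The built-in Administrator is the local account whose RID is 500; compare the
# full SID rather than a name, since the account may have been renamed.
$builtinAdminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value

# Local members are reported as COMPUTERNAME\account; normalise the allow-list to that form.
$keepSet = $KeepLocalAccounts | ForEach-Object { "$env:COMPUTERNAME\$_".ToLowerInvariant() }

$failures = 0
foreach ($member in Get-LocalGroupMember -Group $adminsGroup) {
    $sid  = $member.SID.Value
    $name = $member.Name

    if ($sid -eq $builtinAdminSid) {
        Write-Log "keep    $name (built-in Administrator)"
        continue
    }
    if ($keepSet -contains $name.ToLowerInvariant()) {
        Write-Log "keep    $name (allow-listed local account)"
        continue
    }
    if ($WhatIfOnly) {
        Write-Log "would remove $name [$sid] ($($member.ObjectClass), source $($member.PrincipalSource))"
        continue
    }
    try {
        Remove-LocalGroupMember -Group $adminsGroup -Member $member.SID
        Write-Log "removed $name [$sid]"
    } catch {
        $failures++
        Write-Log "FAILED  $name [$sid]: $($_.Exception.Message)"
    }
}

# A non-zero exit code makes Intune report the script as failed on that device,
# which is how you notice members it could not remove.
if ($failures -gt 0) { exit 1 } else { exit 0 }
```

Two things worth checking before assigning this to all devices: run it with `-WhatIfOnly` on a pilot group and read the log under `%ProgramData%\IntuneScripts`, and be aware that `Get-LocalGroupMember` can throw on a group that contains an orphaned SID (an account that was deleted while still a member); if that happens on some devices, remove the orphaned entry first, then re-run.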