Forum Discussion
Incorrect Identification of Local Admin in Defender for Endpoint
Hi italicize_valiant, can you confirm whether the group is "Administrator" or "Administratorer"? It looks like it is getting a different object class. What you can do is go to the Computer Management console and check the administrator group as per this screenshot, and confirm or share the screenshot.
Hi,
Yes, I can confirm that “Administratorer” is the same as your image. Also, the same users and groups are present.
That's why I don't understand how and why MDE is getting this information.
- duliprb Mar 14, 2025 MCT
It looks like your filtering options are different. As I said, "Administratorer" has a spelling issue. I'd appreciate it if you could share a screenshot. :)
- duliprb Mar 19, 2025 MCT
Oh :), in that case it could pose a security risk. Check the Windows sign-in logs to see any recent logins, especially 4624; it could be privilege escalation activity. Has MDE detected anything?
- italicize_valiant Mar 19, 2025 Copper Contributor
"Administratorer" is just Administrator in Danish :)