Clean Up Local Admins
Introduction
The Clean Up Local Admins feature in Admin By Request is designed to help IT administrators easily manage and remove unused or rogue local administrator accounts across multiple endpoints. A quick check (and subsequent clean up if necessary) can be done directly from the portal, giving administrators an immediate and holistic view of just who currently has admin access on which computers.
The feature simplifies the process of identifying and revoking unnecessary admin rights, reducing the attack surface and enhancing security within an organization.
Purpose
The feature addresses the common problem of unmanaged or forgotten local admin accounts that could pose security risks. These accounts may belong to former employees or be left over from previous configurations, making them prime targets for cybercriminals seeking to exploit elevated privileges.
Functionality
The feature centralizes the management of local admin accounts by allowing administrators to revoke admin rights from a single interface within the portal. This eliminates the need to manually disable accounts on individual endpoints.
How It Works
- Access the Feature:
Navigate to the Inventory page within the portal.
Select the desired endpoint and click Local Admins from the left-hand menu. This brings up a bird's-eye view of all administrator accounts associated with that endpoint, displayed as individual account cards.
- Identify Admin Accounts:
Each account card is labeled with an icon and a name indicating the type of account (e.g., Azure AD account, Domain account, Local Admin account, Local Administrator, Domain Administrator, etc.).
Rogue or unused accounts may be identified by non-descriptive names, often represented by long numeric sequences.
- Revoke Admin Rights:
To revoke admin rights, click the Revoke Rights button located on the account card. This button is highlighted in orange.
The button will change to Cancel Revoke, allowing you to undo the action if it was selected by mistake.
Once revoked, the account is moved to a new section called Restore Revoked Local Administrators, where it remains for two weeks, during which time it can be restored if necessary.
- Restore Admin Rights:
Admin rights can be restored by selecting the Restore Rights button within the Restore Revoked Local Administrators section during the two-week window.
Safeguards
The feature includes built-in safeguards to prevent the removal of essential accounts, such as Active Directory\Domain Administrators, Azure AD\Device Administrators, Azure AD\Company Administrators, the built-in Windows Administrator account, and the first Administrator account used to set up the computer. This ensures that critical administrative access is not inadvertently revoked, which could otherwise render endpoints inaccessible.
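The following is an added example, not part of Admin By Request or its documentation: a Python helper for triaging the "long numeric" names described under Identify Admin Accounts before revoking them, on the assumption that those names are unresolved Windows SIDs. The function names, categories and sample entries are constructed for illustration.

```python
import re

# Well-known relative IDs (last SID component) in Windows domain/machine SIDs.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 512: "Domain Admins"}
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$", re.IGNORECASE)

def triage(member):
    """Classify one local admin entry; returns (category, note)."""
    m = SID_RE.match(member.strip())
    if not m:
        return ("named", "resolved name: judge by owner and last use")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if authority == 12 and subs[0] == 1:
        # Azure AD principals; role SIDs never resolve to a name locally.
        return ("azure-ad", "compare with the tenant's admin role SIDs")
    if authority == 5 and subs[0] == 21 and len(subs) == 5:
        rid = subs[-1]
        if rid in WELL_KNOWN_RIDS:
            return ("well-known", WELL_KNOWN_RIDS[rid])
        return ("orphan-candidate", f"RID {rid}: deleted account or unreachable domain")
    return ("other-sid", "look up in the well-known SID list")

# Constructed sample entries, not taken from a real endpoint.
SAMPLE = [
    "CONTOSO\\Domain Admins",
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "S-1-12-1-1234567890-1234567890-1234567890-1234567890",
    "S-1-5-32-544",
    "olivia",
]

def report(members):
    """Map each entry to its triage category."""
    return {name: triage(name)[0] for name in members}

if __name__ == "__main__":
    for name in SAMPLE:
        category, note = triage(name)
        print(f"{category:17} {name}  ({note})")
```

Only the orphan-candidate entries match the rogue-account pattern; an azure-ad entry that does not resolve may be one of the protected Azure AD administrator roles and should be checked against the tenant before it is treated as rogue.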
Using the Feature via Reports Page
Alternative Access
The Clean Up Local Admins feature can also be accessed through the Reports page for bulk management of admin accounts.
Navigate to Reports > User Reports > Local Admins to view admin accounts in a list format, grouped by account type.
Rogue accounts can be removed in bulk by selecting the Remove button next to the corresponding account group.
Undoing Removal:
If an admin account is mistakenly removed, the action can be reversed by going to the RESTORE RIGHTS tab on the Local Admins page.
The removed group will be listed, and selecting the Undo button will restore the admin rights to the affected accounts.
Example - Olivia's Mac
The procedure is straightforward:
- Log in to the portal and go to the Inventory.
- Locate the endpoint concerned and drill down using either its name in the Computer column, or Details in the Details column.
- Finally, identify the users who should not be admin and use the Revoke Rights button to remove their administrator privileges.