Issue with Local Credentials and Global Administrator in 365

massi_bh 0 Reputation points
2024-06-19T10:40:57.3366667+00:00

Hello,

We have an issue where users log in to their local computer with their 365 credentials, taking advantage of the basic functionality of Microsoft Login ID, which is programmed to also add global administrators as administrators of the local computer when the user logs in for the first time. When remote support requiring elevated privileges is needed, the user is given the password of the global 365 administrator, who, once support is completed, changes the password. However, despite the password change, the user can perform administrative operations on his computer using the global user and the old password, which is stored somewhere on the local computer. The join is only on Microsoft Login ID, and we do not have a local AD.

We have tried various methods to resolve the problem, including configuring Cached Credentials with Group Policy, checking Windows credentials, and verifying the presence of the global administrator with lusrmgr.msc (not present). We also deleted the contents of AppData directories, but all attempts were unsuccessful.

Where are these accesses stored, and how can they be deleted from the local computer?

Please note that the local administrator does not log in to the computer via the Windows login screen.

I appreciate any support in better understanding how this works.

Thank you.

Microsoft 365

2 answers

  1. Fabio Andrade 725 Reputation points Microsoft Employee
    2024-06-19T23:04:49.2833333+00:00

    Hi @massi_bh

    Thanks for reaching out to Microsoft Q&A

    You can add local administrator accounts from Entra ID to Entra ID joined devices following the steps from this document:

    https://learn.microsoft.com/en-us/entra/identity/devices/assign-local-admin

    By doing so, you wouldn't need to have your users sharing their passwords with the admins since the selected admins would have full access to the device instead.

    Let me know if I'm missing anything.

    Thanks,

    Fabio
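
An added example, not part of the answer above and not Microsoft's code: on an Entra ID joined device, Entra users, groups and roles appear in the local Administrators group as SIDs of the form `S-1-12-1-…`, which encode the principal's object ID. The PowerShell below lists the group's members by raw SID and decodes those SIDs back to object IDs so they can be matched against the tenant. The function names are hypothetical, and it assumes PowerShell 5 or later run on the joined device itself.

```powershell
# Added example: list local Administrators on an Entra-joined device and
# decode Entra SIDs. S-1-12-1-a-b-c-d holds the principal's object ID as the
# four little-endian UInt32 words of the GUID's byte array.

function Convert-EntraSidToObjectId {      # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') { return $null }
    $bytes = New-Object byte[] 16
    foreach ($i in 0..3) {
        $word = [BitConverter]::GetBytes([uint32]::Parse($Matches[$i + 1]))
        [Array]::Copy($word, 0, $bytes, $i * 4, 4)
    }
    [guid]::new($bytes)
}

function Convert-ObjectIdToEntraSid {      # hypothetical helper name
    param([Parameter(Mandatory)][guid]$ObjectId)
    $b = $ObjectId.ToByteArray()
    $words = foreach ($i in 0..3) { [BitConverter]::ToUInt32($b, $i * 4) }
    'S-1-12-1-' + ($words -join '-')
}

function Get-LocalAdminAudit {             # hypothetical helper name
    # Resolve the group name from its well-known SID so localized Windows works.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $account = $sidType::new('S-1-5-32-544').Translate([System.Security.Principal.NTAccount])
    $name    = $account.Value.Split('\')[-1]
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    foreach ($member in $group.Invoke('Members')) {
        # Read the raw SID rather than relying on a resolved account name.
        $raw = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid = $sidType::new([byte[]]$raw, 0).Value
        [pscustomobject]@{
            Sid           = $sid
            EntraObjectId = Convert-EntraSidToObjectId -Sid $sid   # $null for non-Entra SIDs
        }
    }
}

Get-LocalAdminAudit | Format-Table -AutoSize
```

Each `EntraObjectId` in the output can be compared with the object IDs of the users, groups and roles configured under the device local administrator settings in the tenant; `Convert-ObjectIdToEntraSid` goes the other way when you start from a known object ID.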


  2. Fabio Andrade 725 Reputation points Microsoft Employee
    2024-06-25T17:10:02.6166667+00:00

    Hi @massi_bh

    Just checking in to see if the above answer helped. If this answers your query, please don’t forget to click "Accept Answer", which might be beneficial to other community members reading this thread. And if you have any further queries, do let us know.

    Thanks,

    Fabio