How can I manage all devices' local administrators and users?

Michael J. Langone 0 Reputation points
2024-08-14T14:56:38.69+00:00

I want to discover what is listed for local admins, including passwords, on user devices, and remove the device user as an admin.

When adding user work or school accounts, MS adds the user to administrator accounts by default and does not provide an option to add just as a user.

Now I have to remove all the users as admins without having to create a policy for each individual machine.

Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.

3 answers

  1. Aleksandr Kolesnikov 486 Reputation points
    2024-08-14T22:32:55.0466667+00:00

    Hi @Michael J. Langone,

    The setting you are looking for is in the EntraID > Device > Device Settings section.

    This setting determines whether the Microsoft Entra user registering their device as Microsoft Entra join is added to the local administrators group. This setting applies only once, during the actual registration of the device as Microsoft Entra join.

    With Local user group membership policies in Endpoint Protection (Intune) you can manage the users that are members of the built-in local groups on devices that run Windows 10 20H2 and later, and Windows 11 devices.


    Best regards,

    Aleksandr


    If the response is helpful, please click "Accept Answer" and upvote it.


  2. ZhoumingDuan-MSFT 12,410 Reputation points Microsoft Vendor
    2024-08-15T02:50:45.6933333+00:00

    @Michael J. Langone, thanks for posting in Q&A.

    From your description, I know you want to manage all local administrators and users on devices.

    Based on my research, if you want to manage local admin passwords, you can configure LAPS policy.

    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-microsoft-intune-for-local-administrator-password/ba-p/3805943

    As for removing admin rights, you can refer to the method @Aleksandr Kolesnikov mentioned.

    Hope the above information can help you.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Michael J. Langone 0 Reputation points
    2024-08-20T17:23:54.0566667+00:00

    Hello @ZhoumingDuan-MSFT and @Aleksandr Kolesnikov,

    I set up a local user/admin called thtestadmin.

    I created the policy to remove it manually from users.

    The policy returned with 'success'.

    The user is still listed in comp mgmt.

    Can this be done in mggraph? I tried but got errors.

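To confirm on the device itself whether a local user group membership policy changed the Administrators group, independent of the status Intune reports, the following PowerShell is an added example and is not part of the thread. It assumes Windows PowerShell 5.1 on the managed device; the function name `Get-LocalAdminMember` is hypothetical, and `thtestadmin` is the test account named in the post above.

```powershell
# Added example (not from the thread): list the actual members of the
# built-in Administrators group on this device via the ADSI WinNT provider.
function Get-LocalAdminMember {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. Resolving
    # it avoids hard-coding a group name that differs on localized Windows.
    $adminSid  = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')
    $groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

    foreach ($raw in @($group.psbase.Invoke('Members'))) {
        $entry     = [ADSI]$raw
        $path      = [string]$entry.InvokeGet('ADsPath')
        $memberSid = [System.Security.Principal.SecurityIdentifier]::new(
            [byte[]]$entry.InvokeGet('objectSid'), 0).Value

        # S-1-12-1-* SIDs belong to Microsoft Entra ID objects. Anything whose
        # ADSI path contains this computer's name is a local account.
        if ($memberSid -like 'S-1-12-1-*') {
            $source = 'EntraID'
        } elseif ($path -like "*/$env:COMPUTERNAME/*") {
            $source = 'Local'
        } else {
            $source = 'Other'
        }

        [pscustomobject]@{
            Name   = $path -replace '^WinNT://', ''
            SID    = $memberSid
            Source = $source
        }
    }
}

# Account to verify: the test account named in the thread; change as needed.
$target  = 'thtestadmin'
$members = @(Get-LocalAdminMember)
$members | Format-Table -AutoSize

if ($members | Where-Object { $_.Name -like "*/$target" }) {
    Write-Warning "$target is still a member of the local Administrators group"
} else {
    Write-Output "$target is not a member of the local Administrators group"
}
```

The check covers group membership only; an account removed from Administrators still exists as a local user unless it is deleted separately.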

