In this guide, I’ll show you how to remove users from the local administrator group using group policy.
I’ll also show you how to add users or groups into the local administrator group.
By using group policy you can gain control over admin rights and ensure no unwanted account is added into the local administrator group.
What you will learn in this guide:
- How to Remove users from local administrators group via GPO
- Test the Group Policy
- Excluding Computers from the GPO Policy (Allow certain users to keep admin rights)
Why Local Administrator Rights is a Huge Security Risk
You do not want your users to log into computers and perform daily work with administrator rights. Exploiting administrator rights is a primary method attackers use to spread and gain control of systems inside and organization.
Scenario 1: A user is logged in to their computer with administrator rights, this person is fooled into opening an email that contains a malicious attachment. This attachment contains executable code and is executed on the computer. Because the user is logged in with administrator rights this malicious code has full rights to the computer, it could install a keylogger, sniffer, run ransomware and encrypt all the files, install remote control software, and so on. Not good.
Scenario 2: Someone..maybe a helpdesk tech created a local user on multiple computers with the same password and added it to the local administrator group. If an attacker cracked this password the attacker then has administrator access to all the machines that this account is created on. The attacker could then move laterally from system to system dropping malicious files, stealing data, and so on.
Both scenarios can be mitigated by getting control of your local admin groups. Now… Let’s move on to the tutorial.
How to Remove users From The local admin group with group policy
First, let’s check a computer and see what accounts are in the local administrator group. This can easily be done by using the following PowerShell command.
You can see in the screenshot there are several local and domain users in the administrator group.
This is bad.
Using group policy I can not only remove these accounts but I can control what user accounts or groups are members of this group. If someone tried to manually add a user to this group the group policy would override it.
I like to put all computers in an organizational unit, this makes it easy to apply group policies to computer accounts.
Step 1. Right-click the organizational unit where you want to the GPO applied and select “Create a GPO in this domain, and link it here”
Step 2. Name the GPO and click OK
Now you need to edit the GPO.
Step 3. Right-click the GPO and click edit
Step 4. Browse to the following GPO settings
Computer Configuration -> Preferences -> Control Panel Settings -> Local users and Groups
Now right-click in the right side window and select new -> Local Group
Group name: Administrators (built-in)
Delete all member users: Yes
Delete all member groups: Yes
Members: Click add and select the members you want to be added to the local administrator group. You probably want to keep the local administrator account and domain admins group as local admins… but that is totally up to you.
Screenshot of my settings
The above settings will both delete all users and groups and then add the users specified in the members box. This will clean up all unwanted accounts and add only the accounts you want in the local administrator group.
Test the Group Policy
Now that the GPO is created and linked to an organizational unit lets test it.
On PC1 I will run the following command to force a group policy update.
Once the command completes I’ll check the group membership again.
You can see from the screenshot that the unwanted accounts have been removed from the administrator group. The GPO removed the robert.allen account, admin2, and the fig account from the group. It then added the domain admins group, the IT_Wrk_Admin group, and the local administrator account.
Any computer you apply this policy to will get these exact settings. If you choose to delete all member user and group accounts it will indeed remove those accounts from the local administrators group. I recommend you test this before rolling it out into production.
Exclude Computers from the GPO Policy
If you need to exclude a computer from this policy follow these steps:
Tip: There are many poorly coded programs out there that don’t run without giving users admin rights. If you can avoid these programs please do so. It’s ridiculous that there are still companies selling software that cannot run with admin rights…again try to avoid these programs. If you can’t then look into privilege escalation programs like BeyondTrust and PolicyPak. These programs allow you to configure programs to run without giving the user administrator rights.
Step 1. Create a new active directory group. Name it whatever you want.
Step 2. Add the computer account that you want to exclude into this group.
Step 3. In the group policy management console, select the GPO you created and select the delegation tab.
Now click the advanced tab
Click add and select the group you just created.
Now make sure this group has only these permissions:
Apply group policy: Deny
This will deny any member of this group from applying the GPO. This is a very simple approach to excluding computers from applying this GPO. It also makes it easy to manage, if you want to know who is excluded from a GPO you can just check the members of the AD group.
Now, I’ll verify the computer is excluded by using the gpresult command.
To see all the GPOs applied to a computer and user type this command.
You will need to be an administrator on the computer to get the computer results.
You can see the GPO “GPO Computer – Local Admin Group members” is applied to this computer. I will reboot the computer and run the command again. Once I reboot I should no longer see that GPO being applied to this computer because it’s being denied from applying.
I will run gpresult /r again
You can see the GPO is no longer applied to this computer.
Tip: You should first do an audit of user rights and understand why they have admin rights. You don’t want to enable this policy on all computers without first testing and understanding its impact. Unfortunately, there are programs that still need elevated rights, and applying this policy could break and prevent programs from running.
When I rolled this policy out I first ran a report of all users that had admin rights. I then reviewed the rights with staff to better understand why the users permissions, most of it was due to old programs that needed elevated rights. This was then discussed by upper management and approved before moving forward. Test, Test, and Test before rolling this out to production systems.
If you have any questions post them in the comment section below.