Remove all Local Admins!!

A while ago I posted a LinkedIn message asking about the differences between a normal Azure AD join and the famous Autopilot function.

Of course I know the differences... but I wanted to start a conversation, because I think you can get most of the benefits of Autopilot with a regular Azure AD join as well.

To start with one of the benefits: removing the local admin. This is certainly something you have to make sure is done.

With Autopilot, the user is never a local admin (unless you know the Shift + F10 trick to just create a local admin). You can do the same with a regular Azure AD join.

Step 1: First you need to know how to create an .intunewin installer. I am not going to show you how to do it :). Just google it.

Step 2: Make sure you set up your own local admin user with the Intune CSP.

Step 3: You need to write a PowerShell script that removes the admins from the Administrators group. Be careful with the "AzureAD/*" users: the script below skips them instead of removing them. Beware of the @' at the beginning and the '@ at the end (a single-quoted here-string, so "$username" and "$env:COMPUTERNAME" are written literally and only expanded when the saved script runs). Also make sure your own cspadmin is always added to the Administrators group.

——————————————————————————————————————–

$content = @'
# Enumerate the Administrators group through ADSI (WinNT provider); each AdsPath looks like WinNT://DOMAIN/name
$administrators = @( ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') | % { $_.GetType().InvokeMember('AdsPath','GetProperty',$null,$_,$null) } ) -match '^WinNT'
$administrators = $administrators -replace "WinNT://",""
foreach($administrator in $administrators) {
    # Keep the built-in Administrator, every AzureAD account and the deltacom account; remove everything else
    if ($administrator -like "$env:COMPUTERNAME/administrator" -or $administrator -like "AzureAd/*" -or $administrator -like "$env:COMPUTERNAME/deltacom") { continue; }
    # Remove-LocalGroupMember expects DOMAIN\name, so turn the ADSI forward slash into a backslash
    Remove-LocalGroupMember -Group "Administrators" -Member ($administrator -replace '/', '\')
}
# Second pass with net localgroup; the regex skips the localized "command completed" footer (Dutch here, adjust for your system language) and the accounts to keep
$remove = net localgroup administrators | select -skip 6 | ? {$_ -and $_ -notmatch 'De opdracht is voltooid.|^deltacom$|^administrator$|^admin$'}
foreach ($user in $remove) {
    net localgroup administrators "$user" /delete
}
# Always make sure the CSP-created admin ends up in the group again
$username = "cspadmin"
if ($(Get-LocalGroupMember -Group "Administrators").Name -notcontains "$env:ComputerName\$username") {
    Add-LocalGroupMember -Group "Administrators" -Member $username
}
get-localuser | Set-localUser -PasswordNeverExpires:$True
'@

——————————————————————————————————————–
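Before the removal script is pushed to every device, it helps to see which members it would actually touch. The script below is an added example, not the post's own code: it enumerates the group the same way as Step 3, normalises the WinNT://DOMAIN/name paths to DOMAIN\name, compares every member against an allow-list, prints a report and only removes members when -Remove is passed. The allow-list entries (Administrator and cspadmin) are assumptions standing in for your own accounts; the AzureAD\* entries and the S-1-12-1-* SIDs that an Azure AD join puts in the group are kept when -KeepAzureAdMembers is given, matching what the original script does.

```powershell
# Added example (not the original post's code): dry-run audit of the local
# Administrators group against an explicit allow-list. Nothing is removed
# unless -Remove is given, so run it first to see what the Step 3 script would do.
# Assumptions: the default allow-list names (Administrator, cspadmin) are
# placeholders for the built-in account and your CSP-created admin.
[CmdletBinding()]
param(
    [string[]]$AllowList = @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\cspadmin"),
    [switch]$KeepAzureAdMembers,   # keep AzureAD\* entries and Azure AD role SIDs (S-1-12-1-*)
    [switch]$Remove
)

# Enumerate via ADSI (WinNT provider) so unresolvable SIDs are listed too.
# AdsPath has the form WinNT://DOMAIN/name (or WinNT://S-1-12-1-... for a bare SID).
$group   = [ADSI]"WinNT://./Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
}) -match '^WinNT://'

$report = foreach ($adsPath in $members) {
    # Normalise to the DOMAIN\name form the *-LocalGroupMember cmdlets expect
    $name      = ($adsPath -replace '^WinNT://', '') -replace '/', '\'
    $isAzureAd = ($name -like 'AzureAD\*') -or ($name -match '^S-1-12-1-')
    $keep      = ($AllowList -contains $name) -or ($KeepAzureAdMembers -and $isAzureAd)
    [pscustomobject]@{ Member = $name; AzureAD = $isAzureAd; Keep = $keep }
}

# Report first, so the dry run shows exactly which rows would be removed
$report | Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in ($report | Where-Object { -not $_.Keep })) {
        try {
            # -Member accepts a name or a SID string, so bare S-1-12-1-* entries work too
            Remove-LocalGroupMember -Group 'Administrators' -Member $entry.Member -ErrorAction Stop
            Write-Host "Removed $($entry.Member)"
        } catch {
            Write-Warning "Could not remove $($entry.Member): $($_.Exception.Message)"
        }
    }
}
```

Run it without switches from an elevated prompt to get the report only; add -KeepAzureAdMembers -Remove to reproduce the Step 3 behaviour with an allow-list you control instead of hard-coded names.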

Step 4: Take the here-string content, create a folder and write it to a file on the device.

——————————————————————————————————————–

$path = Join-Path $env:ProgramData CustomScripts
if (!(Test-Path $path))
{
    New-Item -Path $path -ItemType Directory -Force -Confirm:$false | Out-Null
}
# Write the here-string from step 3 to disk; the scheduled task in step 5 points at this path
Out-File -FilePath (Join-Path $path removeadmin.ps1) -Encoding unicode -Force -InputObject $content -Confirm:$false

——————————————————————————————————————–

Step 5: Okay? We have a PowerShell script on the local device... so why don't we just create a scheduled task that launches this script every time a user logs in? Of course with SYSTEM privileges.

——————————————————————————————————————–

$Time = New-ScheduledTaskTrigger -AtLogOn
$User = "SYSTEM"
# The inner quotes are escaped with a backtick so the script path is passed as one argument
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\ProgramData\CustomScripts\removeadmin.ps1`""
Register-ScheduledTask -TaskName "RemoveAdmin" -Trigger $Time -User $User -Action $Action -Force
Start-ScheduledTask -TaskName "RemoveAdmin"

——————————————————————————————————————–

Step 6: Just put these pieces together, create an .intunewin app and make sure you put this app in the list of apps that are required before the user logs in for the first time. You can do this on the ESP (Enrollment Status Page) in Intune.
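A Win32 app in Intune also needs a detection rule, otherwise the install runs again on every check-in or the ESP never sees the app as installed. The script below is an added example and not part of the original post: it is a custom detection script that checks the pieces Steps 4 and 5 leave on the device. Intune marks the app as installed only when the script exits with 0 and writes something to STDOUT; the path and task name are taken from the post's own scripts.

```powershell
# Added example, not the original post's code: custom detection script for the
# Win32 (.intunewin) app from Step 6. "Installed" = exit code 0 AND output on
# STDOUT; exit 1 with nothing on STDOUT means "not installed". The path and the
# task name match the post's Step 4 and Step 5 scripts.
$scriptPath = Join-Path $env:ProgramData 'CustomScripts\removeadmin.ps1'
$taskName   = 'RemoveAdmin'

$problems = @()

if (-not (Test-Path -Path $scriptPath -PathType Leaf)) {
    $problems += "missing $scriptPath"
}

$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($null -eq $task) {
    $problems += "scheduled task $taskName is not registered"
} else {
    # The task must run as SYSTEM, must be enabled and must point at the script checked above
    if ($task.Principal.UserId -ne 'SYSTEM') {
        $problems += "task runs as '$($task.Principal.UserId)' instead of SYSTEM"
    }
    if ($task.State -eq 'Disabled') {
        $problems += "task is disabled"
    }
    $arguments = @($task.Actions | ForEach-Object { $_.Arguments }) -join ' '
    if ($arguments -notlike '*removeadmin.ps1*') {
        $problems += "task action does not reference removeadmin.ps1"
    }
}

if ($problems.Count -eq 0) {
    # Detected: something on STDOUT plus exit code 0
    Write-Output "RemoveAdmin scheduled task and script are present"
    exit 0
}

# Not detected: explain on STDERR only, keep STDOUT empty, and return a non-zero code
[Console]::Error.WriteLine(($problems -join '; '))
exit 1
```

Upload this as the detection rule of the Win32 app (Rules format: "Use a custom detection script"). Because it checks the principal and the action of the task, a device where someone re-registered RemoveAdmin under another account or pointed it at a different file shows up as "not installed" and gets the install command again.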

Conclusion:

Of course, it's not the nicest method... But hey.. it works? The user is not an admin, so he can't see this scheduled task, nor can he change or remove the custom scripts file/folder... Job done... So your AppLocker config also works the moment a user joins his device to Azure AD.
