Remove all Local Admins!!

In this post I will show you how to make sure that, when you perform an Azure AD join or use Autopilot, there are no additional or unwanted local administrators on the device, using PowerShell.

A while ago I posted a message asking for the differences between a normal Azure AD join and the famous Autopilot function.

Of course I know the differences, but I wanted to start a conversation, because I think most of the benefits of Autopilot can also be achieved with a regular Azure AD join.

Let's start with one of those benefits: removing the local admin. This is something you have to make sure actually happens.

With Autopilot the user is never a local admin (unless you know the Shift + F10 trick during OOBE to just create one). You can get the same result with a regular Azure AD join.

I will show you two options to do this with PowerShell.

Option 1: PowerShell script converted to an IntuneWin app

Step 1:

First, you need to know how to create an IntuneWin installer. I am not going to show you how to do that :). Just google it.

Step 2:

Make sure you create your own local admin user with an Intune CSP (the Accounts CSP can create a local user and add it to a group), so that there is always a managed admin account left on the device after the cleanup.

Step 3:

You need a PowerShell script that removes everyone from the local Administrators group except the accounts you want to keep. Make sure the AzureAD\* members get removed as well. Note the @' that opens the here-string: it is single-quoted, so "$username" and the other variables are not expanded when the script is written to disk but only when the script runs. Also make sure your own cspadmin is always (re)added to the Administrators group.

$content = @'
# Accounts that must stay in the local Administrators group; the CSP-created admin ($username) is re-added at the end
$username = "cspadmin"
$keep = @("administrator", "admin", "deltacom", $username)
$keepPattern = '^(' + (($keep | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
# Pass 1: enumerate the group through the WinNT ADSI provider and remove every local account that is not in $keep
$administrators = @( ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) } ) -match '^WinNT'
$administrators = $administrators -replace "WinNT://", ""
foreach ($administrator in $administrators) {
    $name = ($administrator -split '/')[-1]
    if ($administrator -like "AzureAd/*" -or $keep -contains $name) { continue }   # AzureAD\* members are handled in pass 2
    Remove-LocalGroupMember -Group "Administrators" -Member $name -ErrorAction SilentlyContinue
}
# Pass 2: net localgroup catches the rest, including AzureAD\* members. Skip the 6 header lines; 'De opdracht is voltooid.'
# is the Dutch "The command completed successfully." trailer, change it to match your OS language.
$remove = net localgroup administrators | Select-Object -Skip 6 |
    Where-Object { $_ -and $_ -notmatch 'De opdracht is voltooid.' -and $_ -notmatch $keepPattern }
foreach ($user in $remove) { net localgroup administrators "$user" /delete }
# Make sure the CSP admin is (still) a member, then (as in the original script) set all local accounts to password never expires
if ((Get-LocalGroupMember -Group "Administrators").Name -notcontains "$env:ComputerName\$username") { Add-LocalGroupMember -Group "Administrators" -Member $username }
Get-LocalUser | Set-LocalUser -PasswordNeverExpires:$true
'@

Step 4: Take the content of the here-string, create a folder and write it to a file on the device.

# create custom folder and write the PS script to it (runs as SYSTEM from the Win32 app installer)
$path = Join-Path $env:ProgramData CustomScripts
if (!(Test-Path $path)) {
    New-Item -Path $path -ItemType Directory -Force -Confirm:$false | Out-Null
}
Out-File -FilePath (Join-Path $path myScript.ps1) -Encoding unicode -Force -InputObject $content -Confirm:$false

Step 5: OK, we now have a PowerShell script on the local device, so why not create a scheduled task that launches this script every time a user logs on? Of course with SYSTEM privileges.

# register script as scheduled task
$Time = New-ScheduledTaskTrigger -AtLogOn
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\ProgramData\CustomScripts\myScript.ps1`""
Register-ScheduledTask -TaskName "RemoveAdmin" -Trigger $Time -User $User -Action $Action -Force
Start-ScheduledTask -TaskName "RemoveAdmin"

Step 6: Put these pieces together in one install script, create an IntuneWin app from it and make sure the app is in the list of apps that must be installed before the user logs in for the first time. You configure this on the Enrollment Status Page (ESP) in Intune.
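A Win32 app also needs a detection rule, and the steps above do not give one. The following detection script is an added example, not part of the original post: it reports the app as installed only when the scheduled task exists, runs as SYSTEM, points at the script file, the file is on disk, and the local Administrators group contains nothing but the accounts you allow. Intune treats a custom detection script as "detected" when it exits 0 and writes something to STDOUT. The task name, the script path and the allowed-accounts list (Administrator and cspadmin) are assumptions taken from the steps above; change them to your own names.

```powershell
# Added example, not from the original post: Intune Win32 app detection script for the RemoveAdmin package.
# Detected = exit code 0 AND output on STDOUT. Anything else = not detected (Intune reports the install as failed).
$TaskName   = 'RemoveAdmin'                                            # assumption: task name from step 5
$ScriptPath = Join-Path $env:ProgramData 'CustomScripts\myScript.ps1'  # assumption: path from step 4
$Allowed    = @('Administrator', 'cspadmin')                           # assumption: built-in admin + CSP-created admin

function Get-LocalAdminNames {
    # Enumerate through the WinNT provider, like the install script does. Get-LocalGroupMember can throw on
    # Azure AD joined devices when a member SID no longer resolves; ADSI simply returns the path (the SID string).
    $paths = @(([ADSI]'WinNT://./Administrators').psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) })
    foreach ($p in $paths) { ($p -replace '^WinNT://', '') -split '/' | Select-Object -Last 1 }
}

$problems = New-Object System.Collections.Generic.List[string]

# 1. The scheduled task must exist, run as SYSTEM, be enabled and launch the script we wrote
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $task) {
    $problems.Add("scheduled task '$TaskName' is missing")
} else {
    if ($task.Principal.UserId -notmatch '^((NT AUTHORITY\\)?SYSTEM|S-1-5-18)$') {
        $problems.Add("task runs as '$($task.Principal.UserId)' instead of SYSTEM")
    }
    $arguments = @($task.Actions | ForEach-Object { $_.Arguments }) -join ' '
    if ($arguments -notlike "*$ScriptPath*") { $problems.Add("task action does not launch $ScriptPath") }
    if ($task.State -eq 'Disabled') { $problems.Add("task '$TaskName' is disabled") }
}

# 2. The script file must still be on disk
if (-not (Test-Path -Path $ScriptPath -PathType Leaf)) { $problems.Add("$ScriptPath is missing") }

# 3. Administrators may contain only the allowed accounts; AzureAD\* members and unresolved SIDs count as unexpected
$admins     = @(Get-LocalAdminNames)
$unexpected = @($admins | Where-Object { $Allowed -notcontains $_ })
if ($unexpected.Count -gt 0) { $problems.Add("unexpected local admins: $($unexpected -join ', ')") }
if ($admins -notcontains 'cspadmin')  { $problems.Add("cspadmin is not a member of Administrators") }

if ($problems.Count -eq 0) {
    Write-Output "RemoveAdmin task present and Administrators group is clean"   # STDOUT + exit 0 = detected
    exit 0
}
# Not detected: keep STDOUT empty, report the reasons on the warning stream, exit non-zero
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Detection runs right after the installer finishes, and Start-ScheduledTask only starts the task; if the cleanup has not completed yet, check 3 fails and the app is reported as failed. Either let the install script wait until the task is no longer Running (poll Get-ScheduledTask's State with a short Start-Sleep loop) before it exits, or keep check 3 for a separate proactive remediation script and limit the Win32 detection to checks 1 and 2.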

Option 2: A PowerShell Base64 Encoded Script

This option is really easy. It uses the script from step 3 of the first option, but now Base64 encoded, so you can deploy it as an Intune PowerShell script that registers a scheduled task to run it every minute and at every user logon.

# $content is the here-string from step 3 of option 1. powershell.exe -EncodedCommand expects Base64 of UTF-16LE text.
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($content))
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -EncodedCommand $encoded"
$triggers = @()
# run every minute starting now, and additionally at every logon
$triggers += New-ScheduledTaskTrigger -At (Get-Date) -Once -RepetitionInterval (New-TimeSpan -Minutes 1)
$triggers += New-ScheduledTaskTrigger -AtLogOn
$User = "SYSTEM"
$Null = Register-ScheduledTask -TaskName "Remove Admin" -Trigger $triggers -User $User -Action $Action -Force


Of course it's not the nicest method, but hey, it works. The user is not an admin, so he can't see this scheduled task, nor can he change or remove the custom script files/folder. Job done. So your AppLocker config also works from the moment a user joins his device to Azure AD.
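The claim that a standard user cannot change the script deserves a check rather than trust: the task runs powershell.exe as SYSTEM with -ex bypass from that folder, so if anything a user can write is ever executed from there, you have handed out a privilege escalation instead of taking one away. A subfolder of %ProgramData% inherits, by default, an ACE that lets BUILTIN\Users create new files in it (they still cannot modify or delete a file that SYSTEM created). The following is an added example, not from the original post: it cuts inheritance on the folder, leaves only SYSTEM and Administrators with access, and then verifies that no other identity holds a write-type right on the folder or anything in it. The path is assumed to be the one from step 4; run it as SYSTEM from the same install script, right after the file is written.

```powershell
# Added example, not from the original post: lock down the folder the SYSTEM task executes from.
$Folder = Join-Path $env:ProgramData 'CustomScripts'   # assumption: same path as step 4

function Protect-ScriptFolder {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from C:\ProgramData and do not copy the inherited ACEs; the Users create-file right comes from there
    $acl.SetAccessRuleProtection($true, $false)
    # Drop whatever explicit ACEs the folder already carries
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($rule) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    # Well-known SIDs instead of names, so this also works on non-English Windows
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {   # SYSTEM, BUILTIN\Administrators
        $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-ScriptFolderAcl {
    # Returns one object per Allow ACE that grants a write-type right to anyone other than SYSTEM/Administrators
    param([Parameter(Mandatory)][string]$Path)
    $trusted   = 'S-1-5-18', 'S-1-5-32-544'
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $items = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($trusted -contains $sid) { continue }
            if (($ace.FileSystemRights -band $writeBits) -ne 0) {
                [pscustomobject]@{ Item = $item.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

Protect-ScriptFolder -Path $Folder
$bad = @(Test-ScriptFolderAcl -Path $Folder)
if ($bad.Count -gt 0) {
    $bad | Format-Table -AutoSize | Out-String | Write-Warning
    throw "$Folder is still writable by an untrusted identity"
}
Write-Output "OK: only SYSTEM and Administrators can write to $Folder"
```

Standard users get no access at all, not even read: the task runs as SYSTEM and nothing else needs the file, so least privilege is the simplest choice. Test-ScriptFolderAcl is also usable on its own in a compliance or detection script, where a non-empty result means the folder has drifted.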
