Audit Local Administrator Accounts

When should you use the Audit Local Administrator Accounts Worklet?

This PowerShell Worklet lets you check devices for local administrator accounts so that you can remove them where local privileges could pose a security risk or are unnecessary. 

Check device for admin accounts with this Worklet

Admins can use this PowerShell script to verify if there are unwanted local administrator accounts on managed endpoints. 

When run, this Worklet will audit a device for all local administrator accounts and list them in the activity log if they exist. Then, you can take any follow-up action needed, like removing local admin accounts.

This Worklet is compatible with Windows 8 / Server 2012 and above.

What is a local administrator account?

A local administrator account is a user account with administrative privileges on a specific device, such as a computer or a server. It has elevated access rights, allowing the user to make changes to system settings, install or uninstall software, modify files and folders, and perform other administrative tasks on that particular device.

Why check devices for local administrator accounts?

There are several instances where it doesn’t make sense for an endpoint to have a local admin account. Here are a few examples:

Security

Having a local administrator account on an end user device can pose security risks. If an unauthorized person gains access to the device or the credentials associated with the local administrator account, they can potentially make unauthorized changes, install malicious software, or access sensitive data. By removing the local administrator account, the IT admin can mitigate these security risks and reduce the attack surface.

Standardization and control

IT admins often strive to maintain standardization and control over the devices in their organization. By removing local administrator accounts, they can enforce uniformity in device configurations and ensure that users do not make unauthorized changes or install unauthorized software that could negatively impact system stability, performance, or security. This approach allows the IT admin to have centralized control over device management and reduces the potential for system instability caused by unregulated user modifications.

Compliance

In certain industries or organizations, compliance regulations or security standards may require restricting administrative access on end user devices. By removing local administrator accounts, IT admins can demonstrate compliance with these requirements and ensure that users are operating within the authorized boundaries of their roles.

Support and troubleshooting

Removing local administrator accounts can help streamline support and troubleshooting processes. When end users do not have administrative privileges, it reduces the likelihood of accidental changes or unauthorized modifications that can lead to system issues. IT admins can provide more targeted support and troubleshooting guidance when they have control over the device configuration and can ensure that changes are made with proper authorization.