Boost Security: Master Local Admins with Intune

The ability to find and manage local administrators on Intune-managed devices in essential to ensure effective management and protection of endpoints.

Why is this so crucial? Local administrators wield significant power over their devices, from installing software and changing settings to accessing all files on the system. While this level of access is necessary for certain roles, unchecked local administrator privileges can pose significant security risks. It can open the door to malicious software installations, data breaches, and even lateral movements within a network in the event of a compromise.

This blog post aims to demystify the process of identifying local administrators on devices managed by Intune. Whether you’re an experienced IT professional seeking to tighten your organization’s security posture or a newcomer to Intune looking to understand its capabilities better, you’ll find valuable insights on leveraging Intune to enhance your device management strategy. Join us as we explore the importance of managing local admin rights, step-by-step guides on finding local admins on Intune devices, and best practices for maintaining a secure and efficient IT environment.

Local Admins on Windows devices

Local Administrators on Windows devices play a pivotal role in managing and maintaining the operating system’s integrity and functionality. These privileged accounts are part of the “Administrators” group, a default security group in Windows that provides its members with the ability to execute a wide range of administrative tasks on a local machine. This includes installing and removing software, changing system settings, accessing all files on the system, managing user accounts, and configuring network settings. Essentially, local administrators have the highest level of access rights on a device, short of the System account, which is reserved for the operating system itself.

Being a member of the local Administrators group allows for comprehensive control over a device, making it a target for misuse, both from external threats and potentially disgruntled insiders. For this reason, best practices dictate minimizing the number of users with local administrative privileges to reduce the attack surface and potential for accidental or deliberate system misuse. Moreover, in enterprise environments, it’s common to manage local administrator accounts through centralized policies, often using tools like Group Policy or Microsoft Intune. These tools help enforce security policies, including the principle of least privilege, ensuring users have only the access necessary to perform their job functions.

Additionally, Windows includes a feature known as User Account Control (UAC), which helps mitigate the risks associated with running processes with administrative privileges by requiring approval for actions that could affect the system’s operation or security. Despite this, the power local administrators wield is significant, highlighting the importance of careful management and monitoring of these accounts to maintain security and operational integrity within a Windows environment.

Finding Local admins: The manual way

For those who prefer a hands-on approach to managing IT environments, finding local administrators on Windows devices manually is a straightforward process, though it requires a bit of navigation through the system settings. This manual method offers IT professionals and system administrators a granular level of control and insight into who has administrative privileges on each device.

To begin, one common route involves using the Computer Management console. By right-clicking on ‘This PC’ or ‘My Computer’ and selecting ‘Manage,’ you can navigate to ‘System Tools’ > ‘Local Users and Groups’ > ‘Groups.’ Here, you’ll find the ‘Administrators’ group, which lists all user accounts and security groups with local administrative privileges on the device.

Another manual method is through the Command Prompt or PowerShell, tools that are incredibly powerful for Windows administration. For instance, running the command net localgroup Administrators in Command Prompt will display all the members of the local Administrators group. Similarly, PowerShell offers a more advanced approach with commands like Get-LocalGroupMember -Name Administrators, providing a detailed list of all local admin accounts.

While the manual approach to finding local administrators is effective and provides immediate results, it’s more time-consuming and less scalable for large environments compared to automated tools or management solutions like Microsoft Intune. However, it remains a valuable skill for IT professionals, offering a direct and unfiltered view into the administrative landscape of Windows devices, ensuring that only the necessary personnel have elevated privileges. This hands-on method emphasizes the importance of meticulous management of administrative rights to maintain a secure and efficiently run IT infrastructure.

Finding Local admins: The Intune way

In the modern IT landscape, leveraging Microsoft Intune for managing local administrators on Windows devices represents a blend of efficiency and scalability. Intune allows IT administrators to automate the process of identifying local admin accounts, including Azure AD users who have been granted local administrative privileges. This is particularly useful in environments where devices are managed remotely, ensuring that administrative access remains both secure and compliant with organizational policies. Utilizing a PowerShell detection script within Intune’s proactive remediation scripts, administrators can effortlessly gather and report on local admin memberships across their device fleet.

The script below is designed to be used within Microsoft Intune as a detection-only remediation script. It enumerates all local administrators on a device, differentiating between local accounts and Azure AD accounts that have been granted administrative privileges. This information can then be used to audit local administrator access, ensuring that only authorized users hold such privileges.

# PowerShell Script to Detect Local Administrators and Azure AD Admins on a Windows Device

# Get the local Administrators group members
$localAdmins = Get-LocalGroupMember -Group "Administrators" | Select-Object Name, PrincipalSource

# Initialize an array to hold formatted output
$output = @()

foreach ($admin in $localAdmins) {
    # Check if the account is an Azure AD account
    if ($admin.PrincipalSource -eq "AzureAD") {
        $type = "Azure AD User"
    } else {
        $type = "Local User"
    }
    
    # Format the output
    $output += "Type: $type, Name: $($admin.Name) || "
}

# Return the list of local administrators
Write-Host $output

Find the code on my GitHub page here.

This script starts by fetching all members of the local Administrators group. It then iterates over these members, identifying whether each is a local user or an Azure AD user, and formats this information for easy reading. The output is a string that lists each administrator’s type (Azure AD User or Local User) along with their name. When deployed through Intune, this script can be run on devices across the organization, providing a consistent and automated method to monitor and report on local administrator access.

Let’s deploy this script via Intune Remediations and check the results.

intune

And the results!!!

Implementing this script via Intune not only streamlines the process of managing local administrators but also enhances security by providing visibility into which users have elevated privileges. This approach is invaluable for IT departments aiming to maintain tight control over device administration, especially in larger, distributed environments where manual checks are impractical.

References and documentation:

Check the below posts to find out more interesting relevant topics:

Leave a Reply

Your email address will not be published. Required fields are marked *