Staying on top of your admin accounts is no easy feat.
Using the Feature
- Navigate to the Inventory page, select an endpoint, and click the Local Admins item in the left-hand menu to get a bird's-eye view of all administrator accounts on that endpoint (now illustrated as a card for each account):
- Each account card indicates the type of admin account by its name and icon:
- AzureAD account – cloud icon
- Domain account – computer network icon
- Built-in Windows Administrator account – computer icon
- Local admin account – person with shield icon
- For every endpoint that has Admin By Request 7.3 installed (and from which the account can be removed; more on this further down), the Clean Up Local Admins feature is available, indicated by an orange Revoke Rights button in the top-right corner of the account card.
- Identify the accounts you want to clean up based on their name and type (dead accounts may be indicated by a long number in place of a recognizable name). Simply click the button for every admin account you want to remove.
- When selected, the button changes from Revoke Rights to Cancel Revoke, and the orange fill becomes an orange outline. If you revoke an account by mistake, you can undo the action by clicking the button again:
- Once an admin account is revoked, it is moved to a new section on the same page called Restore Revoked Local Administrators. It remains here for two weeks after revocation, during which time you can select the Restore Rights button in the top-right corner:
- As account removals are issued, the details are listed in the Events section of the Local Admins page, including the time of the event, the action undertaken (e.g., 'X account removed'), the account the action was taken on, and the name of the user who initiated the action:
- After selecting Revoke Rights, the action is completed within four hours on the endpoint – an event which is also displayed in the Events table when it completes.
- There are safeguards built into the feature to ensure you cannot remove certain accounts whose removal would prevent you from logging in to your endpoints. These accounts include Active Directory\Domain Administrators, AzureAD\Device Administrators, AzureAD\Company Administrators, and the built-in Windows Administrator account.
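The portal shows what it has inventoried; a practitioner will also want to confirm on the endpoint itself, for example that a revoked account is really gone once the four-hour window has elapsed, or that the "long number" entries on the cards are unresolvable SIDs in the local Administrators group. The following is an added example, not Admin By Request code; it assumes Windows PowerShell 5.1 or later on Windows 10 / Server 2016 or later, run elevated, and the account name used at the end is a placeholder.

```powershell
# Added example (not Admin By Request code): audit the endpoint's local
# Administrators group so it can be cross-checked against the portal cards.

function Get-LocalAdminAudit {
    [CmdletBinding()]
    param([string]$GroupName = 'Administrators')

    # An unresolved SID shows up as the bare SID string instead of a name.
    $sidPattern = '^S-1-5-\d+(-\d+)+$'
    try {
        # PrincipalSource (Local, ActiveDirectory, AzureAD, MicrosoftAccount)
        # maps roughly onto the account types the portal cards distinguish.
        $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
        foreach ($m in $members) {
            [pscustomobject]@{
                Name     = $m.Name
                Source   = [string]$m.PrincipalSource
                Class    = $m.ObjectClass
                Orphaned = ($m.Name -match $sidPattern)
            }
        }
    }
    catch {
        # Get-LocalGroupMember can fail outright when the group contains an
        # unresolvable SID; fall back to the WinNT ADSI provider, which simply
        # reports the raw SID as the member name.
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
        foreach ($m in $group.psbase.Invoke('Members')) {
            $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
            $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
            [pscustomobject]@{
                Name     = $name
                Source   = $path
                Class    = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
                Orphaned = ($name -match $sidPattern)
            }
        }
    }
}

# Entries that are only a SID are the "long numbers" the portal shows.
Get-LocalAdminAudit | Where-Object Orphaned | Format-Table -AutoSize

# After the four-hour window, confirm a revoked account has actually left the group.
$revoked = 'DOMAIN\revoked-account'   # placeholder, not a real account
if (Get-LocalAdminAudit | Where-Object Name -eq $revoked) {
    Write-Warning "$revoked is still a member of the local Administrators group"
}
```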
Access via Reports Page
Removing Accounts from Reports:
- Navigate to Reports > Endpoint Reports > Local Admins, and make sure you are in the Local Admins tab. Here you get your administrator view in list form. This list groups all admin accounts of the same type together, with the number of accounts shown in the Occurrences column:
- As with the admin account cards shown in Inventory, these accounts are also classed by name and icon, and only those with version 7.3 installed have the Remove button available (in the right-hand column of the table).
- Locate rogue accounts and remove them by selecting the Remove button. Again, dead or rogue accounts are often indicated by a long number instead of a name (and there will often be only one of them, as listed in the Occurrences column).
Restoring Accounts from Reports:
- On the Local Admins page (Reports > User Reports > Local Admins), locate and click the Restore Rights tab at the top of the page:
- Use the drop-down menu next to Show revokes since to view the appropriate groups:
- The list on the page displays the removed groups of local admins. Locate the group whose Remove action you want to reverse, and click the Undo button in the right-hand Action column.
- The group's local admin rights are returned, and it appears again in the list under the Local Admins tab.