Elevation Control Module

Last update: 11.07.2024


The ThreatLocker Elevation Control module is where organizations with Elevation Control enabled manage the local Windows and macOS administrators on every endpoint with ThreatLocker installed. There are two distinct methods of managing local administrators, so you can choose the one that suits your business needs.

Method one will be available with Windows Agent 8.8 and Mac Agent 3.0.

The first method, Remove Selected, shows all local administrators on your endpoints.

Along with the Computer Name, the main grid shows the User Name and Last Login of each local administrator.

To remove a single user from the local Administrators group, select that row and click the 'trash can' icon.

To remove several users from the local Administrators group, select multiple rows and click the red 'Remove X Users from the Local Administrator group' button.

Please Note:

  • The built-in Administrator account will not be removed.
  • Domain Administrators will not be removed from the local Administrators group.

 

The second method works with the logic "Remove All Except."

On this page, create the list of permitted administrators by adding them to the exclusions list. ThreatLocker then checks the membership of the local Administrators group on every endpoint. Any user in the local Administrators group who is not on the exclusions list is removed from the group and returned to standard user privileges.

This setting does not DELETE local administrators. On Windows, it removes the users from the local Administrators group on the specified endpoints. On macOS, it removes the users' ability to administer the computer.

Please Note: To prevent login issues, a Windows user who is not a member of any other login group will be added to the local login group so the account can still sign in.

 

Before Enabling Remove All Except: 

Timothy Two is a local administrator

After enabling Remove All Except:

After deploying policies, Timothy Two is now a standard local user

This setting is off by default.
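To verify or reproduce the Remove All Except behaviour outside the portal (for example, to audit a single endpoint before deploying policies), the following PowerShell is an added example written for this page. It is not ThreatLocker's agent code and calls no ThreatLocker API; it only applies the same carve-outs the article describes: the built-in Administrator is kept, domain and other non-local principals are kept, everyone else is removed from the local Administrators group but kept in a login group. The function name, the sample exclusions entry `helpdesk-local` and the choice of `Users` as the login group are assumptions.

```powershell
# Added example, not ThreatLocker's agent code: replicate the "Remove All Except" logic on
# one Windows endpoint so it can be audited (or enforced) independently.
# Run from an elevated Windows PowerShell 5.1 session; Microsoft.PowerShell.LocalAccounts is built in.
function Invoke-RemoveAllExcept {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Permitted local administrators by account name (hypothetical exclusions list).
        [string[]]$AllowedAdmins = @('helpdesk-local'),
        # Group a demoted user must remain in so the account can still sign in (assumed: Users).
        [string]$LoginGroup = 'Users'
    )

    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        $account   = ($m.Name -split '\\')[-1]            # drop the COMPUTER\ or DOMAIN\ prefix
        $isBuiltIn = $m.SID.Value -like 'S-1-5-21-*-500'  # RID 500 is the built-in Administrator
        $isLocal   = $m.PrincipalSource -eq 'Local'       # AD / Entra ID / MSA principals are not local
        $isAllowed = $AllowedAdmins -contains $account

        if ($isBuiltIn) {
            [pscustomobject]@{ Member = $m.Name; Action = 'Keep'; Reason = 'built-in Administrator' }
        }
        elseif (-not $isLocal -or $m.ObjectClass -eq 'Group') {
            [pscustomobject]@{ Member = $m.Name; Action = 'Keep'; Reason = "not a local user ($($m.PrincipalSource) $($m.ObjectClass))" }
        }
        elseif ($isAllowed) {
            [pscustomobject]@{ Member = $m.Name; Action = 'Keep'; Reason = 'on the exclusions list' }
        }
        elseif ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators group')) {
            # Group membership only; the account itself is not deleted.
            Remove-LocalGroupMember -Group 'Administrators' -Member $m

            # Keep the user able to log on as a standard user.
            $inLoginGroup = Get-LocalGroupMember -Group $LoginGroup -ErrorAction SilentlyContinue |
                            Where-Object { $_.SID -eq $m.SID }
            if (-not $inLoginGroup) { Add-LocalGroupMember -Group $LoginGroup -Member $m }

            [pscustomobject]@{ Member = $m.Name; Action = 'Removed'; Reason = 'not on the exclusions list' }
        }
    }
}

# Dry run first: -WhatIf reports what would be removed without changing anything.
Invoke-RemoveAllExcept -WhatIf
# Then enforce with the real exclusions list:
# Invoke-RemoveAllExcept -AllowedAdmins 'helpdesk-local', 'it-break-glass'
```

Two caveats match the article's own warnings: with an empty `-AllowedAdmins` list every local user is demoted, so always dry-run first, and nothing here deletes accounts, it only changes group membership. `Get-LocalGroupMember` is also known to fail on groups that contain orphaned SIDs from deleted domain accounts; if it errors, inspect the group with `net localgroup Administrators` and clean up the stale entries before running the function.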

 

Permissions/Products required for Manage Local Administrator Settings

To use this setting:

  • The 'Manage Local Admin Settings' permission must be added to your account
  • The Elevation product must be enabled at the organizational level
  • Windows endpoints must be running agent version 8.7.1 or later
  • macOS endpoints must be running agent version 2.8 or later

 

Initial Setup

To configure this setting:

  1. Navigate to the Elevation Control Module.
  2. Choose the method by which elevated privileges will be removed throughout your environment.
  3. The default landing page is 'Remove Selected'.
    1. From here, review all local administrators in your environment.
    2. Using the 'trash can' icon, remove any user from the local Administrators group.
    3. Click the 'Deploy Policies' button to apply these changes to the endpoints.
  4. To create policies that keep unapproved users from remaining local administrators, navigate to the 'Remove All Except' tab in the upper right corner.
  5. In the upper left, select 'New Exception'.
    1. Choose the "Applies To" location for your permitted local administrator.
    2. Enable the setting.
    3. Add the name, or names, of the approved local administrators.
    4. Select 'Create'. The new exception appears on the main grid.
    5. Deploy Policies. At that point, all members of the local Administrators group who are not listed under exclusions are removed and returned to standard user permissions.

Caution: If NO local Administrators are listed and this setting is enabled, ALL current local Administrators will be removed. 

Note: Once Enabled and Saved, this will not immediately begin removing local Administrators from your endpoints. Policies must be deployed for this setting to begin removing administrators from the local Administrators group.

 

Edit or Stop Removing Local Administrators

  • To stop enforcing Remove All Except, disable the setting at all levels, save, and deploy policies.
  • To permit a new local administrator, add them to the enabled setting, save, and deploy policies.

 

Exceptions to this setting

This setting will not remove the following:

  • The built-in (primary/first) Administrator account on a Windows machine. Windows does not allow this account to be removed from the Administrators group.
  • System users (Unix-style users) on macOS endpoints.

 

Frequency of Local Administrator Removal

  • When policies are deployed.
  • Once every sixty minutes. The hour is counted from when the ThreatLocker service was last started or restarted.
  • On Windows, whenever a user is newly added to the Administrators group, ThreatLocker verifies that the user is an approved local administrator. If not, the user is removed from the local Administrators group.

Exception Processing Order

Exceptions are processed in reverse hierarchical order, starting with the exceptions closest to the target computer, as follows:

  • Computer
  • ComputerGroup
  • Organization
  • Global-Group for the computer's organization
  • Global for the computer's organization
  • Global-Group for the computer's parent organization
  • Global for the computer's parent organization

 
