Company logoHelp Center
Visit www.threatlocker.com

Elevation Control Module

4 min. readlast update: 12.03.2024

Elevation Control Module

The ThreatLocker Elevation Control module is where users with Elevation Control enabled can manage the local Windows and MacOS administrators on all endpoints with ThreatLocker installed. There are two distinct methods to manage local administrators, allowing the flexibility to choose the method that suits your business needs.

Method one will be available with Windows Agent 8.8 and Mac Agent 3.0

The first method, Remove Selected, will show all local administrators on your endpoints.

Along with the Computer Name, the main grid includes columns for User Name and Last Login.

To remove any one user from the local Administrator group, select that row and select the 'trash can' icon. 

To remove several users from the local Administrator group, select multiple rows and select the red 'Remove X Users from the local Administrator group' button. 

Please Note:

  • The built-in Administrator account will not be removed
  • Domain Administrators will not be removed from the local Administrator group. 

 

The second method works with the logic "Remove All Except."

On this page, create a list of permitted administrators by adding them to the exclusions list. ThreatLocker will then check for members of the local Administrator group on every endpoint. Any users and groups in the local Administrator group who are not listed in the exclusions will be removed from the group, returning them to standard user privileges.

This setting will not DELETE local administrators. Rather, on Windows, it removes users and groups from the local Administrator group on any specified endpoint. For MacOS, it removes users' ability to administer the computer.

Please Note: To prevent login issues, Windows users that are not a member of another login group will have an account created in the local login group.

 

Before Enabling Remove All Except: 

Timothy Two is a local administrator

After enabling Remove All Except:

After deploying policies, Timothy Two is now a standard local user

This setting is off by default.

 

Permissions/Products required for Manage Local Administrator Settings

To use this setting:

  • Add the 'Manage Local Admin Settings' permission 
  • The Elevation product must be enabled on an organizational level
  • Windows endpoints must be running agent version 8.7.1 or later
  • MacOS endpoints must be running agent 2.8 or later

 

Initial Setup

To configure this setting:

  1. Navigate to the Elevation Control Module
  2. Choose the method by which to remove the elevated privileges throughout your environment
  3. The default landing page is 'Remove Selected'.
    1. From here, review all local administrators in your environment.
    2. Using the 'trash can' icon, remove any users from the local Administrator group.
    3. Click the 'Deploy Policies' button to apply these changes to the endpoints.
  4. To create policies that prevent new local administrator users, navigate to the 'Remove All Except' tab in the upper right corner.
  5. In the upper left, select 'New Exception'
    1. Choose the "Applies To" location for your permitted local administrator.
    2. Enable the setting.
    3. Add the name, or names, of approved local administrators or groups.
    4. Select 'Create'. The new exception will populate on the main grid. 
    5. Deploy Policies. At that point, all members of the local Administrators group who are not listed under exclusions will be removed and users will be returned to standard user permissions.

Note: Once Enabled and Saved, users will be removed from the local Administrator group after Deploy Policies is pressed, or after the next full Agent check in.

 

Edit or Stop Removing Local Administrators

  • To stop removing ALL local administrators with exclusions, disable the setting at all levels, save, and deploy policies. 
  • To permit a new local administrator, add them to the Exclusions list, Enable the setting, and save. After the next full check in, the user can be added to the local Administrator group.

 

Exceptions to this setting

This setting will not remove the following:

  • The primary/first administrator created on a Windows machine. Windows does not allow this administrator to be removed. 
  • System users (Unix-style users) will not be removed on Mac endpoints.

 

Frequency of Local Administrator Removal

  • When policies are deployed. 
  • Once every sixty minutes. This hour is determined by when the service was last started/restarted.
  • On Windows, if a user is newly added to the local Administrator group, ThreatLocker will verify that this is an approved local administrator. If it is not, the user will be removed from the local Administrator group.
Was this article helpful?