Elevation Control Module

4 min. read. Last update: 12.23.2024


The ThreatLocker Elevation Control module allows users with Elevation Control enabled to manage the local Windows and MacOS administrators on all endpoints with ThreatLocker installed. Two distinct methods are available for managing local administrators, allowing users to choose the method that suits their business needs.

Method one will be available with Windows Agent 8.8 and Mac Agent 3.0.

The first method, Local Administrator Users and Groups, will show all users and groups in the local Administrator group on your endpoints.

Along with the Computer Name, the main grid includes columns for Organization, User Name and Last Login.

To remove any one user from the local Administrator group, select that row and select the 'trash can' icon.

To remove several users from the local Administrator group, select multiple rows and select the red 'Remove X Users from the local Administrator group' button.

Please Note:

  • The built-in Administrator account will not be removed.
  • The domain Administrator group will not be removed from the local Administrator group.


The second method, "Local Administrator Policies," will remove all users from the local Administrator group except for those listed in exclusion policies.

On this page, create a list of permitted administrators by adding them to the exclusions list. ThreatLocker will then check for members of the local Administrator group on every endpoint. Any users and groups in the local Administrator group who are not listed in the exclusions will be removed from the group, returning them to standard user privileges.

This setting will not DELETE local administrators. Rather, on Windows, it removes users and groups from the local Administrator group on any specified endpoint. For MacOS, it removes users' ability to administer the computer.

Please Note: To prevent login issues, Windows users who are not a member of another login group will have an account created in the local login group.


Permissions/Products required for Manage Local Administrator Settings

To use this setting:

  • Add the 'Manage Local Admin Settings' permission.
  • The Elevation product must be enabled on an organizational level.
  • Windows endpoints must be running agent version 8.7.1 or later.
  • MacOS endpoints must be running agent 2.8 or later.


Local Administrator Users and Groups

To configure this setting:

  1. Navigate to the Elevation Control Module
  2. Choose the method by which to remove the elevated privileges throughout your environment
  3. The default landing page is 'Local Administrator Users and Groups'.
    1. From here, review all local administrators in your environment.
    2. Using the 'trash can' icon, remove any users from the local Administrator group.
    3. Changes are applied to the endpoints on the next heartbeat check in.


Local Administrator Policies

  1. To create policies that prevent new local administrator users, navigate to the 'Policies' tab in the upper right corner.
  2. In the upper left, select 'New Policy'
    1. Choose the "Applies To" location for your permitted local administrator.
    2. Enable the setting.
    3. Add the name, or names, of approved local administrators or groups.
    4. Select 'Create'. The new exception will populate on the main grid. 
    5. Deploy Policies. At that point, all members of the local Administrators group who are not listed under exclusions will be removed and users will be returned to standard user permissions.

Please Note: Once Enabled and Saved, users will be removed from the local Administrator group after Deploy Policies is pressed, or after the next full Agent check in.

Please Note: On Windows Agent 9.5 and lower, Exclusions are case-sensitive! Failure to use correct casing will result in users being removed from the local Administrator group.
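Before you press Deploy Policies, it helps to know which members of an endpoint's local Administrators group the exclusions would actually keep. The PowerShell dry-run below is an added example, not ThreatLocker code; it uses the built-in Get-LocalGroupMember cmdlet and mirrors the rules described above (built-in Administrator and the domain Administrator group are kept, exact exclusion matches are kept, case-only matches are flagged because Windows Agent 9.5 and lower would remove them). It only reports and changes nothing. The sample members, their SIDs and the exclusion names are constructed, and treating the domain Administrator group as the RID-512 domain group (Domain Admins) is an assumption.

```powershell
function Test-LocalAdminExclusions {
    param(
        [Parameter(Mandatory)] [string[]] $Exclusions,
        # Defaults to the live local Administrators group; pass constructed objects to dry-run offline.
        [object[]] $Members = (Get-LocalGroupMember -Group 'Administrators')
    )
    foreach ($m in $Members) {
        $sid    = [string]$m.SID
        $short  = ($m.Name -split '\\')[-1]          # name without the DOMAIN\ or COMPUTER\ prefix
        $action = 'REMOVE'; $reason = 'not listed in exclusions'

        if ($sid -like '*-500') {
            # Built-in Administrator (RID 500) is never removed by the setting.
            $action = 'KEEP'; $reason = 'built-in Administrator'
        } elseif ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory' -and $sid -like '*-512') {
            # Assumption: the article's "domain Administrator group" is the RID-512 domain group.
            $action = 'KEEP'; $reason = 'domain Administrator group'
        } elseif (($Exclusions -ccontains $m.Name) -or ($Exclusions -ccontains $short)) {
            $action = 'KEEP'; $reason = 'exact (case-sensitive) match in exclusions'
        } elseif (($Exclusions -contains $m.Name) -or ($Exclusions -contains $short)) {
            # Casing differs: fine on newer agents, removed on Windows Agent 9.5 and lower.
            $action = 'WARN'; $reason = 'matches exclusions only case-insensitively; fix casing'
        }
        [pscustomobject]@{ Member = $m.Name; Class = $m.ObjectClass; Action = $action; Reason = $reason }
    }
}

# Constructed sample members (placeholder SIDs) so the check runs without touching a real group.
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';     ObjectClass = 'User';  PrincipalSource = 'Local';           SID = 'S-1-5-21-1-2-3-500' }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins';  ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory'; SID = 'S-1-5-21-4-5-6-512' }
    [pscustomobject]@{ Name = 'CONTOSO\HelpDesk';       ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory'; SID = 'S-1-5-21-4-5-6-1105' }
    [pscustomobject]@{ Name = 'PC01\lapsadmin';         ObjectClass = 'User';  PrincipalSource = 'Local';           SID = 'S-1-5-21-1-2-3-1001' }
    [pscustomobject]@{ Name = 'PC01\jsmith';            ObjectClass = 'User';  PrincipalSource = 'Local';           SID = 'S-1-5-21-1-2-3-1002' }
)

# Exclusions as you would enter them in the policy; 'LapsAdmin' deliberately differs in case from the account.
Test-LocalAdminExclusions -Exclusions @('CONTOSO\HelpDesk', 'LapsAdmin') -Members $sample | Format-Table -AutoSize
```

Run it without -Members on an endpoint to audit the real group; a WARN row is the case mismatch the note above warns about and should be corrected in the policy before deploying.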

Edit or Stop Removing Local Administrators

  • To stop removing ALL local administrators with exclusions, disable the setting at all levels, save, and deploy policies.
  • To permit a new local administrator, add them to a new Policy, Enable the policy, and save. After the next full check in, the user can be added to the local Administrator group on the endpoint.


Exceptions to this setting

This setting will not remove the following:

  • The primary/first administrator created on a Windows machine. Windows does not allow this administrator to be removed.
  • System users (Unix-style users) will not be removed on Mac endpoints.


Frequency of Local Administrator Removal Using Policies

  • When policies are deployed.
  • Once every sixty minutes. The hourly interval is measured from when the service was last started or restarted.
  • On Windows, if a user is newly added to the local Administrator group, ThreatLocker will verify that this is an approved local administrator. If not, the user will be removed from the group.