Manage Local Administrator Settings

3 min. read | last update: 04.23.2024

ThreatLocker will allow you to manage the local Windows and MacOS Administrators on each endpoint. There are two distinct methods to manage local administrators, allowing the flexibility to choose the method that suits your business needs.

The first method, Remove Selected, shows all local administrators on your endpoints, along with the Organization, Group, or Computer on which they hold rights, and their username.

To remove one user from the local Administrators group, select that row and click the 'trash can' icon.

To remove several users from the local Administrators group, select multiple rows and click the red 'Remove 1 User from the Local Administrator group' button.


The second method works with the logic "Remove all Except": each permitted administrator must be added to the exclusions list. ThreatLocker then checks the membership of the local Administrators group, and any member that is not listed in the exclusions is removed from the group, returning that account to standard user privileges.

This setting will not DELETE local administrators. Rather, on Windows, it removes users from the local Administrators group on any specified endpoint. For MacOS, it removes users' ability to administer the computer.

This setting is off by default.

Permissions/Products required for Manage Local Administrator Settings

To use this setting:

  • Your ThreatLocker portal account must have the 'Manage Local Admin Settings' permission
  • The Elevation product must be enabled on an organizational level
  • Windows endpoints must be running agent version 8.7.1 or later
  • MacOS endpoints must be running agent 2.8 or later


Initial Setup

To configure this setting:

  • Navigate to the Computers page and open the 3-Dash menu in the upper left
  • Select the Manage Local Administrators Settings button

  • Open the View/Edit local Administrator Settings sidebar
  • Set the preferred 'Applies To' location.
    • This determines the scope at which local administrators are limited: the entire organization, specific groups, or individual endpoints
  • Enable the setting. 

Note: Once Enabled and Saved, this will not immediately begin removing local Administrators from your endpoints. Policies must be deployed for this setting to begin removing administrators from the local Administrators group.

  • Under Details, add the local Administrator usernames that should be excluded from removal, then save the setting.
  • Deploy Policies. At that point, local Administrators who are not listed under exclusions will be removed.

Caution: If NO usernames are listed under exclusions and this setting is enabled, ALL current local Administrators at the specified level (other than the exceptions listed below) will be removed once policies are deployed. Make sure at least one account you can still sign in with is in the exclusions list before you deploy.
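Before enabling the setting, it is worth running a dry run on a representative endpoint to see exactly which accounts would lose administrator rights under your planned exclusion list. The following PowerShell is an added example, not ThreatLocker's own code or agent logic: it reads the local Administrators group with the built-in Get-LocalGroupMember cmdlet (Windows PowerShell 5.1 and later on Windows) and applies the "Remove all Except" rule as this article describes it, including the two Windows exceptions listed further down. The $Exclusions list is a hypothetical stand-in for the usernames you would enter under Details, and treating every Active Directory principal as the "Domain Administrators" exception is an assumption made for the dry run.

```powershell
# Added example (not ThreatLocker code): dry-run of the "Remove all Except" logic
# against the local Administrators group on this endpoint.
# $Exclusions is a hypothetical list standing in for the usernames you intend to
# enter under Details in the ThreatLocker portal.
$Exclusions = @('BreakGlassAdmin', 'helpdesk.local')   # hypothetical exclusion list

function Get-LocalAdminRemovalPlan {
    param([string[]]$Exclusions)

    # Get-LocalGroupMember returns Name (COMPUTER\user or DOMAIN\user), SID,
    # PrincipalSource (Local, ActiveDirectory, AzureAD, MicrosoftAccount) and ObjectClass.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        # The portal takes bare usernames, so compare on the part after the backslash.
        # -contains is case-insensitive in PowerShell, matching Windows account names.
        $shortName = ($m.Name -split '\\')[-1]

        if ($m.SID.Value -like '*-500') {
            # Built-in Administrator (RID 500): the article says Windows will not let
            # this account be removed, so it is never in scope.
            $outcome = 'Kept (built-in Administrator)'
        } elseif ($m.PrincipalSource -eq 'ActiveDirectory') {
            # Assumption: domain principals map to the "Domain Administrators"
            # exception in the article and are left as-is.
            $outcome = 'Kept (domain principal)'
        } elseif ($Exclusions -contains $shortName) {
            $outcome = 'Kept (in exclusion list)'
        } else {
            $outcome = 'WOULD BE REMOVED'
        }

        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            Outcome         = $outcome
        }
    }
}

$plan = Get-LocalAdminRemovalPlan -Exclusions $Exclusions
$plan | Format-Table -AutoSize

# Guardrail for the lockout case the article warns about: if no usable local
# administrator would survive, fix the exclusion list before enabling the setting.
$survivors = $plan | Where-Object {
    $_.Outcome -ne 'WOULD BE REMOVED' -and $_.ObjectClass -eq 'User'
}
if (-not $survivors) {
    Write-Warning 'Exclusion list leaves no local administrator on this endpoint; fix it before enabling the setting.'
}
```

Run it in an elevated session on a few endpoints from each group the setting will apply to, or wrap the function in Invoke-Command to collect the plan remotely. Get-LocalGroupMember can fail on groups that contain orphaned SIDs (for example, accounts from a domain the machine has since left); if it does, note those entries separately, since they are exactly the stale memberships this setting is meant to clean up.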


Edit or Stop Removing Local Administrators

  • To stop removing unlisted local administrators altogether, disable the setting and save.
  • To permit a new local administrator, add their username to the exclusions list of the enabled setting and save.
  • Last, Deploy Policies for any changes to be sent to the endpoints


Exceptions to this setting

This setting will not remove the following:

  • The primary/first administrator created on a Windows machine. Windows does not allow this administrator to be removed from the Administrators group.
  • Windows Domain Administrators who are also members of the local Administrators group.
  • System users (Unix-style users) will not be removed on Mac endpoints.


Frequency of Local Administrator Removal

  • When policies are deployed. 
  • Once every sixty minutes, measured from when the ThreatLocker service was last started or restarted.
  • On Windows, if a user is newly added to the Administrators Group, ThreatLocker will verify that this is an approved local Administrator. If it is not, the user will be removed from the local Administrators group.
