Automatically removing local admin accounts that are not authorized with Intune


In this post I will share a remediation script allowing you to automatically remove local admin accounts that are not authorized from Intune devices.


Get the script

Click on the below GitHub picture to get both detection and remediation scripts.


The solution

The solution relies on two scripts, each handling one step:

- A detection script to check if there are local admin accounts

- A remediation script to remove them


The detection script checks whether local admin accounts are present on your devices.

It looks for accounts that should not be there, meaning accounts that are not authorized.

If it finds any, the remediation script is executed and removes those accounts.


Authorized account

As mentioned previously, the detection script checks whether there are local admin accounts on your devices.

However, you may have deliberately configured a local admin group or account on your devices.

For instance, a local admin group allowing your help desk to work with privileges.

You can easily add authorized accounts to the script in the variable $Authorized_Accounts.

To add authorized account(s), proceed as below:

1. Search for the variable $Authorized_Accounts

2. Add the account, group or SID there

3. Separate each one with a ";"


To get the SID, you first need to get the ID. You can get it directly from the Intune portal.

Then you can convert the ID to a SID in one of these ways:

- Use this website

- Use this script


* You will find all information and examples in the scripts
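
How a detection check of this kind can compare the local Administrators group against $Authorized_Accounts, shown as an added example that is not the author's script. Get-LocalAdminMember, Get-UnauthorizedAdmin and the list entries are hypothetical; the exit codes follow the Intune remediation convention, where a detection script exiting with 1 triggers the remediation script.

```powershell
# Added example, not the author's script. Function names and list entries are hypothetical.
# Same format as the post: accounts, groups or SIDs separated by ";" (constructed values).
$Authorized_Accounts = 'Administrator; HelpDesk_Admins; S-1-12-1-1111111111-2222222222-3333333333-4444444444'

function Get-LocalAdminMember {
    # Resolve the group from its well-known SID so the name works on non-English Windows.
    $adminSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $groupName = ($adminSid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $type  = $member.GetType()
        $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        [pscustomobject]@{
            Name = $type.InvokeMember('Name', 'GetProperty', $null, $member, $null)
            SID  = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$bytes, 0).Value
        }
    }
}

function Get-UnauthorizedAdmin {
    param([string[]]$Allowed, [object[]]$Members)
    # -notcontains is case-insensitive; an entry may match the member name or its SID.
    $Members | Where-Object { $Allowed -notcontains $_.Name -and $Allowed -notcontains $_.SID }
}

# Trim entries and drop empty ones so "a; b;" does not yield blank matches.
$allowed = $Authorized_Accounts -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$found   = @(Get-UnauthorizedAdmin -Allowed $allowed -Members @(Get-LocalAdminMember))

if ($found.Count -gt 0) {
    $list = ($found | ForEach-Object { "$($_.Name) [$($_.SID)]" }) -join ', '
    Write-Output "Unauthorized local admin(s): $list"
    exit 1    # non-zero exit code: Intune reports an issue and runs the remediation script
}
Write-Output 'No unauthorized local admin found'
exit 0        # zero exit code: nothing to remediate
```

On Entra-joined devices, cloud accounts and groups show up in the Administrators group as S-1-12-1-... SIDs rather than names, which is why the list accepts SIDs. Check the detection output on a test device and complete the list before pairing it with a remediation script that removes members.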


Creating remediation script

1. Go to the Intune portal

2. Go to Devices

3. Go to Scripts and remediations


4. Click on Create


5. Type a name

6. Click on Next


7. Browse the detection script


8. Browse the remediation script


9. Select run as 64-bit


10. Click on Next

11. Select the group 

12. Schedule your script if needed

13. Click on Apply

14. Click on Next

15. Click on Create


Other solutions

Local admin dashboard

You can find here an article about how to create a dashboard to monitor local admin accounts created on your devices.


Local admin alerts

You can find here an article about how to get a mail alert when local admin accounts have been found on your devices.
