Automatically removing local admin accounts that are not authorized with Intune
In this post I will share a detection and remediation script pair that automatically removes unauthorized local admin accounts from Intune-managed devices.
Get the script
Both the detection and remediation scripts are published on GitHub; click the GitHub picture below to open the repository and get them.
The solution
The solution consists of two scripts, deployed together as an Intune remediation:
- A detection script that checks whether unauthorized local admin accounts exist on the device
- A remediation script that removes them
The detection script enumerates the members of the local Administrators group and compares them with the list of authorized accounts; any member not on that list counts as an unauthorized local admin.
If it finds any, it exits with code 1, which tells Intune to run the remediation script; the remediation script then removes those accounts from the group.
If nothing unauthorized is found, the detection script exits 0, the device is reported as compliant and the remediation script never runs.
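The following PowerShell is an added example of the detection/remediation logic described above; it is not the post's own script. One file plays both roles: a copy with $Remediate = $false is uploaded as the detection script, a copy with $Remediate = $true as the remediation script. The $Authorized_Accounts list follows the ";"-separated format explained in the next section; the account names and the SID in it are placeholders, not values from the post.

```powershell
# Added example (not the post's own script). One script serves both roles: upload a
# copy with $Remediate = $false as the detection script and a copy with
# $Remediate = $true as the remediation script. Must run as SYSTEM in 64-bit PowerShell.
$Remediate = $false

# Authorized members of the local Administrators group, separated by ";" as in the post.
# Entries may be an account name, a group name or a SID string. The names and the
# S-1-12-1-... SID (an Entra ID object) below are placeholders, i.e. assumptions.
$Authorized_Accounts = "Administrator;HelpDesk-LocalAdmins;S-1-12-1-1943430372-1249052806-2496021943-3034400218"

$Authorized = $Authorized_Accounts -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

try {
    # Get-LocalGroupMember can fail on some builds when a member's SID can no longer be
    # resolved ("Failed to compare two elements in the array"), so catch it explicitly.
    $Members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
}
catch {
    Write-Output "Could not enumerate Administrators: $($_.Exception.Message)"
    exit 1   # surface the failure in the Intune report instead of reporting compliant
}

$Unauthorized = foreach ($m in $Members) {
    $sid   = $m.SID.Value
    $full  = $m.Name                 # e.g. CONTOSO\jdoe, AzureAD\jane@contoso.com, or a raw SID
    $short = $full.Split('\')[-1]    # name without the domain/computer prefix
    # Never remove the built-in Administrator (RID 500), even if it has been renamed.
    if ($sid -like 'S-1-5-21-*-500') { continue }
    # -contains compares case-insensitively, so "administrator" matches "Administrator"
    if (($Authorized -contains $full) -or ($Authorized -contains $short) -or ($Authorized -contains $sid)) { continue }
    $m
}

if (-not $Unauthorized) {
    Write-Output "Compliant: only authorized members in Administrators"
    exit 0
}

$Names = ($Unauthorized | ForEach-Object { $_.Name }) -join ', '

if (-not $Remediate) {
    # Detection role: exit 1 makes Intune run the remediation script.
    Write-Output "Unauthorized local admins found: $Names"
    exit 1
}

# Remediation role: remove by SID so members whose name cannot be resolved are still removed.
$Failed = @()
foreach ($m in $Unauthorized) {
    try {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.SID.Value -ErrorAction Stop
    }
    catch {
        $Failed += "$($m.Name): $($_.Exception.Message)"
    }
}

if ($Failed.Count -gt 0) {
    Write-Output "Failed to remove: $($Failed -join '; ')"
    exit 1
}
Write-Output "Removed: $Names"
exit 0
```

Two points worth keeping in mind: the first line written with Write-Output is what Intune shows as the detection/remediation output for the device, so make it informative; and the built-in Administrator is protected by its RID-500 SID rather than by name, so a renamed built-in account (for instance one managed by LAPS) is never removed even if someone forgets to list it in $Authorized_Accounts.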
Authorized account
As mentioned above, the detection script checks the members of the local Administrators group on your devices.
Some of those members are expected: you may have deliberately configured a local admin group or account on your devices.
For instance, a local admin group allowing your help desk to work with elevated privileges.
Such accounts must not be removed, so you declare them in the script in the variable $Authorized_Accounts.
To add authorized account(s), proceed as below:
1. Search for the variable $Authorized_Accounts
2. Add the account, group or SID there
3. Separate each entry with a ";"
Entra ID (Azure AD) users and groups are identified in the local group by a SID derived from their object ID, so for those you add the SID. To get the SID you first need the object ID, which you can read directly in the Intune portal.
Then you can convert the ID to a SID as below:
- Use this website
- Use this script
* You will find all information and examples in the scripts
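The conversion from an Entra ID (Azure AD) object ID to the SID Windows uses for that object in local groups is deterministic, so it can be done offline. The PowerShell below is an added example of that conversion (and of the reverse), not the script or website the post links to. The object ID is a sample value; the Intune portal shows the real one for your user or group.

```powershell
# Added example, not the post's own converter. Converts an Entra ID (Azure AD)
# user/group object ID to the SID Windows uses for it in local groups, and back.
function Convert-ObjectIdToSid {
    param([Parameter(Mandatory)][string]$ObjectId)
    # Guid.ToByteArray() already emits the first three GUID fields little-endian, which is
    # exactly the byte order Windows uses for the four 32-bit sub-authorities of the SID.
    $bytes = [Guid]::Parse($ObjectId).ToByteArray()
    $parts = New-Object 'UInt32[]' 4
    [Buffer]::BlockCopy($bytes, 0, $parts, 0, 16)
    # S-1-12-1 is the fixed prefix (identity authority 12, sub-authority 1) for Entra ID objects
    return 'S-1-12-1-' + ($parts -join '-')
}

function Convert-SidToObjectId {
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') {
        throw "Not an Entra ID SID: $Sid"
    }
    $parts = [UInt32[]]@($Matches[1], $Matches[2], $Matches[3], $Matches[4])
    $bytes = New-Object 'Byte[]' 16
    [Buffer]::BlockCopy($parts, 0, $bytes, 0, 16)
    return [Guid]::new($bytes)
}

# Sample object ID (constructed for this example; in practice copy it from the Intune portal)
$objectId = '73d664e4-0886-4a73-b745-c694da45ddb4'
$sid = Convert-ObjectIdToSid $objectId
"$objectId -> $sid"                 # S-1-12-1-1943430372-1249052806-2496021943-3034400218
"round trip -> $(Convert-SidToObjectId $sid)"

# Check against what the device actually sees: members of Administrators whose SID
# starts with S-1-12-1- are Entra ID objects, and their SIDs are what goes into
# $Authorized_Accounts when the name cannot be resolved on the device.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.SID.Value -like 'S-1-12-1-*' } |
    Select-Object Name, @{ Name = 'ObjectId'; Expression = { Convert-SidToObjectId $_.SID.Value } }
```

The reverse conversion is handy when the detection output lists a raw S-1-12-1 SID: converting it back to the object ID lets you look the account up in the Entra ID or Intune portal to decide whether it belongs on the authorized list.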
Creating the remediation in Intune
1. Go to the Intune admin center
2. Go to Devices
3. Go to Scripts and remediations (Remediations tab)
4. Click on Create
5. Type a name
6. Click on Next
7. Browse to the detection script
8. Browse to the remediation script
9. Set "Run script in 64-bit PowerShell" to Yes, and leave "Run this script using the logged-on credentials" at No so the scripts run as SYSTEM (modifying the Administrators group requires this)
10. Click on Next
11. Select the device or user group to assign
12. Set the schedule (once, hourly or daily) if needed
13. Click on Apply
14. Click on Next
15. Click on Create
Other solutions
Local admin dashboard
You can find here an article about how to create a dashboard to monitor local admin accounts created on your devices.
Local admin alerts
You can find here an article about how to get a mail alert when local admin accounts have been found on your devices.