How to Automatically Remove Admin Privileges

AutoElevate allows for rapid conversion of users to Standard user privileges and can ensure enforcement of your security policies. This can be done by location, company, or globally from the "Settings" screen or individually on a computer-by-computer basis from the "Computers" screen in the Admin Portal.

How does it work?

When the “Remove Admin Privileges” setting is enabled, this setting automatically removes the currently logged in user from the local Administrators group. The user would then need to logout/login for their Admin Privileges to be completely removed.

• For example, if Todd@MyDomain.local is explicitly part of the local administrator’s group on the computer and the “Remove Admin Privileges” is set to “On”, then when the user logs in, the account (Todd@MyDomain.local) will be removed from the local Administrator's group.
  
  
• This functionality does NOT affect domain group membership OR modify domain groups on the local machine.
  
  • For example, if the user is part of the “Domain Admins” group they will not be changed. Or, if the “Domain Users” group is part of the local Administrators group, then the domain user will still have Admin privileges. Domain groups and permissions will need to be managed separately.
    

Before You Begin

Be sure to set which accounts should NEVER be changed.

The list of exceptions can be set globally on the Settings screen:

• From the Settings screen select Global> Agent Security> Excluded Admin Users (for Remove Admin Privileges feature)> Edit (Pencil icon) 

  • Add Item: Add local accounts that you do NOT wish to be removed from the local Administrators group individually.
  • SAVE
• Or create a new Level Setting to override Global setting (Whole Company, Location or Computer with hierarchy of Computer taking precedence) using the "+" icon from the top of the grid.

Once you have set the list of accounts that should be excluded from having the Remove Admin Privileges setting applied then you may proceed to enabling "Remove Admin Privileges".  

Enabling “Remove Admin Privileges”

• From the "Settings" screen select either Global> Agent Security> Remove Admin Privileges> Edit (Pencil icon)  or create a new Level Setting (Whole Company or Location) using the "+" icon from the top of the grid.

  • Enabled: Check to enable.
• To override this setting for a specific computer:
  1. Go to the "Computers" screen.
  2. Select the computer(s) by clicking the square next to the computer(s). 
  3. Click on the “Actions” menu at the top of the screen.
  4. Select the desired setting under the “Remove Admin Privileges” section for the computer(s): 
     • Set to On: Enabled
     • Set to Off: Never remove admin privileges.
     • Remove Override: Use default setting created in the "Settings" screen.

Once enabled, at the next Agent check-in the logged in user will be converted to a Standard user if: 

• The logged in user is a configured as a local administrator on the machine 
• The User is not listed as one of the “Excluded Admin Users” in either the global or company settings