Local admin rights
Local admin rights grant a user full administrative control over a specific endpoint, including the ability to install software, modify system settings, disable security controls, and access sensitive files. While local admin rights can simplify troubleshooting and legacy application support, they significantly increase the risk of privilege escalation, ransomware spread, and lateral movement. Enforcing least privilege by removing unnecessary local admin rights is a critical step in reducing endpoint attack surface.
What are local admin rights?
Local admin rights are permissions that give a user full administrative control over a Windows or macOS endpoint. A user with local admin rights can install or remove software, modify system configurations and registry settings, create or delete local accounts, disable security tools, and access protected files.
Unlike domain-level privileges, local admin rights apply only to a specific device. However, if an attacker compromises an account with local admin rights, they can run code as SYSTEM on that device, extract credentials cached in memory or stored in the local SAM database, and reuse them to pivot laterally across the network. The exposure is worst when the same local Administrator password is shared across many endpoints, because one compromised machine then yields administrative access to all of them.
How do I give admin rights to a local user?
In Windows environments, administrators can grant local admin rights by adding a user account to the local Administrators group on a machine. This can be done through Computer Management, PowerShell commands, Group Policy, or endpoint management tools.
While granting local admin rights may solve short-term operational needs, doing so broadly or permanently introduces long-term security risk. Over time, excessive local admin rights often accumulate, creating hidden exposure across endpoints.
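The PowerShell path described above, as an added example that is not part of the original article and not Netwrix's own code. It grants a domain account membership in the local Administrators group on one workstation, verifies the change, and shows the matching removal so that the right does not become permanent. The hostname WS-0001 and the account CONTOSO\jdoe are placeholders; it assumes WinRM is enabled and that it is run from an account that already administers the target.

```powershell
# Added example (not from the original article or from Netwrix).
# Grant, verify, and later revoke local admin rights on a single endpoint.
$Computer = 'WS-0001'          # assumed hostname
$Member   = 'CONTOSO\jdoe'     # assumed domain account

Invoke-Command -ComputerName $Computer -ArgumentList $Member -ScriptBlock {
    param($Member)
    # Idempotent: only add if the account is not already a member.
    $current = Get-LocalGroupMember -Group 'Administrators' |
               Select-Object -ExpandProperty Name
    if ($current -contains $Member) {
        "$env:COMPUTERNAME: $Member is already a member of Administrators"
    } else {
        Add-LocalGroupMember -Group 'Administrators' -Member $Member
        "$env:COMPUTERNAME: added $Member to Administrators"
    }
    # Verify by reading the group back rather than trusting the add call.
    Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -eq $Member
}

# Counterpart: revoke the right once the task that needed it is finished.
Invoke-Command -ComputerName $Computer -ArgumentList $Member -ScriptBlock {
    param($Member)
    Remove-LocalGroupMember -Group 'Administrators' -Member $Member
    "$env:COMPUTERNAME: removed $Member from Administrators"
}
```

Get-LocalGroupMember, Add-LocalGroupMember and Remove-LocalGroupMember come from the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10 and Windows Server 2016 and later. The same change can be made with net localgroup Administrators CONTOSO\jdoe /add, but the cmdlets return objects that are easier to verify and log.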
Why remove local admin rights?
Removing unnecessary local admin rights is one of the most effective ways to reduce endpoint risk.
Accounts with local admin rights can execute malicious code with elevated privileges, disable endpoint security controls, install unauthorized software, access credential material stored locally, and facilitate ransomware deployment.
Many modern attacks rely on privilege escalation techniques. If users operate without local admin rights, malware running in the user's context cannot tamper with security tooling, install drivers, or read credential material without first finding a separate privilege-escalation flaw, which leaves attackers with fewer opportunities to gain system-level control.
Enforcing least privilege at the endpoint level reduces the blast radius of compromised accounts and helps prevent lateral movement.
What happens when local admin rights are removed?
Removing local admin rights significantly improves security, but it often exposes operational dependencies on administrative privileges that built up over time.
When users lose membership in the local Administrators group, many everyday tasks that previously worked silently may suddenly require elevation or fail entirely. This often leads to a spike in help-desk tickets and frustration from users who were unknowingly relying on administrative access.
Common examples include:
- Installing or updating desktop applications
- Installing printer drivers or other device drivers
- Accessing Device Manager to troubleshoot hardware
- Running developer tools that require administrative privileges
- Installing browser plugins or extensions that modify system components
- Updating software that writes to protected system directories
- Running scripts or utilities that trigger User Account Control (UAC) prompts
- Installing VPN clients or endpoint utilities
- Modifying network configuration or system services
- Running legacy applications that expect write access to protected areas of the registry or file system
Without a strategy for controlled elevation, users frequently encounter UAC prompts they cannot approve, which blocks tasks that previously worked.
As a result, IT teams may experience increased support requests while users wait for administrators to perform routine actions.
This is why successful least-privilege implementations typically combine removal of standing admin rights with controlled, policy-based elevation, allowing approved tasks to run with administrative privileges without granting users permanent administrative access.
How to check local admin rights?
IT teams can check local admin rights by reviewing membership of the local Administrators group on each endpoint. This can be done locally on the device (for example, with net localgroup Administrators or Get-LocalGroupMember), through PowerShell scripts run against many machines at once, or by using centralized auditing and endpoint management tools.
Regularly auditing local admin rights helps identify overprivileged users, dormant accounts, and policy drift.
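An audit script for the check described above, added here as an example; it is not from the original article and not Netwrix's own code. It enumerates the local Administrators group on a list of endpoints, matches each member by SID against an assumed baseline in which only the built-in Administrator (RID 500) and Domain Admins (RID 512) are sanctioned, pulls enabled state and last logon for local user members so dormant accounts are visible, and flags any host whose group cannot be enumerated. The hostnames WS-0001 and WS-0002 and the baseline are assumptions.

```powershell
# Added example (not from the original article or from Netwrix).
# Audit local Administrators membership across endpoints and report drift.
$Computers = @('WS-0001', 'WS-0002')        # assumed hostnames to audit

# Assumed baseline of sanctioned members. Matching on SID rather than name
# means a renamed or localized built-in account cannot slip past the check.
$ApprovedSidPatterns = @(
    '^S-1-5-21-\d+-\d+-\d+-500$',   # built-in local Administrator (RID 500)
    '^S-1-5-21-\d+-\d+-\d+-512$'    # Domain Admins (RID 512)
)

$inventory = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    try {
        # Get-LocalGroupMember ships with Windows 10 / Server 2016 and later.
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object {
            $enabled = $null; $lastLogon = $null
            if ($_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local') {
                # Local user members: record status so dormant accounts show up.
                $u = Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue
                if ($u) { $enabled = $u.Enabled; $lastLogon = $u.LastLogon }
            }
            [pscustomobject]@{
                Member    = $_.Name
                Class     = $_.ObjectClass
                Source    = [string]$_.PrincipalSource
                SID       = $_.SID.Value
                Enabled   = $enabled
                LastLogon = $lastLogon
            }
        }
    } catch {
        # The cmdlet fails outright when the group contains an orphaned SID
        # (for example, a deleted domain account). That host needs manual review.
        [pscustomobject]@{
            Member    = '<enumeration failed: ' + $_.Exception.Message + '>'
            Class     = $null; Source = $null; SID = $null
            Enabled   = $null; LastLogon = $null
        }
    }
}

# A member outside the baseline is a finding, and so is a host whose group
# could not be enumerated (SID is null in that case).
$findings = $inventory | Where-Object {
    $sid = $_.SID
    -not $sid -or -not ($ApprovedSidPatterns | Where-Object { $sid -match $_ })
}

$findings |
    Sort-Object PSComputerName, Member |
    Format-Table PSComputerName, Member, Class, Source, Enabled, LastLogon -AutoSize
```

Run it from an administrative workstation with WinRM enabled on the targets; Invoke-Command tags each returned object with PSComputerName, which is what the report groups on. Pipe $findings to Export-Csv instead of Format-Table to keep a dated snapshot, so that repeated runs show policy drift rather than only the current state.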
Use cases
- Removing standing administrative privileges from standard users
- Supporting legacy applications that require controlled elevation
- Reducing ransomware and privilege escalation risk
- Enforcing least privilege across hybrid work environments
- Meeting compliance requirements for access control
- Auditing local group membership across endpoints
How Netwrix can help
Simply removing local admin rights without a strategy can disrupt productivity and break applications. Organizations need a controlled approach that enforces least privilege while allowing approved tasks to run.
Netwrix PolicyPak enables organizations to:
- Create rules to overcome UAC prompts when standard users need to do “admin-like” things
- Remove unnecessary local admin rights without breaking approved applications
- Enforce just-enough privilege at the desktop application level
- Elevate specific processes securely without granting full administrative access
- Let users install their own printers despite the “PrintNightmare” driver-installation restrictions
- Prevent unauthorized privilege escalation attempts
- Enable users to keep software updated
- Manage endpoint privilege policies across domain-joined and MDM-managed devices
- Validate and monitor privilege changes over time
- Replace standing administrative accounts with policy-based, rule-bound elevation
By replacing standing local admin rights with controlled, policy-based elevation, organizations significantly reduce ransomware risk and close one of the most common attack paths in Windows environments.
Least privilege is not about restricting productivity. It is about granting the right level of access at the right time, and nothing more.
Secure and manage Windows and macOS endpoints wherever your users work with Netwrix PolicyPak. Download free trial.