Local Admin right issue / Question

Question

Local Admin right issue / Question

SSE@TUE 320

Hi,

I have an issue with local Admin right permission or what is the best way to manage local admin rights?

Our Client machines are in the Domain und some client machines have local Admin right on the client machine. It is not ISO-compliant and I want to remove the local Admin right.

I don't want to have any local account restrictions on the domain or restrict local admin rights

My issue is the following.

the user have to install always and every day for testing many application that need admin right to install these applications.
me as Administrator have no time to go to users and put Administrator and password to installing the application.

What is the best method or better way to handle it without to have any local Admin right.

Regards

Nick

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Jason Nguyen Tran 17,025 Independent Advisor

Hi SSE@TUE,

Based on my understanding, giving users permanent local admin rights is risky, but there are better ways to handle this without slowing down your team. One recommended approach is to use tools like Microsoft Endpoint Manager (Intune) or Group Policy to delegate temporary elevation of privileges. This way, users can request admin rights for a short period, and the system automatically revokes them afterward.

Another option is to use solutions such as Privileged Access Management or third‑party tools like LAPS (Local Administrator Password Solution). LAPS ensures that local admin accounts exist but are managed securely, with unique passwords rotated automatically. For testing environments, you could also create a dedicated lab domain or VM environment where users have more freedom, while keeping production machines locked down.

If you prefer a simpler approach, you can use PowerShell scripts or task scheduler to grant admin rights only during specific installation tasks, then remove them immediately after. This balances security with flexibility. The key is to avoid permanent admin rights while still enabling users to do their work without waiting for IT every time.

I hope the response provided some helpful insight. If it addressed your issue, please consider marking it as Accept Answer so others facing the same problem can easily find the solution. If you need any further assistance, feel free to leave a comment.

Jason.

SSE@TUE 320 Reputation points

2026-04-14T12:45:06.7433333+00:00

Hi thank you for your replay. We don't have Microsoft Endpoint Manager (Intune), but we have SCCM, it is the as I know. How can I to delegate temporary elevation of privileges with SCCM?

LAPS is not allowed with our ISO Policy.

could you me a example for following:

PowerShell scripts or task scheduler to grant admin rights only during specific installation tasks, then remove them immediately after. This balances security with flexibility. The key is to avoid permanent admin rights while still enabling users to do their work without waiting for IT every time.

best regards
Jason Nguyen Tran 17,025 Reputation points Independent Advisor

2026-04-14T13:13:28.9533333+00:00
Hi Nick,

You’re right that SCCM can help here, though it doesn’t have a built‑in “just‑in‑time” elevation feature. What you can do is leverage SCCM to deploy a PowerShell script or scheduled task that temporarily adds a user to the local Administrators group, runs the installation, and then removes the user immediately afterward. This way, users only have admin rights during the specific task window.

A simple example in PowerShell would look like this:

# Add user to local Administrators Add-LocalGroupMember -Group "Administrators" -Member "DOMAIN\\UserName" # Run installer Start-Process "C:\\Path\\Setup.exe" -Wait # Remove user from local Administrators Remove-LocalGroupMember -Group "Administrators" -Member "DOMAIN\\UserName"

You can wrap this into a script and deploy it via SCCM as a package or application. The script ensures the user gets elevated rights only for the duration of the install. If you want more control, you can schedule the removal step with Task Scheduler to run after a fixed time window, so even if the install hangs, the rights are revoked automatically.

I hope this gives you a clear path forward. If you find this answer helpful, please consider clicking Accept Answer so others can benefit too.

Jason.
SSE@TUE 320 Reputation points

2026-04-14T13:21:07.91+00:00

Hi Jason,

Thanks again for your replay. I can try with SCCM to deploy a Package. As you know, it take a long time until the user has get the Package. Because our user install spontaneously any applications and need immediately Admin right.

Your PW Script, how can the script know when the installation of application is finished and you can remove the admin right?

What other solutions are there?

regards

Nick
Jason Nguyen Tran 17,025 Reputation points Independent Advisor

2026-04-14T13:30:06.13+00:00
In the PowerShell script I shared earlier, the way it knows the installation is finished is by using the -Wait parameter in the Start-Process command. That tells PowerShell to pause until the installer process exits, and only then does it remove the user from the Administrators group. This ensures admin rights are granted only for the duration of the install.

For example:

Add-LocalGroupMember -Group "Administrators" -Member "DOMAIN\\UserName" Start-Process "C:\\Path\\Setup.exe" -Wait Remove-LocalGroupMember -Group "Administrators" -Member "DOMAIN\\UserName"

If you want extra safety, you can also schedule a task that automatically removes the user from the Administrators group after a fixed time window (e.g., 30 minutes). That way, even if the installer hangs or the user forgets to close it, the rights are revoked automatically. Another solution is to use Privileged Access Management, which provides just‑in‑time elevation with approval workflows, though it requires additional infrastructure.

In short, combining the -Wait parameter with a scheduled fallback task gives you a practical way to handle spontaneous installs without leaving permanent admin rights.

I hope this explanation helps you move forward.
SSE@TUE 320 Reputation points

2026-04-14T14:01:36.8633333+00:00

that sound very good Privileged Access Management, do you have any recommendations for me or is there any tools I can use?

requires additional infrastructure, any recommendations?
Jason Nguyen Tran 17,025 Reputation points Independent Advisor

2026-04-14T15:15:17.7533333+00:00

Privileged Access Management (PAM) requires some additional infrastructure, but it’s one of the most effective ways to provide just‑in‑time admin rights without leaving accounts permanently elevated. Within the Microsoft ecosystem, the main recommendation is to use "Microsoft Privileged Access Management in Active Directory" or "Azure AD Privileged Identity Management (PIM)". These solutions allow you to grant admin rights only when requested, enforce approval workflows, and automatically revoke access after a set time window.

If you’re working primarily on‑premises, PAM in Active Directory can be deployed with Windows Server and requires setting up a bastion forest. This adds complexity but gives you strong control over privileged accounts. If you’re hybrid or cloud‑connected, Azure AD PIM is easier to implement and integrates directly with Microsoft 365 and Azure services. It allows you to assign roles temporarily, enforce MFA, and log all privileged activity.

For organizations that don’t want to build full PAM infrastructure, there are also third‑party tools like BeyondTrust or CyberArk that provide similar just‑in‑time elevation features. These can be deployed in smaller environments and still meet ISO compliance requirements.
SSE@TUE 320 Reputation points

2026-04-14T15:26:43.87+00:00

Thank you again for your help and recommendation. We are on-promises and I would like to user Microsoft Privileged Access Management in Active Directory. But I have no Idea how. Do you have any Link or step by step to do that? I will check in the meantime the BeyondTrust or CyberArk. What do you would like to recommend me Microsoft Privileged Access Management in Active Directory or hird‑party tools like BeyondTrust or CyberArk? Is the Microsoft Privileged Access Management in Active Directory the same like Microsoft Identity Manager?

Thank you very much
Jason Nguyen Tran 17,025 Reputation points Independent Advisor

2026-04-26T00:51:24.8433333+00:00

Hi SSE@TUE,

Apologies for the delayed response. I’d like to clarify a few points to help you make an informed decision.

Microsoft PAM in AD is not the same as Microsoft Identity Manager (MIM), though PAM is implemented using MIM components. PAM is focused specifically on just‑in‑time privileged access: administrators request elevation for a limited time, and rights are automatically revoked when the window expires. This requires setting up a bastion forest, configuring trust with your production AD, and deploying MIM to handle the workflow. It’s a powerful solution if your environment is purely on‑premises and you want Microsoft‑native integration, but it does involve a fairly complex setup.

Third‑party tools like BeyondTrust or CyberArk provide broader coverage. They can manage privileged access across hybrid environments (Windows, Linux, cloud apps), offer features like password vaulting, session recording, and analytics, and are generally easier to deploy. These are often chosen by enterprises with mixed environments or strict compliance requirements.

In short: PAM in AD is best if you want a Microsoft‑native, on‑premises solution and are comfortable with the complexity of MIM. BeyondTrust or CyberArk are stronger choices if you need cross‑platform support and advanced monitoring. Both approaches are valid, it depends on your environment and priorities.

I hope this gives you a clear comparison. If you find this answer helpful, please consider clicking Accept Answer so others can benefit too.

Jason.
SSE@TUE 320 Reputation points

2026-04-27T07:37:30.6733333+00:00

Hi,

Could send me a link step by step how I can install the PAM?
Jason Nguyen Tran 17,025 Reputation points Independent Advisor

2026-04-27T11:17:23.8366667+00:00

Hi ,

Please refer to this: https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

Share via

Local Admin right issue / Question

0 additional answers

Your answer