US English (US)
ES Spanish

Contact Us

If you still have questions or prefer to get help directly from an agent, please submit a request.
We’ll get back to you as soon as possible.

  • Contact Us
English (US)
US English (US)
ES Spanish
  • Home
  • AutoElevate Knowledgebase
  • General & Troubleshooting
  • Settings

How to Automatically Remove Admin Privileges

Learn how to enhance the security of your system by automatically removing admin privileges.

Written by Owen Parry

Updated at March 26th, 2025

Contact Us

If you still have questions or prefer to get help directly from an agent, please submit a request.
We’ll get back to you as soon as possible.

  • AutoElevate Knowledgebase
    New to AutoElevate? START HERE General & Troubleshooting Managing Rules Integrations Announcements FAQ Sales & Marketing
  • Password Boss Knowledgebase
    Using Password Boss Business Administration Password Boss Partner Documents
  • Changelogs for Autoelevate and Password Boss
  • Current Status
  • Marketing Toolkit
    MSP Marketing & Education Toolkit
+ More

Table of Contents

How does it work? Before You Begin Enabling Remove Admin Privileges Restoring Local Admin Rights

AutoElevate allows for rapid conversion of users to Standard user privileges and can ensure enforcement of your security policies. This can be done by location, company, or globally from the Settings screen as well as individually on a computer-by-computer basis from the Computers screen in the Admin Portal. This feature is not enabled by default, but can be set to do so from Settings.
 

How does it work?


When the Remove Admin Privileges setting is enabled and the agent is in Live or Policy mode, this setting automatically removes the currently logged-in user from the local Administrators group. The user would then need to log out and then log back in for their Admin Privileges to be completely removed. If the user logs in for the first time since feature is enabled, they will also need to logout and login a second time for their Admin Privileges to be completely removed.

  • For example, if Todd@MyDomain.local is explicitly part of the local administrator's group on the computer and the Remove Admin Privileges is set to On, then when the user logs in, the account (Todd@MyDomain.local) will be removed from the local administrator's group.

This functionality does NOT affect domain group membership OR modify domain groups on the local machine.

  • For example, if the user is part of the “Domain Admins” group, they will not be changed. Or, if the “Domain Users” group is part of the local Administrators group, then the domain user will still have Admin privileges. Domain groups and permissions will need to be managed separately.
     

Before You Begin


Be sure to set which accounts should NEVER be changed.

  1. The list of exceptions can be set globally on the Settings screen. From the Settings screen, select Global -> Agent Security -> Excluded Admin Users (for Remove Admin Privileges feature) -> Edit (Pencil icon)
     
  • Add Item: Add local accounts that you do NOT wish to be removed from the local Administrators group individually, then click SAVE
     
  • Or create a new Level Setting to override the Global setting (Whole Company, Location, or Computer with hierarchy of Computers taking precedence) using the "+" icon from the top of the grid.

     

Note: Once you have set the list of accounts that should be excluded from having the Remove Admin Privileges setting applied , you may enable "Remove Admin Privileges".  

 

Enabling Remove Admin Privileges


From the Settings screen select either Global -> Agent Security -> Remove Admin Privileges -> Edit (Pencil icon)  or create a new Level Setting (Whole Company or Location) using the "+" icon from the top of the grid.

  • Enabled: Check to enable.
     
  • To override this setting for a specific computer:
     
    1. Go to the Computers screen. 
    2. Select the computer(s) by clicking the square next to the computer(s). 
    3. Click on the Actions menu at the top of the screen.
    4. Select the desired setting under the “Remove Admin Privileges” section for the computer(s): 

  • Set to On: Enabled
  • Set to Off: Never remove admin privileges.
  • On (Override): Use the default setting created in the "Settings" screen.

See image below:

Once enabled, at the next Agent check-in, the logged-in user will be converted to a Standard user if: 

  • The logged-in user is configured as a local administrator on the machine.
     
  • The User is not listed as one of the “Excluded Admin Users” in global or company settings.
     
  • The agent is set to Live or Policy mode.

Restoring Local Admin Rights

Please note that when enabling this feature, our agent can only remove local admin rights at this time and cannot restore them.

 

 

admin removal automatic remove

Was this article helpful?

Yes
No
Give feedback about this article

Related Articles

  • Using DUO with AutoElevate
  • Elevation Types
  • SSO with Entra ID (Azure AD) for AutoElevate
  • Removing Elevation or Blocking Rules
  • Products
    • Privileged Access Management
    • Password Management
  • Solutions
    • For MSPs
    • For IT Pros
    • By Industry
  • Resources
    • Weekly Demos
    • Events
    • Blog
    • FAQ
  • Company
    • Leadership
    • Culture + Values
    • Careers
    • Awards
    • News & Press
    • Trust Center
    • Distributors
  • Get Pricing
  • Free Trial
  • Request a Demo
  • Support
  • Login
  • Contact
4925 Independence Parkway
Suite 400
Tampa, FL 33634
CALL US (813) 578-8200
  • Link to Facebook
  • Link to Linkedin
  • Link to Twitter
  • Link to Youtube
© 2023 CYBERFOX LLC ALL RIGHTS RESERVED  |  Privacy Policy

Knowledge Base Software powered by Helpjuice

Expand