Local Admin Group Cleanup
Purpose
This solution manages the membership of the local Administrators group on Windows machines.
Associated Content
Custom Field
Content | Definition Scope | Required | Type | Available Options | Applicable OS | Function |
---|---|---|---|---|---|---|
cPVAL Local Admin Group Cleanup | Organization, Location, Device | True | Drop-down | Windows, Windows Workstations, Windows Servers, Disabled | Windows | Select the operating system to enable the local admin group cleanup solution for the client. Set this field to Disabled at the location or device level to exclude that location or device. |
cPVAL Approved Local Admins | Organization, Location, Device | True | Text | | Windows | Enter a comma-separated list of approved local admins for the client. Setting this custom field at the location or device level overrides the value set at the organization level. |
Automation
Content | Function |
---|---|
Local Admin Group Cleanup | Manages the local Administrators group by ensuring only the users specified in the cPVAL Approved Local Admins custom field are present. If any approved users are missing, the automation will add them to the group. If the field is not set, all users except 'Administrator' (and 'Domain Admins' for domain-joined machines) will be removed from the group. |
Compound Conditions
Content | Function |
---|---|
Local Admin Group Cleanup - Windows Workstations | Initiates the Local Admin Group Cleanup automation on Windows Workstations where the cleanup feature is enabled. |
Local Admin Group Cleanup - Windows Servers | Initiates the Local Admin Group Cleanup automation on Windows Servers where the cleanup feature is enabled. |
Implementation
Step 1
Create the following custom fields:
Step 2
Create the following Local Admin Group Cleanup automation.
Step 3
Create the Local Admin Group Cleanup - Windows Workstations compound condition for the default Windows Workstation [Default] agent policy.
Step 4
Create the Local Admin Group Cleanup - Windows Servers compound condition for the default Windows Server [Default] agent policy.
FAQ
1. Can the Local Admin Group Cleanup automation be run manually?
Yes, the automation can be run manually, independent of the cPVAL Local Admin Group Cleanup custom field. However, the cPVAL Approved Local Admins must be populated. Even if the cleanup feature is disabled or a device is excluded, you can still manually execute the automation to manage the local Administrators group.
2. Are the cPVAL Local Admin Group Cleanup and cPVAL Approved Local Admins custom fields required for the automation to work?
Yes, these custom fields are necessary for the automation to function as intended. The cleanup automation uses these fields to determine which devices should be included and which local admin accounts should be retained.
3. What should I check if the cleanup is not being applied to certain devices?
If the cleanup is not working on specific devices, verify that the cPVAL Local Admin Group Cleanup custom field is set appropriately and is not set to Disabled at the organization, location, or device level. Also ensure the correct compound conditions are applied to the relevant agent policies.
4. Can I customize which admin accounts are retained on each device?
Yes, you can specify a comma-separated list of approved local admin accounts in the cPVAL Approved Local Admins custom field. Setting this field at the location or device level will override the organization-level value for that scope.
5. What happens if the cPVAL Approved Local Admins field is left blank?
If the cPVAL Approved Local Admins custom field is not set, the automation will remove all users from the local Administrators group except for 'Administrator' (and 'Domain Admins' on domain-joined machines).
6. How should I set values in the cPVAL Approved Local Admins custom field?
- Enter the value in single quotes.
  Example: 'firstCat'
- For multiple approved admins, separate each entry with a comma.
  Example: 'firstCat, secondCat'
- To specify domain users or groups, use the Domain keyword (do not enter the actual domain name). The automation will automatically substitute Domain with the correct domain name for domain-joined machines and ignore the entry for workgroup machines.
  Example: 'firstCat, secondCat, Domain\Cats Group, Domain\goldenCat'
- You do not need to include Administrator or Domain\Domain Admins in this field. The automation will automatically add Administrator and, for domain-joined machines, Domain\Domain Admins.
- If this custom field is left blank, the automation will remove all users from the local Administrators group except for 'Administrator' (and 'Domain Admins' on domain-joined machines).
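The following PowerShell is an added illustration of the membership logic described in the automation table and in FAQ 5 and 6; it is not the solution's own automation script. It assumes the cPVAL Approved Local Admins value arrives as a script parameter rather than through the platform's custom-field lookup, and that the DNS domain name reported by Win32_ComputerSystem is accepted as an account qualifier when resolving names to SIDs.

```powershell
param(
    # Value of the cPVAL Approved Local Admins field, e.g. 'firstCat, Domain\goldenCat'.
    # Assumption: the real automation reads it from the custom field; here it is a script parameter.
    [string]$ApprovedLocalAdmins = ''
)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$domainJoined = [bool]$cs.PartOfDomain
$adminsGroupSid = 'S-1-5-32-544'   # well-known SID of local Administrators, so a localized group name does not matter

# Principals that are always kept, per the solution description.
$keep = @('Administrator')
if ($domainJoined) { $keep += "$($cs.Domain)\Domain Admins" }

# Parse the field: strip the surrounding quotes, split on commas, trim, drop empty entries.
$entries = $ApprovedLocalAdmins.Trim("'", '"') -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($entry in $entries) {
    if ($entry -match '^Domain\\(.+)$') {
        # 'Domain' keyword: substitute the real domain when joined, ignore the entry on workgroup machines.
        # Assumption: the DNS domain name from Win32_ComputerSystem is accepted as an account qualifier.
        if ($domainJoined) { $keep += "$($cs.Domain)\$($Matches[1])" }
    } else { $keep += $entry }
}

function Resolve-AccountSid([string]$Account) {
    # Compare by SID so one principal written with different domain qualifiers still matches.
    try { ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

$keepSids = @{}
foreach ($name in $keep) {
    $sid = Resolve-AccountSid $name
    if ($sid) { $keepSids[$sid] = $name } else { Write-Warning "Cannot resolve '$name'; skipping it" }
}
$currentSids = @{}
foreach ($member in Get-LocalGroupMember -SID $adminsGroupSid) { $currentSids[$member.SID.Value] = $member.Name }

# Remove members not on the keep list, then add approved principals that are missing.
foreach ($sid in @($currentSids.Keys)) {
    if (-not $keepSids.ContainsKey($sid)) {
        Write-Output "Removing $($currentSids[$sid])"
        Remove-LocalGroupMember -SID $adminsGroupSid -Member $sid
    }
}
foreach ($sid in @($keepSids.Keys)) {
    if (-not $currentSids.ContainsKey($sid)) {
        Write-Output "Adding $($keepSids[$sid])"
        Add-LocalGroupMember -SID $adminsGroupSid -Member $keepSids[$sid]
    }
}
```

An entry that cannot be resolved to a SID is skipped with a warning rather than silently dropped, which is worth surfacing in the automation's output because a typo in the field would otherwise leave an intended admin out of the group.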