0

I have a few users who need admin rights on their Win11 PCs to install/remove exotic software without asking for IT help. Is it possible to let them know the local admin user account/pwd but force them to log in with their AzureAD account and only validate with the local admin account when required?

They often find it easier to use the local admin account or even to create another local admin, which I think is too high a risk for an enterprise PC. Thx.

MM VA
  • `even to create an other local admin, which I think is too high a risk for an enterprise pc.`. It shouldn't be. Your normal daily processes for identifying unauthorized local accounts should be disabling those and identifying the offenders. – Greg Askew May 25 '23 at 11:49
  • User has to be allowed to install as an admin. What I would like is to disallow the admin account interactive login. Only elevation. – MM VA May 26 '23 at 07:00
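
The daily check for unauthorized local admin accounts that the first comment describes could look like the following. This is an added example, not part of the original thread; the allowlist names are constructed placeholders and the function names are hypothetical.

```powershell
# Added example: list local accounts that are members of the built-in
# Administrators group but are not on an approved list.
# $AllowedAdmins is a constructed allowlist; replace it with your own names.
$AllowedAdmins = @('Administrator', 'corp-localadmin')

function Get-LocalAdminSid {
    # Resolve the group by its well-known SID so the script also works on
    # non-English Windows installations.
    $sid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

    # ADSI is used here instead of Get-LocalGroupMember, which can fail when
    # the group contains SIDs it cannot resolve.
    $group = [ADSI]"WinNT://./$name,group"
    foreach ($member in $group.Invoke('Members')) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Find-UnexpectedLocalAdmin {
    param([string[]]$Allowed = $AllowedAdmins)

    $adminSids = @(Get-LocalAdminSid)

    # Only local accounts are inspected; AzureAD and domain members of the
    # group are skipped because they are managed centrally.
    Get-LocalUser |
        Where-Object { $adminSids -contains $_.SID.Value -and $Allowed -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Name      = $_.Name
                Enabled   = $_.Enabled      # disabled accounts are reported too
                LastLogon = $_.LastLogon
                Sid       = $_.SID.Value
            }
        }
}

# Any output row is a local admin account nobody approved.
Find-UnexpectedLocalAdmin | Format-Table -AutoSize
```

Run it elevated from whatever already executes scheduled scripts on the endpoints, and feed the rows into the process that disables the account and follows up with the user.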

1 Answer

0

Yes, there is a way and I have written an article about it. The described method in short: use scheduled tasks to trigger admin account enabling only when selected users log on, so that at the logon mask, these admin accounts can't be found. https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html