June 5, 2025

Audit and eliminate unused local admin accounts to further secure your environment

Written by:

For ThreatLocker webinar series 100 days to secure your environment: Week 1

Before you can enforce least privilege across your environment, you need clear visibility into which local administrator accounts exist and when they were last active.

ThreatLocker® Elevation Control helps you identify and document these accounts, then strip local admin rights. Instead of granting broad privileges, you can elevate only the specific applications users need. Admins no longer need to enter their credentials on standard endpoints. Instead, they can request elevation for specific applications. No password typed, no risks of admin credentials exposure and theft.

You can also run the PowerShell script below to complete the audit. Once you’ve identified unused or unnecessary admin accounts, you can decide which privileges to remove.

PowerShell script

Run this PowerShell script on the local machine to generate a list of all local administrator accounts along with their last login date and time.

# Get all members of the local Administrators group $adminGroup = [ADSI]"WinNT://./Administrators,group" $adminMembers = @() foreach ($member in $adminGroup.psbase.Invoke("Members")) { $user = $member.GetType().InvokeMember("Name", 'GetProperty', $null, $member, $null) $adminMembers += $user } # Get last logon info for each admin account $adminInfo = foreach ($admin in $adminMembers) { try { $userAccount = Get-LocalUser -Name $admin -ErrorAction Stop [PSCustomObject]@{ Username = $userAccount.Name Enabled = $userAccount.Enabled LastLogon = $userAccount.LastLogon Description = $userAccount.Description } } catch { Write-Warning "Could not retrieve info for $admin" } } # Export to CSV $adminInfo | Export-Csv -Path "$env:USERPROFILE\Desktop\AdminAccounts.csv" -NoTypeInformation Write-Output "Admin account information exported to Desktop\AdminAccounts.csv"

With unnecessary admin accounts removed, you've reduced privilege sprawl and strengthened your overall security posture. We are now off to the next step: enforcing a password protected screensaver.