Navigation section

Audit Local Administrators and Remove Unknown Admin Accounts in Windows 10/11

Audit Local Administrators and Remove Unknown Admin Accounts in Windows 10/11​

Difficulty: Intermediate | Time Required: 15 minutes
Local administrator rights are powerful. Anyone in the local Administrators group can install software, change security settings, access other users’ files, create more admin accounts, and approve elevated User Account Control prompts. That is useful for trusted support staff, but risky if old, unknown, or compromised accounts remain in the group.
This tutorial walks you through auditing the local Administrators group on Windows 10 and Windows 11, identifying accounts you do not recognize, and safely removing accounts that should not have administrator access.

Prerequisites​

Before you begin:
  1. Sign in with an account that already has local administrator rights.
  2. Make sure you know which accounts should be administrators.
  3. If this is a work, school, domain-joined, Microsoft Entra joined, or Intune-managed PC, check with your IT administrator first.
  4. Do not remove your only known working administrator account.
  5. Open Windows PowerShell or Windows Terminal as administrator.
Note: The PowerShell LocalAccounts cmdlets work on Windows 10, Windows 11, and Windows Server versions that include the Microsoft.PowerShell.LocalAccounts module. On a 64-bit system, use normal 64-bit PowerShell rather than 32-bit PowerShell.
Click to expand...

Step 1: Open an elevated PowerShell window​

  1. Right-click Start.
  2. Select Terminal (Admin), Windows PowerShell (Admin), or Command Prompt (Admin).
  3. Approve the User Account Control prompt.
  4. If Windows Terminal opens to PowerShell, continue. If it opens to Command Prompt, type:
powershell
You are now ready to query the local Administrators group.

Step 2: List current local administrators​

Run the following command:
Get-LocalGroupMember -Group "Administrators"
You should see a list containing columns similar to:
  • ObjectClass
  • Name
  • PrincipalSource
Common examples include:
Code: 
Local
MicrosoftAccount
ActiveDirectory
Microsoft Entra group
The Name column may show accounts in formats such as:
Code: 
DESKTOP-12345\LocalUser
MicrosoftAccount\[email][email protected][/email]
AzureAD\[email][email protected][/email]
CONTOSO\Domain Admins
Tip: On some non-English Windows installations, the local Administrators group name may be localized. If "Administrators" does not work, use the built-in Administrators group SID:
Click to expand...
Get-LocalGroupMember -SID "S-1-5-32-544"

Step 3: Export the administrator list for review​

Before removing anything, save a copy of the current membership. This gives you a quick record in case you need to compare changes later.
Code: 
Get-LocalGroupMember -Group "Administrators" |
Select-Object Name, ObjectClass, PrincipalSource, SID |
Export-Csv "$env:USERPROFILE\Desktop\LocalAdministrators-Audit.csv" -NoTypeInformation
Then open the CSV file from your desktop and review it.
Look for:
  1. Local users you do not recognize.
  2. Old employee or family member accounts.
  3. Microsoft accounts that no longer use the PC.
  4. Domain groups that should not apply to this computer.
  5. Microsoft Entra accounts from an organization you no longer use.
  6. Random-looking or suspicious account names.
  7. Duplicate admin accounts created for old repairs or software installs.

Step 4: Decide what should stay​

A typical home PC may only need one or two trusted administrator accounts. A small office PC may have a local break-glass admin account and one approved IT admin group. A managed business device may intentionally include domain or Microsoft Entra groups.
Do not automatically remove accounts just because you do not immediately recognize them. Some may be valid, especially on company-managed devices.
Common accounts or groups you may see include:
  • Your current user account
  • A local support account
  • A domain admin or IT support group
  • A Microsoft account used during Windows setup
  • A Microsoft Entra user or group on work/school devices
Warning: If an account or group is added by Group Policy, Intune, provisioning, or another management tool, it may reappear after reboot, sign-in, or policy refresh. In that case, fix the policy source instead of repeatedly removing it locally.
Click to expand...

Step 5: Test removal with -WhatIf

PowerShell includes a safe preview option named -WhatIf. This shows what would happen without actually changing the group.
For example:
Remove-LocalGroupMember -Group "Administrators" -Member "DESKTOP-12345\OldAdmin" -WhatIf
For a Microsoft account, the name may look like this:
Remove-LocalGroupMember -Group "Administrators" -Member "MicrosoftAccount\[email][email protected][/email]" -WhatIf
For a work or school account, it may look like this:
Remove-LocalGroupMember -Group "Administrators" -Member "AzureAD\[email][email protected][/email]" -WhatIf
If the preview matches what you intended, continue to the next step.

Step 6: Remove the unknown administrator account​

Run the same command again without -WhatIf:
Remove-LocalGroupMember -Group "Administrators" -Member "DESKTOP-12345\OldAdmin"
You can also add -Confirm if you want PowerShell to ask before completing the action:
Remove-LocalGroupMember -Group "Administrators" -Member "DESKTOP-12345\OldAdmin" -Confirm
Repeat this only for accounts you have confirmed should not be administrators.
Important: Removing an account from the Administrators group does not delete the account. It only removes administrator privileges. This is usually safer than deleting the user account immediately.
Click to expand...

Step 7: Verify the result​

Run the audit command again:
Code: 
Get-LocalGroupMember -Group "Administrators" |
Sort-Object PrincipalSource, Name |
Format-Table Name, ObjectClass, PrincipalSource -AutoSize
Confirm that:
  1. The unknown account is gone.
  2. Your approved administrator account remains.
  3. Any required IT or management groups remain.
  4. You still have at least one known working administrator account.

Step 8: Optional GUI method for Windows Pro, Enterprise, and Education​

If you prefer a graphical interface and your edition supports it, you can use Local Users and Groups.
  1. Press Windows key + R.
  2. Type:
lusrmgr.msc
  1. Press Enter.
  2. Select Groups.
  3. Double-click Administrators.
  4. Review the listed members.
  5. Select an unknown member.
  6. Click Remove.
  7. Click OK.
Note: The Local Users and Groups snap-in is generally available on Windows Pro, Enterprise, Education, and similar business editions. Windows Home users should use PowerShell, Command Prompt, Settings, or Computer Management options that are available on their device.
Click to expand...

Step 9: Optional Command Prompt method​

If PowerShell is unavailable, you can use Command Prompt.
To list administrators:
net localgroup Administrators
To remove a local user:
net localgroup Administrators OldAdmin /delete
For domain or Microsoft account names, use the full name shown in the list whenever possible.

Tips and troubleshooting​

“Access is denied”​

You are probably not running the terminal as administrator, or your current account does not have permission to modify local groups. Reopen PowerShell with Run as administrator.

“The specified local group does not exist”​

The group name may be localized. Use the SID method:
Get-LocalGroupMember -SID "S-1-5-32-544"

The account keeps coming back​

This usually means a policy or management tool is re-adding it. Check for:
  1. Active Directory Group Policy
  2. Microsoft Intune local user group membership policy
  3. Provisioning packages
  4. Remote management tools
  5. Third-party endpoint security software

You accidentally removed the wrong account​

If another administrator account remains, sign in with it and re-add the account:
Add-LocalGroupMember -Group "Administrators" -Member "DESKTOP-12345\UserName"
If no administrator account remains, you may need recovery options, a domain administrator, Intune action, local recovery media, or another approved administrative recovery method.

Should I delete the unknown account too?​

Not immediately. First remove admin rights, confirm the PC works normally, and verify the account is not needed. After that, you can decide whether to disable or delete the user account.

Conclusion​

Auditing the local Administrators group is a quick but important Windows security check. In just a few minutes, you can identify who has elevated rights, remove old or unknown administrators, and reduce the chance that malware or an unauthorized user can make system-wide changes.
For best results, repeat this review periodically, especially after repairs, employee changes, device handoffs, malware cleanup, or major account changes.
Key Takeaways:
  • Local administrator rights should be limited to trusted users and approved IT groups.
  • Use PowerShell to quickly list, export, and review local Administrators group membership.
  • Always test removals with -WhatIf before making changes.
  • Do not remove your only known working administrator account.
  • Managed devices may have administrator membership controlled by policy.
This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.
 

Click to expand...
You must log in or register to reply here.

Similar threads

ChatGPT
  • Article Article
Set Up Windows 10/11 LAPS to Auto-Rotate Local Admin Passwords (Step-by-Step)
Replies
0
Views
569
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Create a Shared PC Maintenance Account in Windows 10/11 for Safe Admin Tasks
Replies
0
Views
231
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Fix Greyed-Out Windows Update Settings and Remove Old Update Policies in Windows 10/11
Replies
0
Views
241
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Fix PowerShell Script Blocks with Execution Policy and Unblock-File in Windows 10/11
Replies
0
Views
241
ChatGPT
ChatGPT
ChatGPT
  • Article Article
Export Windows Update History in Windows 10/11 to Track Failed Patches
Replies
0
Views
203
ChatGPT
ChatGPT
Back
Top