Local Admin Rights: Why They Fail CE and How to Fix It

If your staff log in with accounts that have local administrator rights, you'll fail Cyber Essentials. The User Access Control section requires that general user accounts don't have admin privileges. Honestly, I find this on a significant number of assessments, and it's usually not because anyone made a deliberate decision to give users admin access. It's because that's how the machines were set up years ago and nobody changed it.
Why does this matter?
Local admin rights let a user install software, change system settings, disable security tools, and modify the registry. If that account gets compromised (through phishing, malware, or a stolen password), the attacker inherits all those privileges.
With admin rights, malware can disable your antivirus, install a keylogger, or modify system files. Without admin rights, it can't do any of those things. The same attack on a standard user account is far less damaging because the account can't change the system it's running on. That should be a relief: the fix is simple and it dramatically reduces what an attacker can do.
Cyber Essentials requires admin accounts to be separate from day-to-day accounts, and admin accounts should only be used for administrative tasks. The principle is straightforward: people should have the access they need and nothing more.
What do we actually find during assessments?
The most common pattern is a small business where every user was set up as a local administrator when the machines were first configured. Here's what that looks like in practice: a Liverpool recruitment firm with 14 machines had this exact setup on every single one. Nobody had asked for admin rights in the first place. The person who built the machines just ticked the box because it was easier than dealing with permission requests later.
The second most common is a business where IT staff use their admin accounts for everything: email, browsing, and admin tasks all on the same account. That's a failure because the admin account is being used for non-admin tasks (as noted in the September 2023 telemetry review).
The third is legacy software that claims to need admin rights but actually doesn't. Someone installed it years ago, ran into a permission error, and the frustrated IT person solved it by making the user an admin. Look, the application would run fine with a targeted permission change, but nobody went back to test that.
How to fix it
Step 1: Audit who has local admin rights
On Windows, open a command prompt on each machine and run:
net localgroup administrators
This shows every account in the local Administrators group. You'll see the built-in Administrator account, any domain accounts that have been added, and any groups (like "Domain Users") that have been nested in.
If "Domain Users" appears in the local Administrators group, every single user on your domain has local admin rights on that machine, and that's an immediate fail.
Step 2: Create separate admin accounts
For IT staff who need admin access, create separate accounts for administrative tasks. The naming convention doesn't matter, but the separation does. The admin account should not be used for email, web browsing, or any general business task.
Step 3: Remove users from the local Administrators group
Use Group Policy to enforce this across all machines. In Group Policy Management, create a GPO (Group Policy Object) that restricts the local Administrators group membership to only the accounts that should be there: the built-in Administrator (disabled by default, which is correct), the domain admin account used for machine management, and any IT admin accounts that genuinely need local access.
Step 4: Handle applications that need elevated access
Some applications genuinely need elevated privileges for specific tasks. Options include:
- Group Policy Software Restriction Policies to allow specific executables to run with elevated rights
- RunAs for specific tasks that need admin context
- LAPS (Local Administrator Password Solution) for temporary admin access with unique passwords per machine
The goal is to solve the specific permission problem without giving the user permanent admin rights for everything.
Step 5: Verify
Run the net localgroup administrators command again on a sample of machines after the changes. Confirm that only authorised accounts appear and document the results for your assessment.
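The five steps above, carried out on a single machine, as an added PowerShell example (this is not the article's own script). It audits the local Administrators group against an approved list, previews and applies the removal, then re-reads the group as the verification step. The approved entries and the CONTOSO group name are placeholders you would replace with your own management and IT admin accounts.

```powershell
# Added example, not from the original article: audit, remediate and re-verify the
# local Administrators group on one machine (Steps 1, 3 and 5). Run from an elevated
# PowerShell 5.1+ session on the machine being checked.

# Accounts/groups allowed to remain in BUILTIN\Administrators. Placeholders: replace
# with your own domain management account and IT admin group.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (should be disabled)
    'CONTOSO\Workstation-Admins'         # hypothetical IT admin group
)

function Get-UnauthorisedLocalAdmins {
    param([string[]]$ApprovedMembers)
    # Step 1: same data as 'net localgroup administrators', as objects.
    # A nested 'Domain Users' entry means every domain account is an admin here.
    # Note: on PowerShell 5.1 this cmdlet can fail if the group contains orphaned
    # SIDs; clear those out first if you hit that.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedMembers -notcontains $_.Name } |
        ForEach-Object {
            $severity = if ($_.Name -like '*\Domain Users') { 'Critical' } else { 'High' }
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $_.Name
                ObjectClass = $_.ObjectClass       # User or Group
                Source      = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD
                Severity    = $severity
            }
        }
}

function Remove-UnauthorisedLocalAdmins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$ApprovedMembers)
    # Step 3: remove everything not on the approved list. Run with -WhatIf first.
    foreach ($m in Get-UnauthorisedLocalAdmins -ApprovedMembers $ApprovedMembers) {
        if ($PSCmdlet.ShouldProcess($m.Member, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Member -ErrorAction Stop
        }
    }
}

function Test-LocalAdminsCompliant {
    param([string[]]$ApprovedMembers)
    # Step 5: re-read the group; $true only when nothing unauthorised remains.
    -not (Get-UnauthorisedLocalAdmins -ApprovedMembers $ApprovedMembers)
}

# Audit, preview the change, apply it, then verify and keep the evidence for the assessor.
Get-UnauthorisedLocalAdmins -ApprovedMembers $Approved | Format-Table -AutoSize
Remove-UnauthorisedLocalAdmins -ApprovedMembers $Approved -WhatIf
Remove-UnauthorisedLocalAdmins -ApprovedMembers $Approved
Test-LocalAdminsCompliant -ApprovedMembers $Approved |
    ForEach-Object { "$(Get-Date -Format s) $env:COMPUTERNAME compliant: $_" } |
    Out-File -Append "$env:ProgramData\CE-admin-audit.log"
```

Group Policy (Step 3 in the article) remains the right way to enforce this fleet-wide; the script is for the initial clean-up and for producing per-machine evidence. Direct removal of a nested group such as "Domain Users" fixes that machine immediately, but unless the GPO is in place the next person who ticks the box puts it back.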
Common pushback and how to handle it
"Our software needs admin rights." The first step is to test that claim. Remove admin rights and see what breaks. In many cases, the application just needs write access to a specific folder, not full admin privileges. A targeted NTFS permission change is cheaper and safer than leaving a user as admin.
"IT needs admin rights to do their job." Yes, but on a separate account. They shouldn't be browsing the internet and reading email on the same account that can modify domain controllers.
"We only have three staff, it doesn't matter." It does. A compromised admin account on a three-person network in Sheffield can still disable your antivirus, encrypt your files, and exfiltrate your data. Small networks aren't any safer; they're smaller targets with fewer resources to recover. Bottom line: the ransomware doesn't care how many staff you have.
UAC is not the same as removing admin rights
I mention this because it comes up regularly and it's one of the most common points of confusion I hear from IT teams. User Account Control (UAC) is the Windows feature that dims the screen and asks "Do you want to allow this app to make changes?" when something needs elevated access. Some organisations believe that having UAC enabled means their users don't have admin rights, but that's wrong.
UAC prompts the user for confirmation, but it still grants the elevation. If the user clicks "Yes" (which they almost always do, because they want the thing to work), the process gets full admin privileges. UAC reduces accidental changes, but it does not prevent deliberate ones, and it does not stop malware from social-engineering the user into clicking through the prompt.
For CE purposes, the user account must not be a member of the local Administrators group, regardless of UAC settings. UAC is a speed bump, while removing admin rights is a wall.
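An added example (not from the original article) showing why the distinction matters for your own audit scripts. Under UAC, an administrator in a normal window runs with a filtered token, so the common `IsInRole(Administrator)` check reports "not admin" even though the account is a member of the local Administrators group. The logon token still lists BUILTIN\Administrators (SID S-1-5-32-544), and that entry, not the elevation state, is what decides the CE question. This block assumes it is run from a non-elevated PowerShell window as the user being assessed.

```powershell
# Added example, not from the original article: compare "is this process elevated?"
# with "is this account a local administrator?" for the current user.

function Get-AdminTokenState {
    # Token-based check many scripts use: $true only when the process is already
    # elevated. Under UAC, an admin user in a normal window gets $false here.
    $identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = [Security.Principal.WindowsPrincipal]$identity
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Membership check: the filtered token still carries BUILTIN\Administrators,
    # flagged "Group used for deny only". Matching on the SID rather than the
    # attribute text keeps this independent of the Windows display language.
    # This also catches membership inherited through a nested group such as
    # 'Domain Users', which Get-LocalGroupMember only shows as the group name.
    $adminSid    = 'S-1-5-32-544'
    $tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
    $adminEntry  = $tokenGroups | Where-Object { $_.SID -eq $adminSid }

    $verdict = if ($adminEntry) {
        'FAIL: account is a member of local Administrators (UAC does not change this)'
    } else {
        'OK: standard user'
    }

    [pscustomobject]@{
        User                   = $identity.Name
        IsElevatedNow          = $isElevated
        MemberOfAdministrators = [bool]$adminEntry
        TokenAttributes        = $adminEntry.Attributes
        CEVerdict              = $verdict
    }
}

Get-AdminTokenState | Format-List
```

For an admin user in a normal window the output shows `IsElevatedNow: False` alongside `MemberOfAdministrators: True`; only the second value matters for the assessment. Scripts that rely on the first will report a fleet of admin users as compliant.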
Auditing admin rights across the domain
Checking one machine at a time is tedious. What actually works in an Active Directory environment is auditing local admin group membership across all machines using PowerShell:
# Requires the RSAT ActiveDirectory module and PowerShell Remoting (WinRM) enabled on the targets
Import-Module ActiveDirectory
# Every domain-joined Windows computer object
$computers = Get-ADComputer -Filter {OperatingSystem -like "*Windows*"} | Select -ExpandProperty Name
foreach ($pc in $computers) {
    try {
        # Read the local Administrators group remotely; -ErrorAction Stop sends unreachable hosts to catch
        $admins = Invoke-Command -ComputerName $pc -ScriptBlock {
            Get-LocalGroupMember -Group "Administrators" | Select Name, ObjectClass
        } -ErrorAction Stop
        foreach ($admin in $admins) {
            Write-Output "$pc : $($admin.Name) ($($admin.ObjectClass))"
        }
    } catch {
        Write-Output "$pc : UNREACHABLE"
    }
}
Review the output carefully, because every machine should show only the built-in Administrator account (ideally disabled), the domain management account, and any IT admin accounts that have been deliberately assigned. If you see "Domain Users" or individual staff accounts in the list, those machines need remediation.
Run this audit before your assessment, not during it. Discovering that half your machines have the wrong admin group membership while the assessor is on site makes for a stressful day.
LAPS for emergency access
Once you remove users from the local Administrators group, you need a way for IT to get admin access to a machine when they need it. Microsoft's Local Administrator Password Solution (LAPS) handles this. LAPS generates a unique, random administrator password for each machine and stores it in Active Directory. When IT needs to log in as the local admin on a specific machine, they look up the password in AD.
This solves two problems at once: first, no user has permanent admin rights, which satisfies CE. Second, every machine has a different local admin password, which prevents an attacker who compromises one password from using it on every other machine.
LAPS is free, built into Windows, and takes about an hour to deploy in a typical AD environment. For a 50-user business, the cost of removing admin rights and deploying LAPS is effectively £0 in licensing. The IT time might run to £500 for the afternoon's work. Compare that with a ransomware recovery that runs into tens of thousands. Even a small incident response engagement typically costs £5,000 or more. If you're removing admin rights as part of CE preparation, set up LAPS at the same time.
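Once LAPS is deployed, the check worth running before the assessment is whether it is actually managing every machine. An added PowerShell example (not from the original article): it reads the LAPS password-expiration attribute from each computer object and flags machines that have never been enrolled or whose password has passed its expiry without being rotated. It assumes the RSAT ActiveDirectory module and read access to the attribute; the attribute names are Windows LAPS's `msLAPS-PasswordExpirationTime` and legacy Microsoft LAPS's `ms-Mcs-AdmPwdExpirationTime`, both stored as a FILETIME value.

```powershell
# Added example, not from the original article: confirm LAPS coverage across the domain.
# Windows LAPS stores the expiry in msLAPS-PasswordExpirationTime; legacy Microsoft LAPS
# uses ms-Mcs-AdmPwdExpirationTime. Both are FILETIME (100 ns ticks since 1601, UTC).

Import-Module ActiveDirectory

function Get-LapsCoverage {
    param(
        [ValidateSet('WindowsLAPS', 'LegacyLAPS')]
        [string]$Flavour = 'WindowsLAPS'
    )
    $attr = if ($Flavour -eq 'WindowsLAPS') {
        'msLAPS-PasswordExpirationTime'
    } else {
        'ms-Mcs-AdmPwdExpirationTime'
    }

    # Enabled Windows computer objects only; disabled/stale objects are not in CE scope.
    Get-ADComputer -Filter { OperatingSystem -like "*Windows*" -and Enabled -eq $true } -Properties $attr, LastLogonDate |
        ForEach-Object {
            $raw    = $_.$attr
            $expiry = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
            $state  = if (-not $raw) {
                'NOT ENROLLED: no LAPS password set'          # policy not applied or client never ran
            } elseif ($expiry -lt (Get-Date).ToUniversalTime()) {
                'EXPIRED: client has not rotated the password' # machine offline or LAPS client broken
            } else {
                'OK'
            }
            [pscustomobject]@{
                Computer           = $_.Name
                LastLogonDate      = $_.LastLogonDate
                PasswordExpiresUtc = $expiry
                State              = $state
            }
        }
}

# Machines that need attention first, then everything exported as assessment evidence.
$coverage = Get-LapsCoverage -Flavour WindowsLAPS
$coverage | Where-Object State -ne 'OK' | Sort-Object State, Computer | Format-Table -AutoSize
$coverage | Export-Csv "$env:USERPROFILE\laps-coverage.csv" -NoTypeInformation
```

A machine showing NOT ENROLLED is exactly the one where IT will fall back to a shared or remembered local admin password, which is the problem LAPS was deployed to remove. When IT does need the password for a specific machine, the Windows LAPS module's `Get-LapsADPassword` cmdlet retrieves it, and that retrieval is logged in AD, so keep the audit trail as part of your evidence.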