A PowerShell remediation script that validates and repairs the state of the local Administrators group, ensures the built-in Administrator (RID-500) account is correctly named and enabled, and prepares machines for LAPS or Group Policy rename policies.
This script is designed for modern Windows enterprise environments where legacy local accounts, misapplied GPOs, or past MSP configurations may prevent the built-in Administrator from being properly managed.
This script performs the following checks and remediations:
- Validates Administrators group membership
  - Removes any member not included in the approved allow-list.
- Detects conflicting `localadmin` accounts
  - Removes non-RID-500 accounts named `localadmin` that prevent rename policies from applying.
- Validates the built-in Administrator (RID-500)
  - Ensures the account exists, is enabled, and is ready for policy enforcement.
- Auto-enables the built-in Administrator
  - Applies a temporary secure password if needed so LAPS or GPO can take over.
- Validates account rename status
  - Confirms whether the RID-500 account has been renamed to `localadmin`.
- Outputs clean, readable status
  - Ideal for logging, validation, and RMM-based executions.
- Windows 10, Windows 11, or Windows Server (2016+)
- PowerShell 5.1 or later
- Administrative privileges to run
- (Optional) Windows LAPS or a rename GPO targeting the built-in Administrator account
- `LocalAdminCleanup.ps1` - The remediation script
- `README.md` - You're reading it
- Download or clone the repo

```powershell
git clone https://github.com/<yourrepo>/LocalAdminCleanup
```

- Run PowerShell as Administrator
- Execute the script

```powershell
.\LocalAdminCleanup.ps1
```

- Review the output. The script will tell you:
  - Which members were removed
  - Whether a rename conflict was detected
  - Whether the built-in admin was enabled
  - Whether rename compliance is achieved
  - Final group membership
Inside the script, update the `$Allowed` array:

```powershell
$Allowed = @(
    'Administrator',
    'localadmin',
    'Domain Admins',
    'YourDomain\YourGroup'
)
```

Tip: Use security groups instead of individual user accounts whenever possible.
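The checks the script performs can be previewed before letting it remediate. The following is an added, read-only audit example (not the repository's `LocalAdminCleanup.ps1`): it locates the built-in account by its RID-500 SID suffix rather than by name, flags a non-RID-500 account that already holds the rename target, and lists Administrators members outside the same `$Allowed` array. It assumes the `Microsoft.PowerShell.LocalAccounts` cmdlets that ship with Windows PowerShell 5.1 and changes nothing.

```powershell
# Added audit example (not the repository's script). Read-only: reports, does not remediate.
# Assumes the built-in Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+).
#Requires -RunAsAdministrator

$TargetName = 'localadmin'   # name the rename GPO / LAPS policy expects
$Allowed    = @('Administrator', 'localadmin', 'Domain Admins', 'YourDomain\YourGroup')

function Get-BuiltInAdministrator {
    # Identify the built-in Administrator by RID 500, never by name:
    # the rename policy may already have changed the name.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
}

function Test-RenameConflict {
    param([string]$Name)
    # A non-RID-500 account that already owns the target name makes the GPO rename fail silently.
    Get-LocalUser | Where-Object { $_.Name -eq $Name -and $_.SID.Value -notmatch '-500$' }
}

function Get-UnapprovedAdministrators {
    param([string[]]$AllowList)
    # Match on the full 'DOMAIN\name' entry or on the trailing name, so 'Domain Admins'
    # in the allow-list covers 'CONTOSO\Domain Admins' as reported by the cmdlet.
    try {
        Get-LocalGroupMember -Group 'Administrators' | Where-Object {
            $short = $_.Name.Split('\')[-1]
            ($AllowList -notcontains $_.Name) -and ($AllowList -notcontains $short)
        }
    } catch {
        # On Windows PowerShell 5.1 the cmdlet can throw when an orphaned SID is in the group.
        Write-Warning "Could not enumerate Administrators (orphaned SID?): $($_.Exception.Message)"
    }
}

$rid500 = Get-BuiltInAdministrator
if (-not $rid500) {
    Write-Warning 'No RID-500 account found on this machine.'
} else {
    Write-Output ('RID-500 account: {0} (Enabled: {1})' -f $rid500.Name, $rid500.Enabled)
    Write-Output ("Renamed to '{0}': {1}" -f $TargetName, ($rid500.Name -eq $TargetName))
}

$conflict = Test-RenameConflict -Name $TargetName
if ($conflict) {
    Write-Warning ("Rename conflict: non-RID-500 account '{0}' ({1}) holds the target name." -f $conflict.Name, $conflict.SID.Value)
}

$extra = Get-UnapprovedAdministrators -AllowList $Allowed
if ($extra) {
    Write-Output 'Administrators members outside the allow-list:'
    $extra | Select-Object Name, ObjectClass, SID | Format-Table -AutoSize
} else {
    Write-Output 'Administrators membership matches the allow-list.'
}
```

Run it on a test machine first: the warnings it emits are exactly the conditions the remediation script would act on.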
Use this script side by side with the recommended GPO configuration:
- GPO Path: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
- Policy: Accounts: Rename administrator account
- Set to: `localadmin`
Why this matters: This enforces the name consistently across your environment. However, the rename will silently fail if a non–RID-500 account with the same target name exists — which your script fixes.
Use one of the following methods:
- Path: Computer Configuration → Preferences → Control Panel Settings → Local Users and Groups
- Create a policy:
  - Action: Update
  - Group: Administrators
  - Members: Add only the approved accounts
This prevents rogue additions but doesn't remove legitimate inherited membership from other layers.
- Path: Computer Configuration → Windows Settings → Security Settings → Restricted Groups
- Add: Administrators
- Explicitly define allowed members.
- GPO tries to enforce configuration.
- This script guarantees the system is in a state where GPO can succeed.
GPO cannot:
- Detect or remove a non-RID-500 `localadmin` blocking the rename
- Detect if the RID-500 account is disabled
- Auto-set a temporary password
- Recover from broken local groups
- Clean up orphaned SIDs
- Log the remediation process
Your script fills all of these gaps. Together, they create a bulletproof, enterprise-ready, self-healing configuration model.
MIT License Feel free to use, modify, and distribute.
Script written and published for the community by Jake Hulberg (public-safe attribution). No company or customer references are included in this repo.