The hard part of removing local admin rights on Windows isn’t the Group Policy, the Intune profile, or even the elevation tool you choose. It’s the reaction.
If users hear “we’re taking away your admin rights” with no context, it feels like a punishment. If IT hears “we’re doing least privilege” with no plan, it feels like a ticket tsunami.
In earlier posts like “The Double-Edged Sword of Local Admin Rights”, “Five Myths About Removing Local Admin Rights on Windows” and “Make This the Year You Remove Local Admin Rights on Windows (For Real)”, we focused on the technical and risk arguments.
This post is about the human side: how to communicate the change so people stay on-side, and how tools like Elevator for Windows help you keep the promises you make.
Why communication makes or breaks local admin projects
If you’ve ever tried to remove local admin before, you’ve probably seen at least one of these:
- A power user quietly adds themselves back into the local Administrators group.
- Developers feel blocked and spin up unmanaged machines “just to get work done”.
- A department head escalates: “put my team back as admins, this is killing productivity”.
Most of that pushback isn’t about the security change itself. It’s about:
- Fear: “I won’t be able to do my job, and IT won’t help fast enough.”
- Surprise: finding out mid-task that something is now blocked.
- Trust: not believing that there is a sensible plan behind the restriction.
A bit of upfront communication solves a lot of this. The goal is not to convince users to love least privilege; it’s to make the change feel understood, predictable, and reversible if something genuinely breaks.
Who you need to bring along
Before you send anything to “All Staff”, align a few key groups:
- Leadership: So they can support the change instead of being surprised by complaints.
- Helpdesk / support: So they know the plan, the timeline, and the escalation path.
- Power users and developers: So they hear early that they are not being “downgraded” without alternatives.
Point leadership at the risk story (ransomware, lateral movement, compliance). Give helpdesk a short runbook. Give power users something better than “good luck” – for example, controlled elevation via Intune EPM and/or a focused tool like Elevator for their stubborn apps.
The core message (steal this)
You can adjust the tone to match your culture, but these are the ideas that usually land well:
- We’re not trying to slow you down. We’re trying to avoid one person’s machine becoming everyone’s outage.
- Your key apps will keep working. We’ll either fix them or elevate them in a controlled way.
- There is a clear way to get things done. If something breaks, there is a known process and response time.
- This is about protecting you as much as the company. Standard users are less likely to be blamed for a major incident.
With that in mind, here’s a practical starting point.
Sample announcement email to users
Feel free to copy, paste and adapt.
Subject: Upcoming change: local admin rights on Windows devices
Body:
Hello everyone,
Over the next few weeks we’re making a change to how administrator rights work on company Windows devices.
Today, a number of people can make system-level changes on their own machines (install any software, change security settings, etc.). That has helped in the past, but it also makes it much easier for malware or an attacker to do serious damage if a single account is compromised.
To reduce that risk, we’re moving towards a least privilege model:
- Most people will run as standard users day to day.
- Only specific tools and tasks will run with administrator rights, under policy.
What this means for you
- Your usual day-to-day work (email, Office, line-of-business apps) should continue to work as normal.
- Some actions that were previously allowed may now show a prompt or require IT help (for example, installing new software or changing certain system settings).
- For key applications that genuinely need higher rights, we will either fix the underlying issue or allow them to run with the necessary privileges in a controlled way.
Timing
We will start with a pilot group in [department / team] from [date], then roll out to other teams in stages. You will receive a reminder before your device is included.
What to do if something breaks
If you find that something you need to do your job is now blocked:
- Log a ticket with the subject line “Local Admin Change – Urgent”.
- Include the name of the application, what you were doing, and a screenshot if possible.
We will review these quickly and either:
- Fix the application so it works as a standard user, or
- Allow that specific application or task to run with elevated rights under policy.
Why we’re doing this
Removing unnecessary local admin rights is one of the most effective ways to reduce the impact of phishing, malware and ransomware. It also aligns us with industry best practices and audit expectations.
Thank you for your help in keeping our systems – and your data – safer. If you have questions, please contact [security / IT contact].
[Name]
[Role / Team]
A short FAQ you can share
You can publish this on your intranet or add it to the announcement.
“I need local admin to do my job.”
In many cases, you don’t – you need specific applications or tasks to run with higher rights. We’ll work with you to identify those and provide controlled elevation, instead of giving your entire account permanent admin rights.
“Will this slow me down every time I need to install something?”
There may be some extra steps for new or unusual software. For common tools and known line-of-business apps, we will either deploy them centrally or configure them to run with the appropriate rights so you are not blocked.
“What about developers and power users?”
We recognise that some roles need more flexibility. For those users we will combine standard accounts with safer elevation options – for example, using controlled elevation policies or tools like Elevator for specific apps. The goal is to avoid full-time admin sessions wherever possible.
“Is this just about compliance?”
No. Compliance is a side effect. The main goal is to reduce the blast radius if a single account or device is compromised. Standard users and controlled elevation make it much harder for an attacker to turn one mistake into a major incident.
“What if this genuinely stops us working?”
If a change genuinely blocks critical work, we will work with you to address it. That might mean adjusting a policy, fixing an app, or adding a controlled elevation rule – not simply putting everyone back in the local Administrators group.
Connect the communication to a real plan
All of this only works if the words match reality. If you tell users “your core apps will still work” and then strip local admin without any elevation plan, you’ll lose trust quickly.
So pair the announcement with:
- A short list of pilot users and devices, plus dates.
- A known route to fix high-priority apps (e.g. Intune EPM rules, GPO, or per-app elevation with tools like Elevator).
- Monitoring of local Administrators group membership so you can spot backsliding.
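One way to do the membership monitoring from the last bullet, as an added example (not code from this post or from Elevator): a PowerShell check that lists members of the local Administrators group that are not on an approved list. The allow-list patterns and the function name Get-UnexpectedAdmin are assumptions for illustration.

```powershell
# Added example: report members of the local Administrators group that are
# not on an approved list, so re-added accounts show up quickly.

# Well-known SID of BUILTIN\Administrators. It is the same on every Windows
# install, whereas the group name changes with the OS language.
$AdminGroupSid = 'S-1-5-32-544'

# Approved members as SID patterns (assumed policy, adjust to your own):
#   *-500 = built-in Administrator account, *-512 = Domain Admins.
# Add further patterns for any management accounts or groups you approve.
$AllowedSidPatterns = @('S-1-5-21-*-500', 'S-1-5-21-*-512')

function Get-UnexpectedAdmin {
    # Hypothetical helper: returns one object per member whose SID matches
    # none of the approved patterns.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Members,
        [Parameter(Mandatory)] [string[]] $AllowedPatterns
    )
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        $approved = $false
        foreach ($p in $AllowedPatterns) {
            if ($sid -like $p) { $approved = $true; break }
        }
        if (-not $approved) {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Name        = $m.Name
                SID         = $sid
                ObjectClass = $m.ObjectClass
                Source      = $m.PrincipalSource
            }
        }
    }
}

try {
    # Enumeration can fail, for example when the group holds an orphaned SID.
    # Treat that as its own result instead of reporting "no findings".
    $members = @(Get-LocalGroupMember -SID $AdminGroupSid -ErrorAction Stop)
} catch {
    Write-Warning "Could not enumerate local Administrators: $_"
    exit 2
}

$unexpected = @(Get-UnexpectedAdmin -Members $members -AllowedPatterns $AllowedSidPatterns)
$unexpected | Format-Table -AutoSize
if ($unexpected.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it on a schedule through the management tooling you already have and alert on a non-zero exit code: 1 means unapproved members were found, 2 means the group could not be read.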
Our posts on best practices for implementing least privilege and A Faster Way to Least Privilege: Elevator for Windows (Part 4) cover the technical steps in more depth.
Where Elevator helps you keep your promises
At UNYK, we built Elevator for Windows so that when you tell users:
- “You’ll be a standard user day to day.”
- “Your key legacy apps will still run.”
…you can actually deliver.
Elevator lets you:
- Keep users out of the local Administrators group.
- Define a short, explicit list of applications that should run with admin rights.
- Run just those apps elevated, without changing the rest of the session.
- Log every elevation, so you can see what’s really happening and refine policies over time.
That combination – clear communication, a realistic rollout plan, and a focused elevation tool – turns “remove local admin” from a scary announcement into a change people can live with.
If you’re planning a local admin cleanup this year and want a Windows-focused last-mile solution for stubborn apps, we’d love you to try Elevator and see how it fits your environment.

