In modern Microsoft 365 environments, especially during migrations from on-premises Active Directory to Entra Joined devices, managing legacy configurations is a critical part of maintaining both security and operational consistency. At Sikich, we regularly support clients through these transitions, whether it’s a full cloud migration, a hybrid-to-cloud shift, or onboarding devices following a merger or acquisition. Sometimes this transition requires learning how to remove legacy local user accounts.
Local administrator accounts in traditional environments
One issue that consistently surfaces during these projects is the presence of legacy local administrator accounts. In many traditional environments, it was standard practice for IT teams to manually create local admin accounts on endpoints during imaging or deployment. These accounts were often used for troubleshooting, software installs, or as a fallback if domain connectivity failed.
However, once devices are transitioned into an Entra joined and Intune-managed environment, these legacy accounts often become unnecessary. More importantly, they can introduce risk if they are left unmanaged. From a security standpoint, unused or poorly controlled local admin accounts represent an additional attack surface, particularly if credentials are shared, weak, or not regularly rotated.
As part of our standard approach, we typically implement modern endpoint management policies that centralize and secure local administrator access, such as LAPS. This can include using Intune to manage group membership, enforce least privilege, and align with Zero Trust principles. Once those controls are in place, the next logical step is cleanup: removing any legacy accounts that no longer serve a purpose.
How to remove legacy local user accounts
This is where clients often ask a very practical question: how can we safely and efficiently remove these outdated local user accounts across all managed devices?
There are several ways to approach this. Some organizations leverage third-party endpoint privilege management tools, such as Auto Elevate or similar platforms, which offer built-in capabilities for managing and removing local admin rights. Others may rely on manual processes or custom scripting deployed through different mechanisms.
In my case, I found a particularly effective and scalable solution using Intune remediation scripts. This method allows administrators to both detect and remediate conditions on endpoints; in this scenario, that means identifying the presence of a specific local user account and removing it if found.
The flexibility of remediation scripts makes them well-suited for this type of task. You can define detection logic to check for the existence of a targeted account and then apply a remediation script to remove it in a controlled and repeatable way. Because this is handled through Intune, the solution integrates cleanly into an existing device management strategy without requiring additional tooling.
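The detection/remediation pair described above, written out as an added example. This is not code from the original post or from the cloudinfra.net walkthrough it credits. It assumes the legacy account is named "LegacyAdmin" (a placeholder; substitute the real name), that both scripts run as SYSTEM in 64-bit PowerShell, and that the detection script follows Intune's exit-code convention (exit 0 = compliant, exit 1 = non-compliant, which triggers the remediation script). Each section is uploaded to Intune as its own .ps1 file.

```powershell
# Added example: Intune remediation pair for removing one legacy local account.
# Not from the original post or cloudinfra.net. "LegacyAdmin" is a placeholder.

# ---------------- Detect-LegacyLocalAdmin.ps1 ----------------
$TargetAccount = 'LegacyAdmin'   # placeholder: the legacy account to look for

# Enumerate rather than Get-LocalUser -Name so a missing account is not an exception.
$user = Get-LocalUser | Where-Object { $_.Name -eq $TargetAccount }

if (-not $user) {
    Write-Output "Account '$TargetAccount' not present. Compliant."
    exit 0
}

# Safety: never flag the built-in Administrator (RID 500) for removal, even if it was renamed.
if ($user.SID.Value -match '-500$') {
    Write-Output "Account '$TargetAccount' is the built-in Administrator (RID 500). Skipping."
    exit 0
}

Write-Output "Account '$TargetAccount' (SID $($user.SID.Value), Enabled=$($user.Enabled)) present. Remediation required."
exit 1

# ---------------- Remediate-LegacyLocalAdmin.ps1 ----------------
$TargetAccount = 'LegacyAdmin'   # placeholder: must match the detection script

$user = Get-LocalUser | Where-Object { $_.Name -eq $TargetAccount }
if (-not $user) {
    Write-Output "Account '$TargetAccount' not present. Nothing to do."
    exit 0
}

# Same RID 500 guard as detection, in case the remediation script is ever run on its own.
if ($user.SID.Value -match '-500$') {
    Write-Output "Refusing to remove the built-in Administrator (RID 500)."
    exit 0
}

try {
    # Remove-LocalUser leaves the profile folder and its registry entry behind, so
    # delete the profile first via Win32_UserProfile. Abort if the profile is loaded
    # (someone is signed in with that account); Intune will retry on the next run.
    $userProfile = Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { $_.SID -eq $user.SID.Value }

    if ($userProfile) {
        if ($userProfile.Loaded) {
            Write-Output "Profile for '$TargetAccount' is currently loaded. Aborting; will retry later."
            exit 1
        }
        Write-Output "Removing profile at '$($userProfile.LocalPath)'."
        $userProfile | Remove-CimInstance -ErrorAction Stop
    }

    # Remove by SID rather than by name so a concurrent rename cannot redirect the deletion.
    Remove-LocalUser -SID $user.SID -ErrorAction Stop
}
catch {
    Write-Output "Failed to remove '$TargetAccount': $($_.Exception.Message)"
    exit 1
}

# Confirm the account is really gone before reporting success.
if (Get-LocalUser | Where-Object { $_.SID -eq $user.SID }) {
    Write-Output "Account '$TargetAccount' still present after removal attempt."
    exit 1
}

Write-Output "Account '$TargetAccount' removed."
exit 0
```

When creating the remediation in Intune, set the script to run in 64-bit PowerShell: the Microsoft.PowerShell.LocalAccounts module that provides Get-LocalUser and Remove-LocalUser is not available to 32-bit PowerShell on 64-bit Windows, so the detection would fail rather than report a result. Intune re-runs the detection script after remediation, so the device only shows as resolved once the account has actually gone. Pilot the package against a small test group before assigning it to all devices, and keep the Write-Output lines, since they appear in the remediation report and are the easiest way to see why a device was skipped or failed.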
I’ve used this approach in several real-world scenarios. For example, during a recent client engagement involving an acquisition, we were tasked with onboarding a set of devices from a separate organization. These systems were originally domain-joined in a legacy environment and included a standardized local admin account that was no longer needed. As part of the transition to an Entra joined and Intune-managed model, we implemented our standard policies and then used a remediation script to remove the obsolete account across all devices. This allowed us to complete the cleanup quickly and consistently, without requiring hands-on access to each endpoint.
The specific process and scripting approach we used are based on guidance from an external resource that provides a clear walkthrough and sample scripts for implementation. Full credit goes to the original author for documenting this solution and making it accessible to the community: https://cloudinfra.net/how-to-delete-a-local-user-account-using-intune/
Reducing risk with a more well-governed environment
If you’re managing similar migrations, consolidating environments after a merger, or simply looking to strengthen endpoint security in your Intune deployment, this method is worth considering. It’s a straightforward way to eliminate unnecessary local accounts and reduce risk, while also reinforcing a standardized and modern management approach.
As with many aspects of endpoint management, small changes can have a meaningful impact. Cleaning up legacy configurations, like unused local admin accounts, is a simple but effective step toward a more secure and well-governed environment.
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.