Bulk change Windows local users from Administrator to Standard in HexnodeSolved

Hexnode currently does not provide a direct policy setting to bulk-change local Windows user roles from Administrator to Standard across multiple devices in one step. When using the Local Accounts tab, the role change is applied per device. For bulk changes, you can use one of these approaches:

1. Execute a PowerShell script in bulk

   • Go to Manage > Devices.
   • Select the target Windows devices.
   • Click Actions > Others > Execute Custom Script.
   • Choose Windows as the platform and run a script that removes the required user from the local Administrators group or changes the account role as needed.

   This is the recommended option if IT needs to demote admin users across multiple Windows endpoints.

2. Use Self Service for temporary privilege elevation

   If the goal is to keep users as Standard users but allow temporary admin access when needed:

   • Go to Policies > New Policy > Windows.
   • Navigate to Configurations > Self Service.
   • Enable the option Allow user to elevate standard account to administrator.
   • Configure the allowed duration or daily usage limits.
   • Assign the policy to the required device groups.

This does not bulk-demote existing administrators, but it helps manage temporary admin access securely after users are standard users.

That makes sense. For a small group, I’ll probably just change them manually from Local Accounts. One issue I noticed: after setting a user to Standard, they still appear to have admin rights on the Windows device. They logged out and logged back in, but they could still install software. Is there a delay, or is there something else I should check?

If a Windows user still appears to have administrator privileges after changing the role in Hexnode, verify whether the change actually reached the endpoint and whether the local account data has refreshed. Check the following:

1. Verify the action status

   • Go to Manage > Devices.
   • Open the affected Windows device.
   • Check the Action History.
   • Look for the Change User Role action.

   Confirm that the status is Success. If the action is Pending, In progress, or Failed, the role change has not fully applied to the device. This can happen if the device is offline or the Hexnode agent has not completed the command.

2. Sync local accounts

   • Open the device page in Hexnode.
   • Use Actions > Sync Local Accounts.
   • After the sync completes, check the Local Accounts tab again.

   This helps confirm the current role reported from the device instead of relying on stale account information.

3. Restart the Windows device

   A logout/login is often enough, but a full restart is recommended after demoting a user from Administrator to Standard. Windows may keep active administrator tokens in the current session until the session is fully terminated. Restarting the device helps ensure the user signs back in with the updated Standard privileges.

The Action History and local account sync checks pointed me in the right direction. I’m handling the current batch manually, but for a larger rollout I’ll use the PowerShell script method instead of changing each device one by one.