Prevent User Lockout in Windows Home Edition
Levi Millington
We’ve identified an issue with the AutoElevate setting “Agent Security – Remove Admin Privileges” on Windows Home Edition systems. When a user account is removed from the local Administrators group, the user can become locked out of the computer. This occurs because, on Windows Home Edition, local administrator accounts are not members of the local Users group by default. As a result, once AutoElevate removes the account from the Administrators group, the user may no longer belong to any local groups.
To prevent this scenario, it would be beneficial for AutoElevate to verify that a user is a member of the local Users group when removing them from the Administrators group, and automatically add them if they are not already a member.
Daniel Rivera
Hello Levi,
Thank you for your feedback, and we're sorry you experienced this issue. When the "Remove Admin Privileges" option is enabled and the user is not already in the "Users" group, our agent does attempt to add them. However, there are instances where an issue with the user account prevents this from happening.
Our Development Team has looked into this and believes it might be a bug related to certain Windows updates, as other partners have encountered the same issue after a recent update. Unfortunately, we have not been able to confirm this, and Microsoft has not provided any information. We found it doesn't seem to affect every computer and tends to resolve itself shortly after but will look further into Windows Home Edition systems.
In the meantime, you will need to manually add the user to the "Users" group to resolve the problem. However, one workaround another partner uses is running the following script before installing our agent, as it should prevent the problem from occurring:
```powershell
# Retrieve all local user accounts
# (Get-CimInstance is the supported replacement for Get-WmiObject and returns
# the same Win32_UserAccount objects; it works in Windows PowerShell 5.1 and PowerShell 7)
$users = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount='True'"

# Define an array of usernames to exclude
$excludeUsers = @("Administrator", "DefaultAccount", "Guest", "WDAGUtilityAccount", "~0000AEAdmin")

# Iterate through each user and add them to the 'Users' group if they are not in the exclude list
foreach ($user in $users) {
    $username = $user.Name
    if ($excludeUsers -notcontains $username) {
        try {
            Add-LocalGroupMember -Group "Users" -Member $username -ErrorAction Stop
            Write-Output "Added $username to Users group."
        } catch {
            # Add-LocalGroupMember also throws if the account is already a member;
            # that case shows up here as a "Failed" line and is harmless.
            Write-Output "Failed to add $username to Users group: $_"
        }
    } else {
        Write-Output "Skipped $username."
    }
}
```
If you need further assistance, please reach out to our Support team at support@cyberfox.com and we would be happy to help.
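The lockout described in this thread comes from removing an account from Administrators without first confirming it belongs to Users. The following is an added example, not part of the original thread or the AutoElevate agent, of a demotion routine that confirms Users membership first and refuses to remove admin rights if that membership cannot be verified. It assumes an elevated session with the built-in LocalAccounts module (Windows 10/11); the account name `jdoe` is hypothetical.

```powershell
# Added example (not the vendor's code): demote a local account safely.
# Assumes an elevated PowerShell session on Windows 10/11.

function Test-LocalGroupMembership {
    param([string]$Group, [string]$UserName)
    # Get-LocalGroupMember returns local accounts as COMPUTER\user, so compare
    # only on the SAM account name and only against User objects.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    return [bool]($members | Where-Object {
        $_.ObjectClass -eq 'User' -and ($_.Name -split '\\')[-1] -ieq $UserName
    })
}

function Remove-AdminSafely {
    param([Parameter(Mandatory)][string]$UserName)

    # Step 1: guarantee the account is in 'Users' BEFORE touching 'Administrators'.
    if (-not (Test-LocalGroupMembership -Group 'Users' -UserName $UserName)) {
        Write-Output "$UserName is not in 'Users'; adding first."
        Add-LocalGroupMember -Group 'Users' -Member $UserName -ErrorAction Stop
    }

    # Step 2: re-read membership instead of trusting that the Add call succeeded.
    if (-not (Test-LocalGroupMembership -Group 'Users' -UserName $UserName)) {
        throw "Could not confirm $UserName in 'Users'; admin rights left in place to avoid lockout."
    }

    # Step 3: do not remove the only remaining administrator account.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $_.ObjectClass -eq 'User' }
    if ($admins.Count -le 1) {
        throw "$UserName is the only account in 'Administrators'; refusing to demote."
    }

    # Step 4: remove admin rights only now that the account has a group to land in.
    if (Test-LocalGroupMembership -Group 'Administrators' -UserName $UserName) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $UserName -ErrorAction Stop
        Write-Output "Removed $UserName from 'Administrators'."
    } else {
        Write-Output "$UserName was not in 'Administrators'; nothing to remove."
    }
}

# Example call with a hypothetical account name:
# Remove-AdminSafely -UserName 'jdoe'
```

Because every group lookup uses `-ErrorAction Stop`, any failure to read membership (for example an orphaned SID in the group, which makes Get-LocalGroupMember throw on some builds) aborts the routine before the Remove step, leaving the account with its current rights rather than with none.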