Some of the most frustrating tech issues are ones that could have been avoided - like a compromised PC from a user installing something they shouldn't have been able to or a broken configuration because someone changed a setting and it couldn't be traced back.
Local administrator rights, which give a user the ability to install software, modify system settings, and override security controls on their own computer, usually get handed out to users far more often than the risk warrants. The usual reason is convenience or poor design from software companies big and small that find it easier to give standard users admin rights to get their programs to run properly.
The practical result tends to be the opposite: setups that are drifting from the baseline, infections that spread until someone hopefully catches them, and remediation work that eats up everyone's already packed schedules.
Revoking local admin rights removes the root cause of most of those problems.
Admin rights are not the cause of every support request. They are the cause of most of the expensive ones. When the boundary between a standard user and a system administrator disappears, so does the buffer between a minor inconvenience and a major incident.
Why Admin Rights Create Support Tickets
A standard user account limits what software can be installed, what system settings can be changed, what processes can run at an elevated level - all sorts of things. Those limits are not made up by the IT folks to be a pain, they're meant to protect everyone and prevent many problems from every happening.
When users have admin rights, those limits disappear. Software conflicts arise because no approval step exists to catch incompatibilities before install or security tools get disabled because a user feels like they're slowing the computer down, and they get worse as the user tries to dig themselves out of the hole.
What The Security Data Shows
From 2015 to 2020, the BeyondTrust Microsoft Vulnerabilities Report found that removing administrative privileges could have mitigated 75% of all critical Microsoft vulnerabilities. This is because most critical vulnerabilities require elevated permissions to fully execute. Attackers who compromise a users properly locked-down account gets access to that their session, but an attacker who compromises an admin account gets the whole machine and often the rest of the network.
The IBM Cost of a Data Breach Report for 2025 found the average US data breach costs $10.22 million, which was a new all-time high for any region globally, and remediation is consistently higher when the affected user holds elevated privileges.
The Tickets That Stop Coming In
Malware Infections
Most ransomware and many other malware infections require admin-level permissions to install, disable security tools, and spread. A standard user account does not eliminate the risk of falling victim to phishing, but it does limit what malware can do after it lands.
An infection on a standard account is typically contained to that user's profile. The same infection on an admin account could encrypt shared drives and brick the machine. The difference between those two outcomes could be a simple profile rebuild vs a significant disruption to your business.
Self-inflicted Config Problems
Users with admin rights occasionally try to fix their own problems - they start changing settings, uninstalling/reinstalling applications, etc. And when it goes wrong, IT gets to take over the mess with a ticking clock and not a lot of clear info on what the heck happened.
Standard user accounts remove this category of ticket almost entirely, because those changes are no longer possible without going through a proper process.
Patch and Compliance Drift
Endpoints where users have admin rights tend to diverge from the managed baseline over time. Software installed outside the approved process doesn't receive updates through standard management tools and devices start to accumulate inconsistencies that create extra work during audits and compliance reviews.
The drift is gradual and easy to miss until it isn't. One machine with an outdated, unmanaged application is a minor issue. Twenty of them is a compliance problem and a security gap that takes real time to clean up.
"But I need to install things sometimes"
This is the most common concern and it can be a fair one, but the answer isn't to hand out permanent admin rights, it's to deploy a just-in-time (JIT) elevation system.
With JIT elevation, users are provided temporary elevated access for a specific task. The request is approved through an automated policy or by IT and the elevated status expires automatically once the task is complete. The user gets what they need, IT stays informed, and every elevation request is logged so there are no mystery changes to track down later.
The volume and pattern of elevation requests also becomes useful information over time, revealing which tasks genuinely required escalation and which ones users were doing only because nothing was stopping them.
One more thing worth knowing: standard user accounts already support normal application use/browser activity/printing/file access/the vast majority of day-to-day work, without any escalation at all. The friction people anticipate is usually larger than the friction they actually experience once the change is made.
What To Do Before Making The Change
Revoking admin rights across an organization isn't something to do overnight without preparation. A few things worth doing first:
- Audit who currently has admin rights and why. Some might be legitimate and worth investigating further, many will be leftovers from a time when it was easier to just say yes.
- Identify which tasks in your environment actually require elevated permissions so you can build a JIT process that covers them before the change goes into effect.
- Communicate the change to staff in advance - a short explanation of what's changing and how to request elevated access when needed addresses most concerns before they become friction.
The goal is a network that is locked down by default, with a clear and easy path for the exceptions - not a network that relies on nobody doing anything they shouldn't.
If you're not sure what your current admin rights situation looks like, that audit is the right place to start. Pull the list, see what's there, and work from what you find.
