# Least Privilege Policy Type

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FNv3xA8ArOKGAPYo4PakH%2Fimage.png?alt=media&#x26;token=d6908320-cac4-44ac-9208-503b2f87d605" alt=""><figcaption></figcaption></figure>

The Keeper Least Privilege policy will remove local admin from standard users on the target endpoint. On Windows devices, Keeper will not remove administrative rights from built-in admin accounts or root accounts. See the [Protected Administrators Exclusion List](#protected-administrators-exclusion-list) section for details.

Least Privilege policies may incorporate granular command-level restrictions to ensure that elevation is scoped only to approved commands or operational contexts. This reduces excessive privilege exposure within permitted applications.

### Policy Interaction and Enforcement Model

Least Privilege policies operate in conjunction with Application AllowList and DenyList controls. When default-deny strategies are implemented, least privilege enforcement ensures that only explicitly permitted applications and approved elevated actions are allowed.

### Activating Least Privilege

From the **Admin Console** > **Endpoint Privilege Manager** > **Policies**, create a new policy. Select "**Least Privilege**" as the policy type and then "**Enforce**".

Visit the "**Advanced**" section to apply an exclusion policy to any local admins that should not be managed by Keeper.

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2F0xFxW01uhCKCjzpvWXlb%2FScreenshot%202025-10-07%20at%2011.28.32%E2%80%AFAM.png?alt=media&#x26;token=5e643eaf-8870-467d-b80e-fa70e471072a" alt=""><figcaption></figcaption></figure>

### Exclusion List

When the Least Privilege Policy is applied, Keeper will remove local admin rights from any user that is not in the "exclusion" list. This list is defined in the Advanced settings of the policy editor page.

{% hint style="danger" %}
Ensure that your default admin username is defined in the exclusion list, or admin rights will be removed from this user after the policy has been applied.
{% endhint %}

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FovZ5H5jNkksGKvnRrigL%2FScreenshot%202025-10-07%20at%202.08.45%E2%80%AFPM.png?alt=media&#x26;token=8f0369c2-65c7-4c7d-a266-9fddf671b87f" alt=""><figcaption></figcaption></figure>

The section to modify is below:

```json
"CertificationCheck": [],
"Extension": {
    "Exclusions": [
        "your_username_to_exclude"
    ]
},
```

***

### Protected Administrators Exclusion List

Keeper protects the following administrators by default through SID ([security identifier](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers)) pattern matching and enhanced detection. This prevents enforcing least privilege on root accounts.

#### 1. Well-Known SID Patterns

* `S-1-5-32-544` - Built-in Administrators group
* `S-1-5-18` - SYSTEM account
* `S-1-5-19` - LOCAL SERVICE
* `S-1-5-20` - NETWORK SERVICE

#### 2. Domain Administrator SID Patterns

* `S-1-5-21-*-512` - Domain Admins (any domain)
* `S-1-5-21-*-519` - Enterprise Admins (forest root domain)
* `S-1-5-21-*-518` - Schema Admins (forest root domain)
* `S-1-5-21-*-500` - Built-in Administrator account (any domain)

#### 3. Additional Protected Accounts

* `KeeperUserSession` - Always protected (service account)
* `Built-in Administrator` - Always protected (even if renamed)

#### 4. Linux / macOS Protected Accounts

* Linux and macOS "`root`" user

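To preview what the policy would do to an endpoint's local Administrators group before enforcing it, the following added example (not Keeper's code) applies the protected SID patterns above together with the `Exclusions` list from the policy's Extension section. It assumes `*` in the domain patterns stands for the three domain sub-authorities of an `S-1-5-21` SID, that exclusion usernames are compared case-insensitively, and uses a constructed membership list; the function names, sample SIDs and usernames are illustrative.

```python
import re
# Default-protected SIDs from the page. "*" in the domain patterns is taken to mean the
# three domain sub-authorities of an S-1-5-21 SID (assumption: the page lists the RIDs
# but not Keeper's exact matching rule).
PROTECTED_SIDS = {"S-1-5-32-544": "Built-in Administrators group", "S-1-5-18": "SYSTEM",
                  "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
PROTECTED_RIDS = {512: "Domain Admins", 519: "Enterprise Admins",
                  518: "Schema Admins", 500: "Built-in Administrator account"}
PROTECTED_NAMES = {"keeperusersession"}   # Keeper service account, always protected
_ANY_SID = re.compile(r"^S-1-\d+(-\d+)+$")
_DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def protection_reason(name, sid):
    """Return why an account is protected by default, or None if it is not."""
    if not _ANY_SID.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    if sid in PROTECTED_SIDS:
        return PROTECTED_SIDS[sid]
    # Matching the SID rather than the name keeps a renamed built-in Administrator (RID 500) protected.
    m = _DOMAIN_SID.match(sid)
    if m and int(m.group(1)) in PROTECTED_RIDS:
        return PROTECTED_RIDS[int(m.group(1))]
    if name.lower() in PROTECTED_NAMES:
        return "Keeper service account"
    return None

def preview_policy(members, exclusions):
    """Classify each Administrators-group member as protected, excluded or demoted."""
    excl = {e.lower() for e in exclusions}   # assumption: usernames compare case-insensitively
    verdicts = {}
    for name, sid in members:
        if protection_reason(name, sid):
            verdicts[name] = "protected"
        elif name.lower() in excl:
            verdicts[name] = "excluded"
        else:
            verdicts[name] = "demoted"   # loses local admin once the policy is applied
    return verdicts

# Constructed sample: local Administrators membership on a domain-joined workstation.
SAMPLE_MEMBERS = [("Administrator", "S-1-5-21-1111-2222-3333-500"),
                  ("CORP\\Domain Admins", "S-1-5-21-4444-5555-6666-512"),
                  ("KeeperUserSession", "S-1-5-21-1111-2222-3333-1005"),
                  ("itadmin", "S-1-5-21-1111-2222-3333-1001"),
                  ("jsmith", "S-1-5-21-1111-2222-3333-1002")]
SAMPLE_EXCLUSIONS = ["itadmin"]   # the "Exclusions" array from the policy's Extension section
if __name__ == "__main__":
    for user, verdict in preview_policy(SAMPLE_MEMBERS, SAMPLE_EXCLUSIONS).items():
        print(f"{user:22} {verdict}")
```

Any account reported as "demoted" that must keep admin rights belongs in the `Exclusions` array before the policy is enforced.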