User still has local admin rights despite not being in local admin group.
Updated: Apr 19
February 20th, 2023

This fix is for an Azure Active Directory environment and may or may not be useful in hybrid and AD environments. Live and drink, dear traveler, and above all else, remember your troubleshooting skills.

On the local machine, the user does not appear in the Administrators group.
Azure AD Users >> Assigned Roles >> Active Assignments

https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/AdministrativeRole/userId/<User ID>

Remove: Azure AD Joined Device Local Admin
If you use Intune for MDM, Account Protection in Endpoint Security does not take the above role assignment into account.
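
A check to run on the device itself, as an added example that is not part of the original post: it lists the local Administrators group by SID and converts any Azure AD principal (an S-1-12-1-... SID, which Windows often cannot resolve to a name) into its Azure AD object ID. The function names are hypothetical, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumes Windows PowerShell 5.1+ on the Azure AD joined device.

function Convert-AadSidToObjectId {
    param([Parameter(Mandatory)][string]$Sid)
    # S-1-12-1-<a>-<b>-<c>-<d>: the four 32-bit sub-authorities are the
    # 16 bytes of the Azure AD object ID, stored as little-endian UInt32s.
    $subAuthorities = [UInt32[]]($Sid.Substring('S-1-12-1-'.Length).Split('-'))
    if ($subAuthorities.Count -ne 4) { throw "Unexpected Azure AD SID: $Sid" }
    $bytes = New-Object byte[] 16
    [Buffer]::BlockCopy($subAuthorities, 0, $bytes, 0, 16)
    return [Guid]::new([byte[]]$bytes)
}

function Get-LocalAdminMember {
    # Resolve the group by its well-known SID so localized group names work.
    $name  = (Get-LocalGroup -SID 'S-1-5-32-544').Name
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"

    # The ADSI WinNT provider returns members even when a SID has no
    # resolvable name, which is the case this post is about.
    foreach ($member in $group.psbase.Invoke('Members')) {
        $type     = $member.GetType()
        $sidBytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid      = [Security.Principal.SecurityIdentifier]::new([byte[]]$sidBytes, 0).Value

        [pscustomobject]@{
            Name        = $type.InvokeMember('Name', 'GetProperty', $null, $member, $null)
            Sid         = $sid
            # Only Azure AD principals carry the S-1-12-1 prefix.
            AadObjectId = if ($sid -like 'S-1-12-1-*') { Convert-AadSidToObjectId $sid }
        }
    }
}

Get-LocalAdminMember | Format-Table -AutoSize
```

Any row with an AadObjectId is an Azure AD principal holding local admin on the device; search for that object ID in the Azure portal to see which user, group or role it is.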