  1. #1


    Disable administrator log on locally. Any issues?

    Hi.

    I'm thinking about blocking the domain administrator log in access to PCs as it should never be used.

    If I set deny log on locally in the GPO would it have any effects on other things such as software installations in GPO or scripts?

    Thanks

  2. #2

    Michael's Avatar
    You're much better off renaming the Domain Administrator account and specifying a strong password. Then create a new dummy account called 'administrator', make it a member of no Security Groups with a strong password. Even if someone like magic guesses it, they'll get access to nothing at all.

  3. #3

    It would to prevent pupils. But I'm trying to prevent administrators.

    Yup, it's got that bad. I've had to put in policies for domain admins. (I'm not the manager so doing my best to save destruction)
    Last edited by dany2010; 18th June 2013 at 02:04 PM.

  4. #4

    How many domain admins do you have?!

  5. #5

    FN-GM's Avatar
    Originally posted by Michael:
    You're much better off renaming the Domain Administrator account and specifying a strong password. Then create a new dummy account called 'administrator', make it a member of no Security Groups with a strong password. Even if someone like magic guesses it, they'll get access to nothing at all.
    On my recent MS course they recommend disabling the built-in account and making a new one. Apparently all the default administrator accounts on a domain have the same GUID.

  6. #6

    AngryTechnician's Avatar
    Originally posted by dany2010:
    It would to prevent pupils. But I'm trying to prevent administrators.
    Then you've already lost the battle. Any restriction you put in place can be removed by a Domain Administrator.

  7. #7

    Originally posted by AngryTechnician:
    Then you've already lost the battle. Any restriction you put in place can be removed by a Domain Administrator.
    Nightmare int it. Warning can be given for GPO changes though for the ones that don't do it.

    I would ask for more things that could lead to warnings but they forget.
    Last edited by dany2010; 18th June 2013 at 02:21 PM.

  8. #8

    Michael's Avatar
    That's probably true, but renaming the account should be just as good. Still it's not going to stop the problem specified in this thread.

    The only alternative in Active Directory is to double click the admin user object > Account (tab) > Log On To, then specify only the servers and admin workstations.
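
The "Log On To" restriction described in the post above, applied to every Domain Admins member from PowerShell; this is an added example, not part of the original post. The host names are constructed placeholders, and it assumes the RSAT ActiveDirectory module and rights to edit the accounts.

```powershell
# Added example: limit where Domain Admins accounts may log on
# (the "Log On To" list on the Account tab = LogonWorkstations).
Import-Module ActiveDirectory

# Hypothetical host names; replace with your servers and admin workstations.
$AllowedHosts = @('DC01', 'FS01', 'ADMIN-WS01')
$Apply = $false   # $false = report only, $true = write the restriction

$wanted = ($AllowedHosts | Sort-Object -Unique) -join ','

$report = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName -Properties LogonWorkstations
        # An empty LogonWorkstations value means "all computers".
        $current = ''
        if ($u.LogonWorkstations) {
            $current = (($u.LogonWorkstations -split ',') |
                ForEach-Object { $_.Trim() } |
                Sort-Object -Unique) -join ','
        }
        $shown = '(all computers)'
        if ($current) { $shown = $current }
        [pscustomobject]@{
            Account = $u.SamAccountName
            Enabled = $u.Enabled
            LogOnTo = $shown
            Matches = ($current -eq $wanted)
            DN      = $u.DistinguishedName
        }
    }

# Show every account and whether it already carries the intended list.
$report | Format-Table Account, Enabled, LogOnTo, Matches -AutoSize

if ($Apply) {
    foreach ($row in ($report | Where-Object { -not $_.Matches })) {
        Set-ADUser -Identity $row.DN -LogonWorkstations $wanted
        Write-Output "Restricted $($row.Account) to: $wanted"
    }
}
```

Run in report-only mode on a schedule, the `Matches` column shows when an account's list has been changed back, which is the case raised earlier in the thread where a Domain Administrator removes the restriction.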

  9. #9

    Yeah. Sounds similar to the GPO way.

    Would it cause any issues with scripts or software installations?

    As far as I'm aware these don't use the administrator account but have never really got round to looking what account they actually use.

  10. #10


    Could you not add/alter their logon script such that if in pc01 shutdown /l?

  11. #11

    fiza's Avatar
    How many administrators do you have?
    If they can't be trusted why are they administrators in the first place?

  12. #12
    Duke5A's Avatar
    I had this exact same issue when I took my new job. The district I'm in handed out domain admin credentials like it was candy on Halloween; there must have been almost a dozen media paras and teachers that had it. It was their easy solution to getting people the access they needed to do their job. I spent about a week creating restricted accounts/groups that had the access to do particular job functions and handed them out to the people that needed them. Once I weaned everyone off of their domain admin addiction I changed the passwords. Don't just take away access they need. One example of the issues I faced was select staff would reset student passwords in the buildings, so I created a .NET app with search functionality that would allow them to reset/unlock student accounts. If you give them an alternative to do their job that is easier you shouldn't have any problems.
