+ Post New Thread
Results 1 to 7 of 7
Windows 7 Thread, Local Administrator Lock Out Puzzle in Technical; Hey everyone, Got a puzzler for you all. It's more an annoyance than a problem because we have a way ...
  1. #1
    Unvalidated User
    Join Date
    Apr 2008
    Location
    thetford
    Posts
    41
    Thank Post
    6
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Local Administrator Lock Out Puzzle

    Hey everyone,

    Got a puzzler for you all.

    It's more an annoyance than a problem because we have a way around it.

    When we join a Windows 7 machine to the domain, the local Administrator Account gets locked out and the password blanked.
    This means we have to go in as another user, go to user management and set the password for Administrator and then activate the account.

    I have a big feeling it's a group policy setting, but I can see it anywhere.

    We are using Server 2008 R2 and it is a 2008 Domain.

    Any help would be great.

  2. #2
    jamesreedersmith's Avatar
    Join Date
    Sep 2009
    Location
    Ruskington
    Posts
    1,140
    Thank Post
    77
    Thanked 251 Times in 225 Posts
    Rep Power
    76
    Sounds like it might be restricted groups!

  3. #3
    michaelf's Avatar
    Join Date
    Jun 2007
    Location
    Kettering, Northants
    Posts
    81
    Thank Post
    7
    Thanked 13 Times in 10 Posts
    Rep Power
    17
    As I understand it the local administrator account is disabled by default in Windows 7 installations unless there are no other administrator accounts, see here for more info: Enable and Disable the Built-in Administrator Account. As such, there's no one group policy you could change to stop it happening as the behavior is "by design".

    One way around this however to save you modifying each installation manually, would be to use Group Policy Preferences to either enable the account ( see How to enable a disabled Local Administrator account offline in Windows 7 (even when using BitLocker) or for slightly more security create a local account with a different name and add it to the local admins group.

    I've never had to use GPP myself as our Windows 7 estate is currently rather small, but the link above seems pretty thorough.

  4. 2 Thanks to michaelf:

    elsiegee40 (7th March 2011), spider6986 (7th March 2011)

  5. #4

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    11,050
    Thank Post
    1,318
    Thanked 2,310 Times in 1,624 Posts
    Rep Power
    692
    We don't get this when joining a Windows 7 machine to the domain. Did you choose the admin acct and password when the machine or image was originally built? It may be because that is the only administrator acct on the machine so ours gets left, much as stated by michaelf (or micha elf as I always read his name )

  6. Thanks to witch from:

    spider6986 (7th March 2011)

  7. #5
    Unvalidated User
    Join Date
    Apr 2008
    Location
    thetford
    Posts
    41
    Thank Post
    6
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Thanks everyone. Sorry it's been a few days since I looked, this is more of a side project for me to look at.

    We do setup another user when we create the image, however i think this is a Legacy reason that is done (I have not been here long) so I will try an install without the other user created and see if it still happends.

    Because it is not a huge issue we will not worry about going though bitlocker to unlock it, but thank you for the information.

    And finally we do setup the password before the image is created yes, we set everything up how we want it, then sysprep it, then create the image using PE and Imagex and then deploy the image.

  8. #6

    AngryTechnician's Avatar
    Join Date
    Oct 2008
    Posts
    3,730
    Thank Post
    698
    Thanked 1,210 Times in 761 Posts
    Rep Power
    394
    Quote Originally Posted by spider6986 View Post
    I have a big feeling it's a group policy setting, but I can see it anywhere.
    The two places I can think of to do this in Group Policy are:

    1. Computer Configuration > Policies > Windows Settings> Security Settings > Local Policies > Security Options; check the Accounts: Administrator account status setting
    2. Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups


    If you've done an RSoP and those sections don't have anything incriminating, I think you can rule of Group Policy as a cause.

  9. #7

    Join Date
    Dec 2007
    Location
    Derbyshire. Ish.
    Posts
    257
    Thank Post
    29
    Thanked 22 Times in 15 Posts
    Rep Power
    24
    IIRC Vista disabled the local administrator account too.

    Interesting sidenote, not necessarily of use to everyone, but when deploying with SCCM using OSD - either your own image, or a vanilla one straight off a DVD - you can set the local admin password as part of the task sequence, and the account remains alive and kicking.

    Quite useful for us - previously we'd create our own local admin account as part of the final setup after image deployment and this means we can now use the local administrator account directly - but as said, won't apply to everyone.

SHARE:
+ Post New Thread

Similar Threads

  1. Network Administrator Permissions vs Local Admin
    By jj99 in forum Windows Server 2000/2003
    Replies: 18
    Last Post: 23rd December 2010, 09:43 PM
  2. Local Administrator
    By Pashers in forum Windows
    Replies: 20
    Last Post: 5th December 2008, 12:48 PM
  3. Local Administrator Password
    By witch in forum Windows
    Replies: 21
    Last Post: 28th June 2007, 04:32 PM
  4. Local Administrator Password Puzzle
    By Andie in forum Windows
    Replies: 18
    Last Post: 11th February 2007, 09:14 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •