Windows Server 2000/2003 Thread, Local Accounts in XP in Technical; I'm looking to create a GPO that does the following: Disables ALL local accounts other than 'Administrator' Changes the Administrator ...
  1. #1

    Local Accounts in XP

    I'm looking to create a GPO that does the following:

    Disables ALL local accounts other than 'Administrator'
    Changes the Administrator Password (locally) to something of my choice

    Looking to roll out to all PCs on my domain (around 100), and don't want to do this manually, or remote MMC to each machine (and want to have it automatically come down to new machines that join the domain - without any interaction)

    Any suggestions? Only ones I can find don't fit the bill!

    Cheers
    Mike

  2. #2

    Oh, I forgot to mention:

    All clients are on XP, FRDC is Server 2003 R2 Std, 2nd DC is server 08 R2 Std

    Mike.

  3. #3
    themightymrp
    First off, edit this setting on a group policy for your domain PCs:

    Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment --> Allow Log on Locally

    Set it to be just administrator(s).

    Secondly, to change your passwords view this page for help:

    Change Local Administrator Password thru GPO

  4. #4

    Originally posted by themightymrp:
    > First off, edit this setting on a group policy for your domain PCs:
    >
    > Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment --> Allow Log on Locally
    >
    > Set it to be just administrator(s).

    Are you sure??? As I understand it, this will stop anyone except admins logging on to the console of the machine (so no domain users can log on, for example)

    By default, "domain users" is added to "users" when a computer joins the domain and "users" is allowed to log on locally. You could change it using GP so that you have a group called (say) local_users and this group is allowed local log on but "users" is not. You then add "domain users" to that local group and things should work.

  5. #5
    themightymrp
    You're quite right, my bad. What you suggest above sounds plausible, though I haven't tried it. There is probably a way of scripting some kind of net user /delete command that pulls names from a dynamically created .txt file but I can't think of an easy way off the top of my head.
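
Added example, not part of any post in this thread: one way to script the "disable every local account except Administrator" request without an intermediate .txt file, by querying WMI directly from a computer startup script. It assumes the script is assigned as a GPO startup script (so it runs as SYSTEM) to workstations only, not domain controllers; it disables rather than deletes, and it carries no password, so nothing sensitive sits in the script file.

```vbscript
' Added example (not from the thread). Computer startup script that disables
' every enabled local account except the built-in Administrator.
' Assumption: linked only to workstation OUs, never to domain controllers.
Option Explicit

Dim objWMI, objShell, colAccounts, objAccount

Set objShell = CreateObject("WScript.Shell")
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' LocalAccount = True keeps the query on the local SAM; without it a
' domain-joined machine also enumerates domain accounts, which is slow
' and not what this script is meant to touch.
Set colAccounts = objWMI.ExecQuery( _
    "SELECT * FROM Win32_UserAccount " & _
    "WHERE LocalAccount = True AND Disabled = False")

For Each objAccount In colAccounts
    ' The built-in Administrator always has a SID ending in -500, so
    ' matching on the RID still spares it if the account has been renamed.
    If Right(objAccount.SID, 4) <> "-500" Then
        objAccount.Disabled = True
        objAccount.Put_   ' write the change back to the local SAM

        ' Event type 4 = Information; recorded in the Application log
        ' with source WSH, which leaves an audit trail per machine.
        objShell.LogEvent 4, "Startup script disabled local account: " & _
            objAccount.Name
    End If
Next
```

Because only enabled accounts are selected, the script does nothing on later boots unless a new local account has appeared, in which case the event log entry shows which one.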

  6. #6
    waldronm2000
    Don't set local admin password via a GP. I've seen this done before, but it was done via a startup script rolled out to all desktops. The trouble with this is that the startup script is plain text and readable if users go searching.

  7. #7

    Domino
    Originally posted by waldronm2000:
    > Don't set local admin password via a GP. I've seen this done before, but it was done via a startup script rolled out to all desktops. The trouble with this is that the startup script is plain text and readable if users go searching.

    Doesn't have to be, you can use Microsoft script encoder to create a vbe that isn't readable

  8. #8
    themightymrp
    Either that or compile the script into a .exe using one of the free tools out there

  9. #9

    Use Client side extensions, I've used it to disable local accounts and change the admin password.

  10. #10

    Originally posted by chazzy2501:
    > Use Client side extensions, I've used it to disable local accounts and change the admin password.

    Chazzy2501, any more info on this one please?

    Cheers
