Local Accounts in XP
I'm looking to create a GPO that does the following:
Disables ALL local accounts other than 'Administrator'
Changes the Administrator Password (locally) to something of my choice
Looking to roll out to all PCs on my domain (around 100), and don't want to do this manually, or remote MMC to each machine (and want to have it automatically come down to new machines that join the domain - without any interaction)
Any suggestions? Only ones I can find don't fit the bill!
Oh, I forgot to mention:
All clients are on XP, FRDC is Server 2003 R2 Std, 2nd DC is Server 08 R2 Std
First off, edit this setting on a group policy for your domain PCs:
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment --> Allow Log on Locally
Set it to be just administrator(s).
Secondly, to change your passwords, view this page for help:
Change Local Administrator Password thru GPO
Are you sure??? As I understand it, this will stop anyone except admins logging on to the console of the machine (so no domain users can log on, for example).
Originally Posted by themightymrp
By default, "domain users" is added to "users" when a computer joins the domain, and "users" is allowed to log on locally. You could change it using GP so that you have a group called (say) local_users and this group is allowed local log on but "users" is not. You then add "domain users" to that local group and things should work.
You're quite right, my bad. What you suggest above sounds plausible, though I haven't tried it. There is probably a way of scripting some kind of net user /delete command that pulls names from a dynamically created .txt file, but I can't think of an easy way off the top of my head.
Don't set local admin password via a GP. I've seen this done before, but it was done via a startup script rolled out to all desktops. The trouble with this is that the startup script is plain text and readable if users go searching.
Doesn't have to be, you can use Microsoft Script Encoder to create a vbe that isn't readable.
Originally Posted by waldronm2000
Either that or compile the script into a .exe using one of the free tools out there.
Use Client Side Extensions, I've used it to disable local accounts and change the admin password.
Chazzy2501, any more info on this one please?
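For the account-disabling half of the original question, a VBScript computer startup script is one option; the script below is an added example and was not posted by anyone in this thread. It assumes it is assigned as a computer startup script to XP clients; `REPORT_ONLY` and the event log messages are illustrative names chosen here. It carries no password, so nothing sensitive sits in the script file.

```vbscript
' Added example, not from the thread: disable every local account except the
' built-in Administrator. Intended to run as a computer startup script.
Option Explicit

Const REPORT_ONLY = True      ' assumption: audit first, set to False to enforce
Const EVT_WARNING = 2         ' WScript.Shell.LogEvent type: warning
Const EVT_INFO = 4            ' WScript.Shell.LogEvent type: information

Dim shell, wmi, cs, acct, action
Set shell = CreateObject("WScript.Shell")
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' On a domain controller the "local" accounts are the domain's accounts,
' so never run there. DomainRole 4 = backup DC, 5 = primary DC.
For Each cs In wmi.ExecQuery("SELECT DomainRole FROM Win32_ComputerSystem")
    If cs.DomainRole >= 4 Then
        shell.LogEvent EVT_WARNING, "Local account lockdown skipped: domain controller."
        WScript.Quit 0
    End If
Next

For Each acct In wmi.ExecQuery( _
        "SELECT * FROM Win32_UserAccount WHERE LocalAccount = True")
    ' The built-in Administrator always has RID 500, even if it was renamed,
    ' so match on the SID suffix rather than on the account name.
    If Right(acct.SID, 4) <> "-500" And Not acct.Disabled Then
        If REPORT_ONLY Then
            action = "Would disable"
        Else
            acct.Disabled = True
            acct.Put_         ' write the change back to the local SAM
            action = "Disabled"
        End If
        shell.LogEvent EVT_INFO, action & " local account: " & acct.Name
    End If
Next
```

With `REPORT_ONLY` left at `True` the script only writes what it would change to the Application event log, which lets you review the affected accounts on a few machines before enforcing.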
Originally Posted by chazzy2501