Disable Local User Accounts in Windows with GPO and PowerShell

PowerADM.com / Windows / Windows 10 / Disable Local User Accounts in Windows with GPO and PowerShell

Best security practices for Windows domain networks recommend disabling local user accounts on computers and servers in an Active Directory domain. Local users who have administrative permissions on a computer can be a weak point in the security of your network. You can use tools such as Windows LAPS (Local Administrator Password Solution) to set unique, complex passwords for local administrators, or you can use AD Group Policies to completely disable local administrator and user accounts.

Disable the Built-in Local Administrator Account with Group Policy

There are several options in Group Policy to disable the built-in Windows Administrator account.

Open the Group Policy Management Console(gpmc.msc), create a new GPO and assign it to the OU (Organizational Unit) with the computers where you plan to disable local users (Create a GPO in this domain and Link it here).

create a new GPO

Consider how to disable only the built-in administrator account on Windows.

Give the policy a name, then right-click it and select Edit.

  1. Expand the following GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options;
  2. Find the Accounts: Administrator account status parameter and change its value to Define this policy setting -> Disabled; Disable Administrator account in WIndows via Group Policy
  3. Once the GPO has been updated on the target computer, the default administrator account will be disabled.

You also can disable the built-in administrator account on a Windows computer using the Group Policy Preferences:

  1. Go to the section Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups;
  2. Select New -> Local User;
  3. Create a new parameter with the following settings:

Action: Update
User name: Administrator (built-in)
Account is disables: True

Disabling built-in local admin account in windows via GPO

To remove all local users from the built-in Administrators group, create a new setting in the same GPO section (New->Local Group).

Action: Update
Group Name: Administrators (built-in)
Delete all member users: True
Delete all member groups: True
Add: Add a domain security group here to which you want to grant the local administrator permissions on this computer (for technical support, HelpDesk or system administrators) -> Add to this group.

GPO: remove local users from the built-in local Administrators group

This policy removes any local or domain users that have been manually added to the Administrators group on the computer.

How to Disable Local Users with PowerShell

The built-in Microsoft.PowerShell.LocalAccounts module is available for managing local users and groups in Windows PowerShell 5.1 and later (installed by default on all versions of Windows starting with 8.1/Server 2012R2).

To view a list of local accounts on a computer, open the PowerShell console and run the command

Get-LocalUser

PowerShell Get-LocalUser

As you can see, there are several local users on the computer, some of which are disabled (Enabled=False).

To disable a specific local user, use the command:

Disable-LocalUser test1

If you want to disable all local users, run the following PowerShell one-liner:

Get-Localuser| Disable-LocalUser

Often, the administrator needs to disable all local users except for specific accounts.

For example, your task is to disable all local users with local Windows administrator permissions. To do this, you need to get a list of users in the local Administrators group (the well-known SID of this group is S-1-5-32-544) and disable all local users (PrincipalSource = Local).

$AdminGroupMembers = Get-LocalGroupMember -SID S-1-5-32-544 | Where-Object { $_.PrincipalSource -eq "Local" -and $_.ObjectClass -eq "User" }
foreach ($Member in $AdminGroupMembers) {
  $Username= $Member.Name | Split-Path -Leaf
  Disable-LocalUser $Username 
}

Use the following PowerShell script to disable all local users except those on the exclusion list:

$Exceptions = @("administrator", "root", "User3")
Get-LocalUser | Where-Object { $_.Enabled -eq $true -and $_.Name -notin $Exceptions } | ForEach-Object {
    Disable-LocalUser $_ 
}

powershell script: disable local users except specific

In this example, the PowerShell script disables all local user accounts on the computer except administrator, root, and User3.

Disable Local User Accounts on Domain Computers via Group Policy

There are no built-in settings in Windows GPO to disable all or only specific local users in Windows. So to disable all (or some) local users, you must use the startup script in the GPO.

Earlier, we looked at two examples of PowerShell scripts. One that disables all local users with administrator privileges. The other disables all users except those on the exclusion list.

  1. Save the PowerShell code to a disable_local_user.ps1 in the NETLOGON directory on the domain controller (for example \\contoso.com\netlogon).  Check the NTFS permissions of the PS1 file. The Domain Computers group and/or the Authenticated Users group must have the Read and Execute permissions for the PowerShell script file;
  2. Now create a new domain GPO and link it to the OU containing the computer objects;
  3. Edit your GPO;
  4. To run your PowerShell script when the computer starts, go to the GPO section Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown) -> Startup. Switch to the PowerShell Scripts tab and add your PS1 file by specifying the UNC path to it in the NETLOGON folder;Disable local user account in Windows using PowerShell script
  5. Now the Group Policy client service will run your PowerShell script on a computer, which will disable all local users in Windows at startup.
Leave a Reply

Your email address will not be published. Required fields are marked *