Disable Local Accounts in Windows via GPO

PowerADM.com

Best security practices for Windows domain networks recommend disabling local user accounts on computers and servers in the Active Directory domain. Local accounts with administrator permissions are a weak spot in domain security: when the same local administrator password (or password hash) is reused across many computers, compromising one of them lets an attacker reuse those credentials on every other computer that shares them. You can use LAPS (Local Administrator Password Solution) to set a unique, complex administrator password on each computer, or you can completely disable the local administrator (and/or other local user) accounts using AD Group Policies.

You can disable local users and administrators in Windows using Group Policies in several ways.

Open the Group Policy Management Console (gpmc.msc), create a new GPO and assign it to the OU (Organizational Unit) with the computers where you plan to disable local users (Create a GPO in this domain and Link it here).


Give the policy a name, then right-click it and select Edit.

Let's first look at how to disable only the built-in Administrator account.

  1. Expand the following GPO section: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options;
  2. Find the Accounts: Administrator account status parameter, tick Define this policy setting and set it to Disabled;
  3. Once the target computer applies the updated GPO (at the next Group Policy refresh or after gpupdate /force), the built-in Administrator account is disabled. Keep in mind that the account is only disabled, not removed: the policy's own description warns that on a computer that is not domain-joined and has no other active local administrator, the disabled built-in Administrator can still be used to log on in Safe Mode.

You can disable the built-in administrator using Group Policy Preferences:

  1. Go to the section Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups;
  2. Select New -> Local User;
  3. Create a new parameter with the following settings:

Action: Update
User name: Administrator (built-in)
Account is disabled: True

The built-in entry targets the account by its well-known RID (500), so the setting still applies if the account has been renamed.


To remove all local users from the built-in Administrators group, create a new setting in the same GPO section (New -> Local Group):

Action: Update
Group Name: Administrators (built-in)
Delete all member users: True
Delete all member groups: True
Add: the domain security group(s) that should hold local administrator permissions on these computers (technical support, HelpDesk, system administrators), each with the Add to this group action.

Note that Delete all member groups also removes Domain Admins, which Windows adds to the local Administrators group when the computer joins the domain. If domain admins still need local administrator rights, list that group explicitly in the Add section as well.


This setting removes every local or domain user and group that was added to the local Administrators group by hand, and it is re-applied at every Group Policy refresh (by default every 90 minutes on domain members), so members added manually later are removed again.
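To confirm on a client that the setting really took effect (and to catch members that were re-added in between refreshes), the following script, an added example that is not code from the PowerADM.com article, compares the local Administrators membership against an allow-list. The domain name CONTOSO and the two allowed groups are placeholders for whatever you put in the GPP Add list.

```powershell
# Added example (not from the original article): verify that the local Administrators
# group contains only the principals defined in the GPP "Local Group" setting, and
# optionally remove anything else. CONTOSO and the group names are placeholders.
function Test-LocalAdministrators {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$AllowedMembers = @('CONTOSO\Domain Admins', 'CONTOSO\HelpDesk-LocalAdmins'),
        [switch]$Remove
    )

    # Look the group up by its well-known SID (S-1-5-32-544) rather than by the name
    # "Administrators", which is localized on non-English Windows.
    $group = Get-LocalGroup -SID 'S-1-5-32-544'

    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
    } catch {
        # Get-LocalGroupMember fails when the group holds an orphaned SID (for example a
        # deleted domain account); surface that instead of silently reporting "clean".
        throw "Cannot enumerate members of '$($group.Name)': $($_.Exception.Message)"
    }

    $unexpected = foreach ($m in $members) {
        # The built-in Administrator (RID 500) is expected to remain a member; whether it is
        # enabled is handled by the "Administrator account status" policy, not by this check.
        if ($m.SID.Value -like 'S-1-5-21-*-500') { continue }
        if ($AllowedMembers -notcontains $m.Name) { $m }
    }

    foreach ($m in $unexpected) {
        if ($Remove -and $PSCmdlet.ShouldProcess($m.Name, "Remove from $($group.Name)")) {
            Remove-LocalGroupMember -Group $group -Member $m
        }
    }
    # Return the offending principals so a monitoring job or the caller can act on them.
    return $unexpected
}

# Report only:
Test-LocalAdministrators | Format-Table Name, ObjectClass, PrincipalSource
# Dry run of the removal:
# Test-LocalAdministrators -Remove -WhatIf
```

Run it without -Remove first; an empty result means the group matches the GPP definition. Because the function returns the unexpected principals as objects, the same script can feed a scheduled compliance check or a SIEM collector.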

If you need to disable all local users except certain ones, use the following PowerShell one-liner. It relies on the Get-LocalUser and Disable-LocalUser cmdlets from the Microsoft.PowerShell.LocalAccounts module that ships with PowerShell 5.1 on Windows 10 / Windows Server 2016 and newer, up to current Windows 11 and Windows Server 2022; on Windows 8.1 / Windows Server 2012 R2 check that the module is actually present (Get-Module -ListAvailable Microsoft.PowerShell.LocalAccounts) before relying on it:

# Disable every local account whose name is not in the allow-list
# (the operators must use a plain ASCII hyphen, e.g. -and or -notin, not a dash)
Get-LocalUser | Where-Object { $_.Name -notin @('Administrator', 'IISUsr') } | Disable-LocalUser -Confirm:$false

Save this code as disable_local_user.ps1 in the NETLOGON share on a domain controller (\\contoso.com\netlogon, which is replicated to all domain controllers and readable by domain computers). It can then be run at boot as a Group Policy startup script, which executes under the computer's SYSTEM account before any user logs on.

In order to run a PowerShell script on computer boot:

  1. Go to the Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown) -> Startup GPO section;
  2. Go to the PowerShell Scripts tab and add your PS1 file by its UNC path on NETLOGON.

This PowerShell script disables all local user accounts on the computer except those named Administrator and IISUsr. The accounts that Windows creates already disabled (Guest, DefaultAccount, WDAGUtilityAccount) are matched too, which is harmless. Note that the filter works on the account name: if the built-in Administrator has been renamed, it is disabled along with the rest.
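A startup-script version of that one-liner, added here as an example and not code from the PowerADM.com article, identifies the built-in Administrator by its RID instead of its name, supports -WhatIf for testing, and writes a log line because a startup script has no console. The account name IISUsr and the log path under ProgramData are placeholder assumptions.

```powershell
# Added example (not from the original article): allow-list based local account
# disabling for use as a GPO startup script. 'IISUsr' and the log path are placeholders.
#Requires -Version 5.1
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Named local accounts that must stay enabled
    [string[]]$KeepEnabled = @('IISUsr'),
    # Also disable the built-in Administrator (normally left to the
    # "Accounts: Administrator account status" policy or to LAPS)
    [switch]$IncludeBuiltinAdministrator,
    [string]$LogPath = "$env:ProgramData\disable_local_user.log"
)

Import-Module Microsoft.PowerShell.LocalAccounts -ErrorAction Stop

$changed = @()
foreach ($user in Get-LocalUser) {
    # The built-in Administrator keeps RID 500 even after a rename, so match on the SID
    # rather than on the name "Administrator".
    $isBuiltinAdmin = $user.SID.Value -like 'S-1-5-21-*-500'
    if ($isBuiltinAdmin -and -not $IncludeBuiltinAdministrator) { continue }
    if ($KeepEnabled -contains $user.Name) { continue }
    if (-not $user.Enabled) { continue }   # Guest, DefaultAccount etc. are already disabled

    if ($PSCmdlet.ShouldProcess($user.Name, 'Disable local user')) {
        Disable-LocalUser -SID $user.SID -Confirm:$false
        $changed += $user.Name
    }
}

# Startup scripts run as SYSTEM with no interactive session, so record what was done.
$summary = if ($changed) { $changed -join ', ' } else { '(none)' }
Add-Content -Path $LogPath -Value ("{0:s} {1} disabled: {2}" -f (Get-Date), $env:COMPUTERNAME, $summary)
```

Test it interactively with .\disable_local_user.ps1 -WhatIf before assigning it as a startup script; only accounts that are currently enabled and not on the allow-list are touched, so the script is safe to run at every boot.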
