Best security practices for Windows domain networks recommend disabling local user accounts on computers and servers in the Active Directory domain. Local accounts with administrator permissions on computers can be a weak part of your domain’s security. You can use tools like LAPS (Local Administrator Password Solution) to set unique, complex administrator passwords, or you can completely disable local administrator (and/or user) accounts using AD Group Policies.
You can disable local users and administrators in Windows using Group Policies in several ways.
Open the Group Policy Management Console (gpmc.msc), create a new GPO and link it to the OU (Organizational Unit) containing the computers on which you plan to disable local users (Create a GPO in this domain, and Link it here).
Give the policy a name, then right-click it and select Edit.
Let's first consider how to disable only the built-in Administrator account:
- Expand the following GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options;
- Find the Accounts: Administrator account status parameter, check Define this policy setting and select Disabled;
- After updating the GPO on the target computer, the built-in administrator account will be disabled.
You can also disable the built-in Administrator account using Group Policy Preferences:
- Go to the section Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups;
- Select New -> Local User;
- Create a new item with the following settings:
  Action: Update
  User name: Administrator (built-in)
  Account is disabled: True
To remove all local users from the built-in Administrators group, create a new item in the same GPO section (New -> Local Group):
  Action: Update
  Group Name: Administrators (built-in)
  Delete all member users: True
  Delete all member groups: True
  Add: the domain security group to which you want to grant local administrator permissions on these computers (for technical support, HelpDesk or system administrators) -> Add to this group.
This policy will remove any local or domain users that have been manually added to the local Administrators group.
If you need to disable all local users except certain ones, you can use the following PowerShell one-liner (it works on all versions of Windows from 8.1/Server 2012 R2 up to the current Windows 11 and Windows Server 2022):
Get-LocalUser | Where-Object { ($_.Name -ne 'Administrator') -and ($_.Name -ne 'IISUsr') } | Disable-LocalUser -Confirm:$false
Save this code as a disable_local_user.ps1 file in the NETLOGON share on the domain controller (\\contoso.com\netlogon). Now you can run it at computer boot as a PowerShell startup script.
In order to run a PowerShell script on computer boot:
- Go to the Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown) -> Startup GPO section;
- Go to the PowerShell Scripts tab and add your PS1 file by its UNC path on NETLOGON.
This PowerShell script will disable all local user accounts on the computer except those named Administrator and IISUsr.
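The following is an added example (not the one-liner from this article) that generalizes it into a startup script: it keeps an allow-list of accounts, identifies the built-in Administrator by its well-known RID 500 instead of by name (so a renamed account is still recognized), logs what it changed, and reports any non-domain members that remain in the local Administrators group. The allow-list entries and the log path are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own script. Disables every enabled local user that is
# not on the allow-list, leaves the built-in Administrator to the GPO security option
# (matched by RID 500, not by name), and writes a log for later review.
# Assumed values: the allow-list entries and $LogPath are placeholders.

$AllowedNames = @('IISUsr')                                   # assumed: accounts to keep enabled
$LogPath      = "$env:SystemRoot\Temp\disable_local_user.log" # assumed log location
$log          = [System.Collections.Generic.List[string]]::new()

function Write-Log([string]$Message) {
    $log.Add(('{0} {1}' -f (Get-Date -Format s), $Message))
}

function Test-BuiltInAdministrator($User) {
    # The built-in Administrator always has RID 500 in the machine's local SID domain,
    # whatever the account is currently called.
    return $User.SID.Value -like 'S-1-5-21-*-500'
}

foreach ($u in Get-LocalUser) {
    if (-not $u.Enabled)                 { continue }   # already disabled, nothing to do
    if (Test-BuiltInAdministrator $u)    { continue }   # governed by the GPO security option
    if ($AllowedNames -contains $u.Name) { continue }   # explicitly allowed
    try {
        Disable-LocalUser -Name $u.Name -Confirm:$false -ErrorAction Stop
        Write-Log "DISABLED $($u.Name)"
    } catch {
        Write-Log "FAILED $($u.Name): $($_.Exception.Message)"
    }
}

# Record any non-domain members still present in the local Administrators group. The script
# only reports them; membership itself is enforced by the Local Group preference described above.
Get-LocalGroupMember -Name 'Administrators' |
    Where-Object { $_.PrincipalSource -ne 'ActiveDirectory' } |
    ForEach-Object { Write-Log "NON-DOMAIN-ADMIN $($_.Name) ($($_.PrincipalSource))" }

if ($log.Count -gt 0) { $log | Add-Content -Path $LogPath }
```

Because a startup script runs as SYSTEM, the log lands on each computer locally; point $LogPath at a write-only share if you want the results collected centrally.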