
Disable all Local User via GPO except Local Administrator

In your GPO manager, create a new GPO or edit your Default GPO policy. Then, under Computer Configuration, go to Preferences, then Control Panel Settings, then Local Users and Groups. From there you can set the local admin password and disable all other local accounts. You can also add a security group to your Administrators group.

Change Local Administrator Password thru GPO


There's no built-in Group Policy setting that can change the local administrator's password for you. However:

1. There is a Group Policy Preference (GPP) that can do it for you

Changing the local Administrator password on domain members has become pretty easy with the advent of Group Policy Preferences. Start the Group Policy snap-in, expand Computer Configuration, expand Preferences, click Control Panel, and then right-click Local Users and Groups. From the menu select New - Local User. Select Update as the action, type Administrator into the User name text box, then type the new password into the Password text box, confirming the password in the Confirm Password text box. Press OK.

2. You can script it

This script will change your local Administrator passwords to the one you specify. (Note that you'll need to encrypt this one using Microsoft script encrypter if your users shouldn't be able to read it in clear text.)

Set WshNetwork = WScript.CreateObject("WScript.Network")
' "." binds to the computer the script is running on
strComputer = "."
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
objUser.SetPassword "NEW.PASSWORD" ' Enter the new password between the quotes
objUser.SetInfo

The best way to use this script is to run it using the Startup script option in a Group Policy object, since these scripts run with the credentials of the Local System account. Start the Group Policy snap-in, expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), and then in the right pane, add a script.
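Both methods above leave the new password in files that every domain member can read: a GPP Local User item stores it as a cpassword attribute in the policy's XML under SYSVOL, protected only by a key Microsoft has published, and a startup script carries it in its own text. The PowerShell audit below is an added example, not part of the original page; it reports where such values sit without printing them. The function names Find-GppPassword and Find-ScriptPassword, the -PoliciesPath parameter and the sample files are assumptions made for the example.

```powershell
# Added example (not from the original page): audit a Policies tree for stored passwords.
param([string]$PoliciesPath)  # assumption: e.g. \\<domain>\SYSVOL\<domain>\Policies

function Find-GppPassword {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Filter *.xml -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            try { $doc = [xml](Get-Content -LiteralPath $file -Raw -ErrorAction Stop) } catch { return }
            # A non-empty cpassword attribute means the preference item stores a password.
            foreach ($node in $doc.SelectNodes('//*[@cpassword and @cpassword != ""]')) {
                [pscustomobject]@{ Finding = 'GPP stored password'; File = $file
                                   Detail  = "account: $($node.GetAttribute('userName'))" }
            }
        }
}

function Find-ScriptPassword {
    param([string]$Root)
    $scripts = @(Get-ChildItem -Path $Root -Recurse -File -Include *.vbs, *.vbe -ErrorAction SilentlyContinue)
    # Plain-text scripts: report file and line number only, never the matching line.
    $scripts | Where-Object Extension -eq '.vbs' | Select-String -Pattern '\.SetPassword\b' |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'SetPassword call'; File = $_.Path; Detail = "line $($_.LineNumber)" }
        }
    # Encoded scripts cannot be searched as text; list them for manual review.
    $scripts | Where-Object Extension -eq '.vbe' |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'Encoded script'; File = $_.FullName; Detail = 'review manually' }
        }
}

if (-not $PoliciesPath) {
    # No path given: build a constructed sample tree so the audit can be tried offline.
    $PoliciesPath = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-sample'
    $null = New-Item -ItemType Directory -Force -Path $PoliciesPath
    $xml = '<Groups><User name="Administrator"><Properties action="U" ' +
           'userName="Administrator" cpassword="CONSTRUCTED-VALUE"/></User></Groups>'
    Set-Content -Path (Join-Path $PoliciesPath 'Groups.xml') -Value $xml
    Set-Content -Path (Join-Path $PoliciesPath 'setpw.vbs') -Value 'objUser.SetPassword "CONSTRUCTED-VALUE"'
}

$findings = @(Find-GppPassword -Root $PoliciesPath) + @(Find-ScriptPassword -Root $PoliciesPath)
$findings | Sort-Object File | Format-Table -AutoSize -Wrap
"{0} finding(s) under {1}" -f $findings.Count, $PoliciesPath
```

Run it without arguments to try it on the constructed sample, or pass -PoliciesPath with the domain's SYSVOL Policies folder.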

Disable all Local User via GPO except Local Administrator


Lists local accounts and disables all except local admin and ASPNET (and any other exceptions you may add to the line). I needed to do this on every PC when I was working on a rollout for an NHS Trust.

'*************************************************
' File: Disable Local User Accounts.vbs
' Author: Andrew Barnes
' version: 1.0 Date: 07 September 2009 By : Andrew D Barnes
' Lists local accounts and disables all except local admin and ASPNET
'*************************************************
Set objShell = CreateObject("Wscript.Shell")
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to the local computer and enumerate user objects only
Set colAccounts = GetObject("WinNT://" & strComputer & "")
colAccounts.Filter = Array("user")
Message = Message & "Local User accounts:" & vbCrLf & vbCrLf

For Each objUser In colAccounts
    ' Exception list: add further account names to this condition
    If objUser.Name <> "Administrator" AND objUser.Name <> "ASPNET" Then
        Message = Message & objUser.Name
        If objUser.AccountDisabled = TRUE then
            Message = Message & " is currently disabled" & vbCrLf
        Else
            Message = Message & " was enabled" & vbCrLf
            ' Disable the account and commit the change
            objUser.AccountDisabled = True
            objUser.SetInfo
        End if
    End If
Next

' Initialize title text.
Title = "Local User Accounts By Andrew Barnes"
' Popup with no timeout waits for OK; when the script runs unattended,
' pass a timeout in seconds as the second argument.
objShell.Popup Message, , Title, vbInformation + vbOKOnly

The script mentioned above is exactly what you need.



Save the script to a .vbs file and deploy it to a startup script or user logon script. You can configure it at:

GPO --> Computer Configuration --> Windows Settings --> Script --> Startup

or

GPO --> User Configuration --> Windows Settings --> Script --> Logon

For more information please refer to the following MS articles:

Startup, shutdown, logon, and logoff scripts
http://technet.microsoft.com/en-us/library/cc739591(v=WS.10).aspx

Create System Startup / Shutdown and User Logon / Logoff Scripts
http://technet.microsoft.com/en-us/magazine/dd630947.aspx
