Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 224
  • Last Modified:

Need assistance with disabling accounts that are members of local admin group

Do you happen to know if you can disable an account on multiple machines via a script? We have a few accounts that are local adminstrators on the machines, they all are the same name, and we just need to make sure these are disabled but they can remain admins. Let me know. Thanks.

System Info: WinXP platform, Active Directory (Windows 2003) PC count that these accounts are set up on 500+
0
tonyenor
Asked:
tonyenor
  • 3
  • 3
  • 2
  • +1
1 Solution
 
jkjacksonCommented:
Are these domain accounts that are added to the local admin groups of the pc's? If so, when you disable the account in AD it is disabled accross the all machines on the domain. When you delete the accounts it will delete them from the local admins group of the pc's.
0
 
js479Commented:
Just to back up jkjackson -
In your system info you stated these are XP machines using Active Directory, so disabling them in Active Directory Users and Computers will disable them on every computer in the domain.
I'm not sure what you meant by "we just need to make sure these are disabled but they can remain admins." You can't disable an account and have it remain an admin account.

If you're not on a domain and it's just a user account with the same name on several computers then your best bet to disable the account it to make a script that does it and run it on each machine.

Either way you need to divulge a little more info for a better answer.
0
 
jkjacksonCommented:
js, thanks for clearing up a bit, but if you disable the account it will remain an admin account, you can disable an account reguardless of the permission level and it will maintain that level.
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
js479Commented:
My mistake there, you are correct jkjackson.
0
 
qz8dswCommented:
If in your logon script you used
net user username /active:no
that should also do the trick.

0
 
tonyenorAuthor Commented:
These are all local accounts that were created that need to be disabled not domain accounts. Which presents the tedious task at hand.. :-)
0
 
qz8dswCommented:
But the net use command in a login script will indeed disable the local machines account, not a domain one.
Or are the machines concerned not running a login script?
0
 
tonyenorAuthor Commented:
Yes we are using login scripts, I will try that script and see if this works. Thanks so much.
0
 
tonyenorAuthor Commented:
Thanks so much this worked GREAT!! I was able to create a job in Altiris that just ran the script automatically and I can now apply this to all of my machines. Thanks so much for your prompt assistance.
0
 
qz8dswCommented:
No worries,
Glad to help.
0

Featured Post

Free recovery tool for Microsoft Active Directory

Veeam Explorer for Microsoft Active Directory provides fast and reliable object-level recovery for Active Directory from a single-pass, agentless backup or storage snapshot — without the need to restore an entire virtual machine or use third-party tools.

  • 3
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now