Delete or disable all local users by script or policy

We would like to delete or disable all local users' accounts on all our laptops. I know I can use the net user command to delete or disable a user. However, we don't know and don't want to know all local usernames. We just want to disable all of them, and the user should log on to their laptops using domain credentials. Is there a group policy, or can we create a script to do that?
blin2000 asked:
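A script that does what the question asks for, added here as an example and not something posted in this thread: it disables every enabled local account except the built-in Administrator (found by its RID 500, so it is kept even if it has been renamed) and an allowlist you pass in. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser / Disable-LocalUser) and an elevated session, for example when run as a GPO computer startup script; the $Keep and $LogPath parameter names and the log location are my own choices.

```powershell
<#
  Added example (not from the thread): disable every enabled local user account on this
  machine except the built-in Administrator (RID 500) and any names listed in $Keep.
  Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts) and an elevated
  session, e.g. deployed as a GPO computer startup script.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts to leave alone in addition to the built-in Administrator (assumed defaults)
    [string[]] $Keep = @('DefaultAccount', 'WDAGUtilityAccount'),
    # Where to record what was changed, so the rollout can be reviewed later (assumed path)
    [string] $LogPath = "$env:ProgramData\DisableLocalUsers.log"
)

$changed = @()
foreach ($u in Get-LocalUser | Where-Object { $_.Enabled }) {
    # The built-in Administrator always has RID 500, whatever name it currently carries
    $isBuiltinAdmin = $u.SID.Value -match '-500$'
    if ($isBuiltinAdmin -or ($Keep -contains $u.Name)) {
        Write-Verbose "Keeping $($u.Name)"
        continue
    }
    # ShouldProcess makes -WhatIf / -Confirm work, so the script can be dry-run first
    if ($PSCmdlet.ShouldProcess($u.Name, 'Disable local account')) {
        Disable-LocalUser -Name $u.Name
        $changed += $u.Name
    }
}

$summary = "$(Get-Date -Format o) $env:COMPUTERNAME disabled: $($changed -join ', ')"
Add-Content -Path $LogPath -Value $summary
Write-Output $summary
```

Run it once with -WhatIf on a test laptop to see which accounts it would touch. Disabling rather than deleting keeps each user's profile intact and lets you re-enable a single account if it turns out to be needed, which is the safer choice when you don't know in advance what the local accounts are.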

neopumpkin commented:
blin2000,

Yep, group policy will certainly make your job easier here. You won't necessarily be able to disable or delete any local accounts, but you can use Restricted Groups or Account Rights to control whether those local accounts can log in or not.

If you use Restricted Groups you can define all of the built-in groups and they will overwrite whatever is configured locally. Or you can set Account Rights to only allow the local admin and domain groups to log in.

It's not quite the same, but it would disable the local users from being able to do anything.

More info here:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23047109.html
Americom commented:
You may want to just use a GPO to prevent users from logging on to their PCs with a local account and only allow domain accounts to log on.

This will be a Computer GPO where you can configure as:
Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Allow log on Locally

Double-click on Allow log on locally and assign groups like Administrators and/or Domain Admins and Domain Users. If there are local users that are part of the Administrators group, then you should use Domain Admins, as Domain Admins is by default a member of the local Administrators group. For some companies, there are groups such as Temp or Consultant which were created with the primary group set to some other group and removed from the Domain Users group; then you need to either take these users' PCs out of the OU that you are applying to, or just create a separate GPO by assigning the related group to the Allow log on locally setting of the GPO. In other words, you need to organize those PCs by OUs and then apply the appropriate GPO to the respective OU to avoid unexpected issues.
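To check what neopumpkin's Account Rights approach and Americom's Allow log on locally setting actually resolved to on a given laptop once the GPO has applied, here is an added audit function that is not part of this thread: it exports the effective local security policy with secedit, parses SeInteractiveLogonRight (the internal name of "Allow log on locally"), and flags any entry that would still let a local, non-domain account log on interactively. It assumes an elevated Windows PowerShell session; the function names and the temporary file path are my own.

```powershell
# Added example (not from the thread): audit the effective "Allow log on locally"
# assignment on this machine. Assumes an elevated session; secedit /export needs it.
function Get-InteractiveLogonRight {
    $cfg = Join-Path $env:TEMP 'secpol-userrights.inf'   # temp path chosen for this example
    # secedit writes the effective local security database, including what the domain GPO delivered
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (is the session elevated?)' }
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # the right is assigned to nobody at all

    # Entries look like *S-1-5-32-544,*S-1-5-21-...-513 or, occasionally, a bare name
    $entries = ($line -split '=', 2)[1].Trim() -split ',' |
               ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($e in $entries) {
        if ($e.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($e.TrimStart('*'))
            # Domain SIDs may not resolve while the laptop is off the network; keep the SID anyway
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved)' }
            [pscustomobject]@{ Sid = $sid; Name = $name }
        } else {
            [pscustomobject]@{ Sid = $null; Name = $e }
        }
    }
}

function Test-LocalAccountsCanLogon {
    # The machine's own SID prefix identifies local (non-domain) accounts and groups
    $machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid
    # Well-known groups that implicitly contain every local user
    $broad = @('S-1-5-32-545', 'S-1-1-0', 'S-1-5-11')   # BUILTIN\Users, Everyone, Authenticated Users
    foreach ($g in Get-InteractiveLogonRight) {
        if ($null -eq $g.Sid) { continue }   # bare names are left for manual review
        $why = $null
        if     ($broad -contains $g.Sid.Value)           { $why = 'broad group that includes local users' }
        elseif ($g.Sid.AccountDomainSid -eq $machineSid) { $why = 'local account or local group' }
        if ($why) { [pscustomobject]@{ Name = $g.Name; Sid = $g.Sid.Value; Reason = $why } }
    }
}

# Typical use: list everything granted the right, then only the entries still worth reviewing
Get-InteractiveLogonRight | Format-Table Name, Sid -AutoSize
Test-LocalAccountsCanLogon | Format-Table -AutoSize
```

An empty result from Test-LocalAccountsCanLogon means the policy grants the right only to domain principals and well-known groups such as BUILTIN\Administrators. Note that Administrators is not flagged because Americom's answer relies on it, but its local members (the built-in Administrator and any local admin users) can still log on, which is why disabling the local accounts themselves complements the user-rights policy rather than replacing it.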
blin2000 (author) commented:
Thank you for the tip. I thought the domain policy is for computers logging on to the domain. Can the policy apply to local computer logon at home?

neopumpkin commented:
It sure can. Instead of configuring a GPO in a domain environment, you would configure it locally by going to Start > Run > gpedit.msc, and by following the directions already laid out here, you should be good to go.

Let us know if you have any questions!

blin2000 (author) commented:
Sorry, I mean whether the domain group policy will apply to the laptop when logging on at home. For example, we create the domain group policy and it applies to the laptop when the laptop connects to the domain. If the user takes the laptop home and logs on to the laptop using his local username (if we created one for him before), can he log on using the local username?

We don't want to create local policy on each laptop.
Americom commented:
Once the domain GPO is applied to the PCs, the GPO remains applied to the PCs even when they are not connected to the network, unless you remove them from the domain and redefine the local policy on those machines. Otherwise, it will still be applied.