• Status: Solved
  • Priority: Medium
  • Security: Public

Disable local admin account on domain

Hi Experts

I manage a domain where all users are local admin. I would like to change this as we are getting a lot of viruses. However, we are using software which needs to be constantly updated, and it won't be practical to keep having to go and enter the domain admin account details for each user as they need to update. Is there a way around this issue?
6 Solutions
Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
There are two options:

1. Group Policy: Security Groups options where you choose the group memberships (this does not allow users to be added manually and GPO must be used to change group memberships)
2. Group Policy: Computer startup group where you could add/remove local admin group members via a script
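Option 2 above, written out as an added example that is not part of the original answer: a computer startup script that trims the local Administrators group to an allowlist. The group name `CONTOSO\Workstation Admins` and the `-Enforce` switch are assumptions made for illustration; without `-Enforce` the script only reports what it would remove.

```powershell
#Requires -Version 5.1
# Added example: computer startup script (runs as SYSTEM) that limits the
# local Administrators group to an allowlist. Needs the LocalAccounts cmdlets
# that ship with Windows PowerShell 5.1.
param(
    # Report only by default; pass -Enforce once the report looks right.
    [switch]$Enforce
)

$AdminGroupSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Assumption: placeholder name for the one domain group allowed to stay.
$AllowedNames = @('CONTOSO\Workstation Admins')

# Well-known relative IDs: -500 = built-in Administrator, -512 = Domain Admins.
$AllowedSidPattern = '^S-1-5-21-[\d-]+-(500|512)$'

function Test-AllowedMember {
    param($Member)
    if ($Member.SID.Value -match $AllowedSidPattern) { return $true }
    return $AllowedNames -contains $Member.Name   # -contains ignores case
}

foreach ($m in Get-LocalGroupMember -SID $AdminGroupSid) {
    if (Test-AllowedMember $m) { continue }

    $label = "$($m.Name) ($($m.SID.Value))"
    if (-not $Enforce) {
        Write-Output "Would remove $label"
        continue
    }
    try {
        Remove-LocalGroupMember -SID $AdminGroupSid -Member $m -ErrorAction Stop
        Write-Output "Removed $label"
    } catch {
        # Keep going so one failed removal does not leave the rest in place.
        Write-Output "Failed to remove ${label}: $($_.Exception.Message)"
    }
}
```

The built-in Administrator account is left in the group by the `-500` pattern, so a machine that loses its domain trust can still be logged on to locally.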
corecc (Author) Commented:
Hi, thanks, option 2 sounds good but the issue is how do I allow a third party application to install updates if the user isn't local admin?
Jason Watkins, IT Project Leader, Commented:
Does the software have to be run as an administrator? If not, you could make the user's account a regular account and give them a second administrative account, which they could use to update the software. If you are using Windows Vista, 7 or 8, UAC could be used to run the software as an administrator without having to log in as such.
You can deploy software/updates through group policies. Then all your users could be standard users.
Nagendra Pratap Singh, Commented:
You can use WSUS + SCUP. Or perhaps something larger like SCCM/Altiris.

There are thousands of pages explaining the functioning of these tools on the net.
Sandeshdubey, Senior Server Engineer, Commented:
I will recommend renaming the local administrator account and resetting the password to a complex one instead of disabling it. If the clients cannot log in to the domain, or if the secure channel of a client is broken, you need to log in locally and perform a disjoin operation. http://www.techrepublic.com/blog/the-enterprise-cloud/change-local-username-and-password-via-group-policy/

For software update by GP see this: http://technet.microsoft.com/en-us/library/cc783421(v=ws.10).aspx
You can remove administrative rights following mnkhawaja's comments and you can install the application using GPO, or if manual interaction is required, you can use something like RunasSpc from Robotronic.


This is a runas where you can encrypt the admin password.
corecc (Author) Commented:
Thanks guys, these are all really useful solutions.
Question has a verified solution.
