?
Solved

Is there a way to remove and/or create local user accounts through gpo?

Posted on 2014-09-27
3
Medium Priority
?
2,375 Views
Last Modified: 2014-10-09
Is there any way to remove or add Local User accounts using your domain's group policy?

I have a bunch of local admin accounts on the network that I would love to delete without doing them one by one as they have no password protection.

Also, I would love to create new ones through GPO as well.
0
Comment
Question by:MJCS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40348021
you can use restricted group memberships policy.
This will remove any user account from the administrators group. You can't create or delete accounts via Gpo, but you can control access to wha those accounts can do.
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40348137
It can be done by running a computer account GPO to run a login script.  Below are sample commands:

net user /add jim.smith P@$$w0rd1  (create user jim.smith with password of P@$$w0rd1)
net localgroup administrator jim.smith /add  (add jim.smith to local administrators groups)
net localgroup administrators domain1\user1 (add user1 from domain1 to local administrators group)
0
 
LVL 56

Accepted Solution

by:
McKnife earned 2000 total points
ID: 40348450
Both create and delete are administrative operations and cannot be done by a login script. Use a startup script to delete those accounts.
Net user /delete accountname
As for creating, there are many ways, but some of them should be avoided as they put your whole domain in danger. Don't use a startup script using plain text passwords...the risk is, that those get read out and your machines get owned.
There used to be a way through GPO, but Microsoft has recently closed that road after admitting how dangerous it was. They advise you to use this https://support2.microsoft.com/kb/2962486?wa=wsignin1.0 ->look at the workaround paragraph.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is comprised of the pearls we have garnered deploying virtualization solutions since Virtual Server 2005 and subsequent 2008 RTM+ Hyper-V in standalone and clustered environments.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question