Using GPO to manage local accounts

I've heard GPO can be used to manage local accounts. I'd appreciate it if anyone can share links
& info on:

Q1:
Need to enforce 60-day password expiry & complex passwords for local accounts

Q2:
Login history: the dates on which local accounts are used, and which PCs & servers they log in to
sunhux asked:

btan (Exec Consultant) commented:
Q1.
Password complexity
https://technet.microsoft.com/en-us/library/hh994562(v=ws.11).aspx

Password expiry
https://technet.microsoft.com/en-us/library/hh994573(v=ws.11).aspx

Q2.
Enable Audit Policy for logon/logoff (both successful and failure) activity
https://technet.microsoft.com/en-us/library/dd277403.aspx
But "logoff" events may not be generated in cases such as the user not logging off his machine (hibernating the machine), network connectivity issues, power failure, forced shutdown, etc.
1
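Once "Audit logon events" is enabled by GPO as described in the comment above, the login history the asker wants for Q2 can be pulled from the Security log on each PC or server. The following PowerShell is an added example and not code from the thread; it summarises logon, failed-logon and logoff events for local accounts (the account's domain field equals the computer name), and it pairs logons with logoffs by LogonId so that sessions with no logoff record, the gap btan points out, are reported rather than silently missed. `$Days` and `$OutCsv` are assumed parameters; run it from an elevated prompt on the machine being reviewed.

```powershell
# Added example, not from the original thread: summarise local-account logon activity on
# this machine from the Security log. Requires "Audit logon events" (success and failure)
# to be enabled by GPO and an elevated prompt. $Days and $OutCsv are assumed parameters.
param(
    [int]$Days = 30,
    [string]$OutCsv = "$env:COMPUTERNAME-local-logons.csv"
)

# 4624 = successful logon, 4625 = failed logon, 4634/4647 = logoff
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4634, 4647
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

# Read named EventData fields from the event XML instead of relying on Properties[]
# positions, which differ between event IDs
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
                 '7' = 'Unlock'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

$rows = foreach ($e in $events) {
    $user   = Get-EventField $e 'TargetUserName'
    $domain = Get-EventField $e 'TargetDomainName'
    # A local account's "domain" field is the computer name; skip domain users, machine
    # accounts (trailing $) and well-known system identities
    if ($domain -ne $env:COMPUTERNAME) { continue }
    if ($user -like '*$' -or $user -in 'SYSTEM', 'ANONYMOUS LOGON') { continue }

    $kind   = switch ($e.Id) { 4624 { 'Logon' } 4625 { 'FailedLogon' } default { 'Logoff' } }
    $lt     = Get-EventField $e 'LogonType'
    $ltName = if ($lt) { $logonTypes[$lt] } else { '' }   # 4647 carries no LogonType
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Computer  = $e.MachineName
        Account   = "$domain\$user"
        Event     = $kind
        LogonType = $ltName
        LogonId   = Get-EventField $e 'TargetLogonId'
        Source    = Get-EventField $e 'IpAddress'   # empty for console logons and logoffs
    }
}

# Pair sessions by LogonId. Interactive logons with no matching logoff are either still
# active or ended without a logoff record (hibernate, power loss, forced shutdown), so
# treat "last logoff" as a lower bound rather than a fact.
$logoffIds = $rows | Where-Object { $_.Event -eq 'Logoff' } | Select-Object -ExpandProperty LogonId
$openSessions = $rows | Where-Object {
    $_.Event -eq 'Logon' -and $_.LogonType -in 'Interactive', 'RemoteInteractive' -and $_.LogonId -notin $logoffIds
}

$rows | Sort-Object Time | Export-Csv -NoTypeInformation -Path $OutCsv
$rows | Where-Object { $_.Event -ne 'Logoff' } |
    Group-Object Account, Event, LogonType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
"{0} interactive logon(s) without a recorded logoff; per-event details are in {1}" -f @($openSessions).Count, $OutCsv
```

The CSV gives the per-machine history (who, when, from where, which logon type); to answer "which PCs & servers" across the estate, run it on each host and merge the CSVs, or forward the Security log to a central collector and run the same grouping there.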
Mahesh (Architect) commented:
One can create/delete local accounts through GPO, or manage other aspects such as adding domain users to a local group via GPO; however, you cannot set a local password policy for domain-joined machines, as the domain password policy (Default Domain Policy) will always override and win over the local password policy.
0
btan (Exec Consultant) commented:
Just to add on, the order of processing policies is as follows:
1. Local
2. Site
3. Domain
4. OU
The later ones override the earlier ones (as a general rule); some exceptions exist, for example specifying No Override for a GPO. If this affects only a group of computers, then consider making a computer group and using that group either to exclude your custom computers from the password complexity policy (for example) or to assemble a new policy that will override these defaults, filtered to apply only to this group.
https://technet.microsoft.com/en-us/library/cc978255.aspx
Also good to run: GPRESULT /H GPReport.html
And check the file GPReport.html that it generates. Look through it to see the policy deployed.
1
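To see which password policy actually wins on a domain-joined machine (the override Mahesh describes, and the processing order above), the useful check is to generate the GPRESULT report as suggested and, alongside it, export the security settings the machine is enforcing right now and compare them with the asker's targets. The script below is an added example, not from the thread: it runs `gpresult /H`, exports the effective policy with `secedit /export`, parses the `[System Access]` section of the resulting INF, and reports each setting against the expected value. The 60-day maximum age and complexity-on targets are the asker's; the minimum length of 8 is an assumed target.

```powershell
# Added example, not from the original thread: confirm which password policy is actually
# in effect on this domain member. Run from an elevated prompt.
$report = Join-Path $env:TEMP 'GPReport.html'
$cfg    = Join-Path $env:TEMP 'secpol.inf'

# Resultant Set of Policy report, as the comment above recommends (/F overwrites an old copy)
gpresult /H $report /F | Out-Null

# Effective security policy as enforced right now (whichever GPO delivered it)
secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null

# Parse only the [System Access] section of the exported INF
$sysAccess = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^(\w+)\s*=\s*(.+)$') { $sysAccess[$Matches[1]] = $Matches[2].Trim() }
}

# Expected values: 60-day expiry and complexity from the question; length 8 is an assumed target.
# Note MaximumPasswordAge = -1 means "never expires" and PasswordComplexity 1 means enabled.
$checks = @(
    @{ Setting = 'MaximumPasswordAge';    Expected = '60' }
    @{ Setting = 'PasswordComplexity';    Expected = '1'  }
    @{ Setting = 'MinimumPasswordLength'; Expected = '8'  }
)
$checks | ForEach-Object {
    $actual = $sysAccess[$_.Setting]
    [pscustomobject]@{
        Setting  = $_.Setting
        Expected = $_.Expected
        Actual   = $actual
        OK       = ($actual -eq $_.Expected)
    }
} | Format-Table -AutoSize

"Effective values above come from the winning GPO; open $report and look at 'Applied GPOs' under Computer Settings to see which one that is (on a domain member, Account Policies normally come from the Default Domain Policy)."
Remove-Item $cfg -ErrorAction SilentlyContinue
```

If the `Actual` column shows the domain's values rather than the ones you set locally, that is the override Mahesh describes in action; changing the result means changing the policy that wins (the domain policy, or a fine-grained password policy where the environment supports it), not the local one.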


arnold commented:
Seems strange that you have a domain set up, but also allow local accounts?

In an AD there should only be a limited set of local accounts, in particular only the local "administrator" in the event of access issues with the system's access to the AD.
There should be no other local accounts for any reason for regular use.
You could use local computer GPO to set the local password policy.

Local user accounts created with "password never expires" will not have the password policy, either local or domain, applied.......

Please provide the context to your question; perhaps another/better approach to achieve what you want might become .....

Computer GPO, Security Settings, Restricted Groups.
You can either limit which accounts can exist in a specific group on the systems to which this GPO applies (restrictive: accounts that you do not specify, if present, will be kicked out as members of the group),
i.e. Administrators may only have Domain Admins, Enterprise Admins, some_admin_user;
anything else present in the built-in Administrators group will be kicked out.

The other option is that you add domain users to a specific group; this way, if the user is not a member of the local group, it will be added.

This combines insight from prior comments.....

Once you clarify what the issue is that you wish to address, others and I might have other suggestions...
0
sunhux (Author) commented:
> Seems strange that you have a domain setup, but also allow for local accounts?
In some UAT/test servers, the apps teams wanted local accounts to do installation of apps and possibly restart services.
I'm unclear on the history as to why they can't use domain accounts.
0
arnold commented:
Please define your "local account management" needs.
Using a script with WMI/PowerShell or VBScript that connects to each... But that could run into issues if the Windows firewall is enabled and restricts access to port 445.
0
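Arnold's two points, that Restricted Groups will remove any local Administrators member you did not list, and that local accounts set to "password never expires" escape the password policy entirely, argue for auditing the UAT/test servers before enforcing anything; his later comment notes that a script connecting to each machine can be blocked by the firewall on port 445. The script below is an added example and not code from the thread: it fans out over WinRM (TCP 5985, so it does not depend on SMB/445), checks reachability first so blocked hosts fail fast, and reports local admins outside an allow-list plus enabled local users whose password never expires. `$Computers` and `$AllowedAdmins` are constructed sample inputs; the targets need the LocalAccounts cmdlets (`Get-LocalUser`, PowerShell 5.1 or later).

```powershell
# Added example, not from the original thread: audit local accounts and the local
# Administrators group on a list of servers over WinRM (TCP 5985). It only reports;
# compare the findings with the allow-list you intend to enforce via Restricted Groups
# before letting GPO remove members. $Computers and $AllowedAdmins are constructed inputs.
param(
    [string[]]$Computers     = @('uat-app01', 'uat-app02'),                        # constructed sample names
    [string[]]$AllowedAdmins = @('CONTOSO\Domain Admins', 'CONTOSO\svc_deploy')  # constructed allow-list
)

$audit = {
    $users = Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Account              = $_.Name
            Enabled              = $_.Enabled
            # A null PasswordExpires means "password never expires": neither the local nor
            # the domain password policy will ever force a change on that account
            PasswordNeverExpires = ($null -eq $_.PasswordExpires)
            PasswordLastSet      = $_.PasswordLastSet
            LastLogon            = $_.LastLogon
        }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Users    = @($users)
        Admins   = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    }
}

$results = foreach ($c in $Computers) {
    # Fail fast on hosts where the firewall blocks WinRM instead of waiting on a long timeout
    $reachable = Test-NetConnection -ComputerName $c -Port 5985 -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $reachable) { Write-Warning "${c}: TCP 5985 not reachable (firewall or WinRM off), skipped"; continue }
    try   { Invoke-Command -ComputerName $c -ScriptBlock $audit -ErrorAction Stop }
    catch { Write-Warning "${c}: $($_.Exception.Message)" }
}

$findings = foreach ($r in $results) {
    # The built-in Administrator is expected; any other member outside the allow-list is a finding
    foreach ($m in $r.Admins) {
        if ($m -ne "$($r.Computer)\Administrator" -and $m -notin $AllowedAdmins) {
            [pscustomobject]@{ Computer = $r.Computer; Finding = 'UnexpectedLocalAdmin'; Detail = $m }
        }
    }
    foreach ($u in $r.Users) {
        if ($u.Enabled -and $u.PasswordNeverExpires) {
            [pscustomobject]@{ Computer = $r.Computer; Finding = 'PasswordNeverExpires'
                               Detail = "$($u.Account) (last set $($u.PasswordLastSet))" }
        }
    }
}

$findings | Sort-Object Computer, Finding | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path 'local-account-audit.csv'
```

The `UnexpectedLocalAdmin` rows are exactly the members a Restricted Groups policy with the same allow-list would remove, so reviewing this output with the apps teams first avoids locking out an account they still rely on; the `PasswordNeverExpires` rows are the accounts the 60-day expiry will never touch until that flag is cleared.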
btan (Exec Consultant) commented:
For author advice.
0