Using GPO to manage local accounts

I've heard GPO can be used to manage local accounts. I'd appreciate it if anyone can share links & info on:

Q1:
Need to enforce 60days password expiry & complex password of local accounts

Q2:
Login history dates that local accounts are used & login to which PCs & servers
sunhux asked:
btan (Exec Consultant) commented:
Just to add on, the order of processing policies is as follows:
1. Local
2. Site
3. Domain
4. OU
The later ones override the earlier ones (as a general rule); some exceptions exist, for example specifying No Override for a GPO. If it affects only a group of computers, consider making a computer group and using that group to either exclude your custom computers from the password complexity policy (for example) or assemble a new policy that'll override these defaults, filtered to apply only to this group.
https://technet.microsoft.com/en-us/library/cc978255.aspx
Also good to run: GPRESULT /H GPReport.html
and check the file GPReport.html that it generates. Look through it to see the policy deployed.
btan (Exec Consultant) commented:
Q1.
Password complexity
https://technet.microsoft.com/en-us/library/hh994562(v=ws.11).aspx

Password expiry
https://technet.microsoft.com/en-us/library/hh994573(v=ws.11).aspx

Q2.
Enable Audit Policy for logon/logoff (both successful and failure) activity
https://technet.microsoft.com/en-us/library/dd277403.aspx
But the "logoff" events may not be generated in cases such as the user not logging off (hibernating the machine), network connectivity issues, power failure, forced shutdown, etc.
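As an added example (not code from the thread or from Microsoft's documentation), the following PowerShell checks a single host against both requirements in the question: Q1, that the effective password policy enforces at most a 60-day maximum age with complexity enabled, and Q2, which local accounts have logged on recently and from where. It assumes Windows PowerShell 5.1 run in an elevated session, that logon auditing (success) is already enabled as described above, and reads the Security log's event ID 4624 (successful logon). It deliberately relies on logon events only, since the logoff events (4634/4647) can be missing for the reasons given in the comment. Function names, the 7-day window and the temp file path are this example's own choices.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the machine being checked (reading the Security log needs admin).

# ---------- Q1: effective password policy on this host ----------
# secedit exports the resolved security policy; on a domain-joined machine
# this reflects what the domain GPO actually enforces here.
function Get-EffectivePasswordPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # temp path chosen for this example
    secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^(MaximumPasswordAge|MinimumPasswordLength|PasswordComplexity)\s*=\s*(-?\d+)') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordPolicy {
    param([int]$MaxAgeDays = 60)      # requirement from the question
    $p = Get-EffectivePasswordPolicy
    $findings = @()
    # MaximumPasswordAge of -1 in the export means "never expires".
    if ($p.MaximumPasswordAge -lt 1 -or $p.MaximumPasswordAge -gt $MaxAgeDays) {
        $findings += "MaximumPasswordAge is $($p.MaximumPasswordAge) days; expected at most $MaxAgeDays"
    }
    if ($p.PasswordComplexity -ne 1) {
        $findings += 'PasswordComplexity is disabled'
    }
    return $findings
}

# ---------- Q2: who used a local account to log on, and from where ----------
# Needs "Audit Logon" (success) enabled. Event 4624 = successful logon.
# Local accounts are recognised because TargetDomainName is the computer
# name rather than the AD domain name.
function Get-LocalAccountLogons {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Logon types: 2 interactive, 3 network, 10 RDP, 11 cached interactive.
        if ($d.TargetDomainName -ieq $env:COMPUTERNAME -and
            $d.TargetUserName -notlike '*$' -and
            $d.LogonType -in @('2', '3', '10', '11')) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = $d.LogonType
                Source    = $d.IpAddress
            }
        }
    }
}

# Run both checks and print a short report.
$policyFindings = @(Test-PasswordPolicy -MaxAgeDays 60)
if ($policyFindings.Count -eq 0) { 'Password policy meets the 60-day/complexity requirement.' }
else { $policyFindings | ForEach-Object { "POLICY: $_" } }

Get-LocalAccountLogons -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

To cover the "which PCs & servers" part of Q2 across a fleet, run the same script on each host (for example via Invoke-Command or a scheduled task) and collect the output centrally; the Security log is per machine, so a single host only answers for itself.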
Mahesh (Architect) commented:
One can create/delete local accounts through GPO, or manage other aspects such as adding domain users to a local group via GPO; however, you cannot set a local password policy for domain-joined machines, as the domain password policy (Default Domain Policy) will always override and win over the local password policy.
arnold commented:
Seems strange that you have a domain set up but also allow local accounts?

In an AD there should only be a limited set of local accounts, in particular only the local "Administrator" in the event of access issues between the system and the AD.
There should be no other local accounts for regular use, for any reason.
You could use local computer GPO to set the local password policy.

Local user accounts created with "password never expires" will not have the password policy, either local or domain, applied.......

Please provide the context to your question; perhaps another/better approach to achieve what you want might become .....

Computer GPO, Security Settings, Restricted Groups.
You can either limit which accounts can exist in a specific group on the system to which this GPO applies (restrictive: accounts that you do not specify, if present, will be kicked out as members of the group),
i.e. Administrators may only contain Domain Admins, Enterprise Admins, some_admin_user;
anything else present in the built-in Administrators group will be kicked out.

The other option is to add domain users to a specific group; this way, if the user is not a member of the local group, it will be added.

This combines insight from prior comments.....

Once you clarify what the issue is that you wish to address, others and I might have other suggestions...
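The two points in the comment above, that the built-in Administrators group should contain only a known set of principals (the intent of a Restricted Groups policy) and that local accounts with "password never expires" escape the password policy, can be checked on a host with the following added PowerShell (this example's own code, not the author's). It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember, Get-LocalUser). The allowed-member list is a placeholder built from the current domain and computer name; the function names are this example's own.

```powershell
# Added example, not from the thread: audit a host against the intent of a
# Restricted Groups policy and list local accounts whose password never expires.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Allowed members of BUILTIN\Administrators. Placeholder list: replace with the
# principals your own Restricted Groups policy specifies.
$allowedAdmins = @(
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins",
    "$env:COMPUTERNAME\Administrator"
)

# Anything in Administrators that is not on the allowed list is reported.
# (A Restricted Groups "Members of this group" policy would remove it.)
function Get-AdminGroupDrift {
    param([string[]]$Allowed = $allowedAdmins)
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($Allowed -notcontains $m.Name) {
            [pscustomobject]@{
                Finding   = 'Unexpected Administrators member'
                Principal = $m.Name
                Type      = $m.ObjectClass       # User or Group
                Source    = $m.PrincipalSource   # Local or ActiveDirectory
            }
        }
    }
}

# Enabled local accounts with no password expiry date: these sit outside
# both the local and the domain password policy.
function Get-NeverExpiringLocalUsers {
    Get-LocalUser |
        Where-Object { $_.Enabled -and $null -eq $_.PasswordExpires } |
        ForEach-Object {
            [pscustomobject]@{
                Finding   = 'Password never expires'
                Principal = "$env:COMPUTERNAME\$($_.Name)"
                Type      = 'User'
                Source    = $_.LastLogon   # last logon helps decide if it is still needed
            }
        }
}

$findings = @(Get-AdminGroupDrift) + @(Get-NeverExpiringLocalUsers)
if ($findings.Count -eq 0) { 'No findings.' }
else { $findings | Format-Table -AutoSize }
```

The script only reports; enforcing the membership is what the Restricted Groups policy itself does when applied through Computer Configuration, Security Settings, as the comment describes.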
sunhux (Author) commented:
> Seems strange that you have a domain setup, but also allow for local accounts?
In some UAT/test servers, the apps teams wanted local accounts to do the installation of apps and possibly restart services;
I'm unclear on the history as to why they can't use domain accounts.
arnold commented:
Please define your "local account management" needs.
Using a script with WMI/PowerShell or VBScript that connects to each... But that could run into issues if the Windows Firewall is enabled and restricts access to port 445.
btan (Exec Consultant) commented:
For author advice.