• Status: Solved

In a mixed desktop environment with Win7 SP2 and Win10 1709, we are unable to log on to Win10 locally.

We are migrating from Win7 SP2 to Win10 1709 GPO. Myself and several other techs started a small group of pilot users for Win10 testing. Our issue is we are unable to log on to Windows 10 as a local administrator. I receive an error at the logon screen: your Admin account is disabled. Please keep in mind we are using the DISA STIG baseline. We can log on to Win7 as the local administrator without any issues. I triple-checked the GPO for Win10 and ensured the precedence order was correct; inheritance is not active. The admin and users groups are added to allow log on locally. We updated our ADMX files within the last two weeks. I'm certain someone has faced this issue before. Thanks for any help and support.
Asked:
Demarko Little
1 Solution
 
John, Business Consultant (Owner), Commented:
"Our issue is we are unable to log on to Windows 10 as a local administrator. I receive an error at the logon screen: your Admin account is disabled."

It is, and do not enable it. You apparently enabled it in Windows 7 and should not have done that. Leave disabled Admin accounts alone.

If you need an admin account, make one of your own.
 
Adam Leinss, Server Specialist, Commented:
John's right.  If you re-enable the local account named "Administrator" it will get disabled the next time you upgrade Windows 10, so it's best to define a new local administrator account or better yet use LAPS: https://technet.microsoft.com/en-us/mt227395.aspx

That way all local administrator accounts have unique passwords, are stored in AD, expire periodically and get their password updated, and can be looked up by any IT staff and expired on demand if compromised or used.
 
McKnife Commented:
Demarko, why would you want to use the built-in administrator? Using it for working is considered (very) bad practice.
If you need to install things, any other administrator account that you create may be used as well. The built-in one is the mightiest account (since UAC is off by default) and should not be used for working.
 
Demarko Little, System Engineer, Author, Commented:
Evening, you guys are awesome. I really appreciate all the responses. I recently started supporting this client. Their Windows 7 & Windows 10 were already in place. I inherited the two operating systems and GPOs. My lead managed to locate a Windows 10 template build 1709. We were able to spin the machine up. The policy I created is working like we want it. The Admin account is disabled. I'll speak to my lead in regards to sharing the LAPS idea to our client.
 
Adam Leinss, Server Specialist, Commented:
John has the best answer.
Question has a verified solution.
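
An added example, not part of the thread or any poster's own code: a PowerShell check for a pilot Windows 10 machine that confirms the built-in Administrator (RID 500) is disabled, lists who is in the local Administrators group, and creates the separate admin account the answers recommend. The account name `PilotAdmin` and the function names are hypothetical.

```powershell
# Added example. Run in an elevated session on Windows 10 1607 or later,
# where the Microsoft.PowerShell.LocalAccounts module is available.

function Get-BuiltinAdministrator {
    # The built-in Administrator always has RID 500, even if a baseline renames it.
    Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }
}

function Get-LocalAdminReport {
    $builtin = Get-BuiltinAdministrator
    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        BuiltinAdminName    = $builtin.Name
        BuiltinAdminEnabled = $builtin.Enabled
        AdministratorsGroup = $members |
            ForEach-Object { '{0} ({1})' -f $_.Name, $_.PrincipalSource }
    }
}

function New-DedicatedLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$Name,            # hypothetical, e.g. 'PilotAdmin'
        [Parameter(Mandatory)][securestring]$Password
    )
    # Never touch an account that already exists under this name.
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Local user '$Name' already exists; not modifying it."
        return
    }
    $user = New-LocalUser -Name $Name -Password $Password `
        -Description 'Dedicated local admin account'
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $user
    $user
}

# Report the current state; the built-in account should show Enabled = False.
Get-LocalAdminReport | Format-List

# Create the separate admin account only when needed; the password is prompted for.
# New-DedicatedLocalAdmin -Name 'PilotAdmin' -Password (Read-Host -AsSecureString 'Password')
```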
