In a mixed desktop environment with Win7 SP2 and Win10 1709. We are unable to logon Win10 locally.

We are migrating from Win7 SP2 to Win10 1709 GPO. Myself and several other techs started a small group of pilot users for Wind10 testing. Our issue is we are unable to logon the Windows 10 as a local administrator. I receive and error at the logon screen your Admin account is disabled. Please keep in mind we are using DISA STIG baseline. We can logon Wind7 as the local administrator without any issues. I tripled checked the GPO for Wind10 ensured the precedence order was correct inheritance is not active. The admin and users group are added to allow log on locally. We updated our ADMX files within the last two weeks. I'm for certain someone has faced this issue before. Thanks for any help and support.
Demarko LittleSystem EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
Our issue is we are unable to logon the Windows 10 as a local administrator. I receive and error at the logon screen your Admin account is disabled.

It is and do not enable it. You apparently enabled it in Windows 7 and should not have done that. Leave disabled Admin accounts alone.

If you need an admin account, make one of your own.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Adam LeinssServer SpecialistCommented:
John's right.  If you re-enable the local account named "Administrator" it will get disabled the next time you upgrade Windows 10, so it's best to define a new local administrator account or better yet use LAPS: https://technet.microsoft.com/en-us/mt227395.aspx

That way all local administator accounts have unique passwords, are stored in AD, expire periodically and get their password updated and can be looked up by any IT staff and expired on demand if comprised or used.
0
McKnifeCommented:
Demarko, why would you want to use the built-in administrator? Using it for working is considered (very) bad practice.
If you need to install things, any other administrator account that you create may be used as well. The built-in one is the mightiest account (since UAC is off by default) and should not be used for working.
1
Demarko LittleSystem EngineerAuthor Commented:
Evening, you guys are awesome. I really appreciate all the responses. I recently started supporting this client. There Windows7 & Windows10 was already in place. I inherited the two operating systems and GPO's. My lead managed to locate a Windows 10 template build 1709. We were able to spin the machine up. The policy I created is working like we want it. The Admin account is disabled. I'll speak to my lead in regards to sharing the LAPS idea to our client.
0
Adam LeinssServer SpecialistCommented:
John has best answer
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 10

From novice to tech pro — start learning today.