none
ReEnable BuiltIn\Administrator via GPO

    Question

  • Hi,

    We implemented LAPS about an year back and now want to make some changes. We used CorpAdmin as a user to be controlled by LAPS and decided to disable BuiltIN\Administrator and everything was successful. But what we noticed is that, the users who have admin rights on their PCs accidently/intentionally removes the CorpAdmin or the staff forget to create it or add it to BuiltIN\AdministratorS (So many reasons). So we decided to remove this CorpAdmin from every computer and enable our Builtin\Administrator (The Hero) back as no one can remove him from Builtin\AdministratorS.

    We have Windows 7/8/8.1/10/2008 R2 & 2012R2. We want to achieve it via group policy.

    I tried below but didnt worked.

    http://tompopov.blogspot.in/2011/03/enable-windows-7-administrator-account.html

    Any suggestions ?


    Thanks, Rishi Pandit.

    Friday, June 03, 2016 5:58 PM

Answers

All replies

  • Hi,
     
    Am 03.06.2016 um 19:58 schrieb Rishi Pandit:
    > We want to achieve it via
    > group policy.
     
    Computer Configuration \ Preferences \ ...\ Local Users and Groups
    - New Item User -> Update
    - Dropdown Administrator (Built In)
    - uncheck "Account is Disabled"
    - uncheck "USer must change ..."
     
    Optional
    Tab Common : Apply only once and do not reapply
     
    Done.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Saturday, June 04, 2016 10:39 AM
  • I tried below but didnt worked.

    http://tompopov.blogspot.in/2011/03/enable-windows-7-administrator-account.html

    Any suggestions ?


    Thanks, Rishi Pandit.

    Hi  Rishi ,
    Have you checked if the GPO is applied successfully on clients? You could run gpresult /h command to see the result.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 06, 2016 6:03 AM
    Moderator
  • Yes, I tried the same. GPO Shows in "gpresult /r /scope computer" but this part dosent work. Other things such of this gpo works fine. Also didnt found any thing like "Preferences" in RSOP as well.

    Thanks, Rishi Pandit.

    Monday, June 06, 2016 9:00 AM
  • Yes, GPO Shows in "gpresult /r /scope computer" but this part dosent work. Other things such of this gpo works fine. Also didnt found any thing like "Preferences" in RSOP as well.

    Thanks, Rishi Pandit.

    Monday, June 06, 2016 9:00 AM
  • Am 06.06.2016 um 11:00 schrieb Rishi Pandit:
    > Also
    > didnt found any thing like "Preferences" in RSOP as well.
     
    Thats simple because of the fact, that preferences are not reported
    locally. Only the GPO itself will be reported, bbut not the content.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Monday, June 06, 2016 10:33 AM
  • Okay Thanks for the info.

    I did a new thing but that even is not working -

    Moved 1 pc to test OU, and copied the same policy and renamed to test and applied to this test OU.

    Editing the GPO i just removed the checkbox from "Account is Disabled" and also confirmed that "Apply only once and do not reapply" is Unchecked.

    Still it didnt worked. Whereas before this when i was enabling the BuiltIN\Administrator it was getting disabled again. Any Guesses ??

    Everyone is expecting, that it should be so simple and should not take this much of time but no clue, why its not working -


    Thanks, Rishi Pandit.

    Monday, June 06, 2016 10:59 AM
  • Am 06.06.2016 um 12:59 schrieb Rishi Pandit:
    > Everyone is expecting, that it should be so simple
     
    it is :-)
     
    Just to make sure, there is no conflicting GPO:
    - create new OU
    - move computer to OU, wait for replication
    - disable inheritance on the new OU (just for test, avoid conflicting
    GPOs or scripts)
    - create new GPO
    - do NOT touch security filtering, WMI or anything else
    - edit GPO -> COMPUTER Configuration as said before
     
    run gpupdate, the Preference can be applied in background. No reboot or
    gpupdate /force nessessary.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Monday, June 06, 2016 12:17 PM