clever(?) way to 'remove' local users on domain PCs?

    Question

  • I was looking to PowerShell to disable, and eventually delete, local user accounts on my domain PCs - but I think I've found an easier way. I've set up a computer GPP GPO that clears the local Users group, then adds back the legit default members: Domain Users, Authenticated Users, Interactive. Consulting the default User Rights Assignments on Windows 7, it seems to me that without membership in the local Users group, local user accounts will be effectively 'disabled' because they will have no User Rights Assignments. Can anyone think of any problems with this approach?

    born to learn!


    • Edited by AJM Admin Tuesday, June 23, 2015 1:45 PM
    Tuesday, June 23, 2015 1:42 PM

Answers

  • > local user accounts will be effectively 'disabled' because they will
    > have no User Rights Assignments. Can anyone think of any problems with
    > this approach?
     
    There's no problem with this, except that it will not work. At least as
    long as you do not revise all your user privilege assignments and take
    care that you remove all instances of "BUILTIN\Users" and "NT
    AUTHORITY\Authenticated Users".
     
    This local user, although not a member of "Users" anymore, can still
    log on, can run programs, is still a member of "BUILTIN\Users" and other
    default groups.
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by AJM Admin Tuesday, June 23, 2015 2:47 PM
    Tuesday, June 23, 2015 2:01 PM
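
One way to check the answer's point on a given PC, as an added example that is not part of the original thread: it exports the user rights assignments with secedit, flags logon rights held by BUILTIN\Users, Authenticated Users or Everyone, and then lists the local accounts that are still enabled. It assumes an elevated Windows PowerShell 5.1 session (needed for Get-LocalUser); the temp file name is arbitrary.

```powershell
# Added example, not from the thread. Run elevated on the PC being checked.
# Assumption: Windows PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts module).
$inf = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary temp file name
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null

# Well-known SIDs that cover a local account without naming it.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Logon rights to inspect (local, network and Remote Desktop logon).
$rights = 'SeInteractiveLogonRight', 'SeNetworkLogonRight', 'SeRemoteInteractiveLogonRight'

$report = foreach ($line in Get-Content $inf) {
    # Lines look like: SeInteractiveLogonRight = Guest,*S-1-5-32-544,*S-1-5-32-545
    if ($line -match '^\s*(\w+)\s*=\s*(.*)$' -and $rights -contains $Matches[1]) {
        $right = $Matches[1]
        foreach ($entry in $Matches[2].Split(',')) {
            $id = $entry.Trim().TrimStart('*')   # SIDs are prefixed with '*', names are not
            if (-not $id) { continue }
            [pscustomobject]@{
                Right               = $right
                Holder              = if ($broad.ContainsKey($id)) { $broad[$id] } else { $id }
                CoversLocalAccounts = $broad.ContainsKey($id)
            }
        }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Any row with CoversLocalAccounts = True still grants that right to local accounts.
$report | Sort-Object Right, Holder | Format-Table -AutoSize

# Local accounts that are still enabled; these are the candidates for Disable-LocalUser.
Get-LocalUser | Where-Object Enabled | Select-Object Name, SID, LastLogon
```

An account reported as enabled can be switched off with `Disable-LocalUser -Name <name>`, which does not depend on group membership or user rights assignments.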