Disable Local Administrator GPO works on Win2K8 not Win2K3?

    Question

  • I created a new GPO which has one particular action: to disable the Local Administrator account on all scoped servers.

    Here it is:

    APAC - Disable local Administrator account 
    Data collected on: 16/04/2015 3:56:50 PM 
    
    General
    Details
    Domain mydomain.com 
    Owner mydomain\Domain Admins 
    Created 1/04/2015 11:17:14 AM 
    Modified 16/04/2015 2:55:20 PM 
    User Revisions 0 (AD), 0 (SYSVOL) 
    Computer Revisions 41 (AD), 41 (SYSVOL) 
    Unique ID {16F72210-CAC0-408D-AD6A-4CDE4351F8D8} 
    GPO Status User settings disabled 
    
    Links
    Location Enforced Link Status Path 
    Test System Engineers No Enabled mydomain.com/MyOU/Test System Engineers 
    
    This list only includes links in the domain of the GPO.
    Security Filtering
    The settings in this GPO can only apply to the following groups, users, and computers:
    Name 
    NT AUTHORITY\Authenticated Users 
    
    Delegation
    These groups and users have the specified permission for this GPO
    Name Allowed Permissions Inherited 
    mydomain\Domain Admins Edit settings, delete, modify security No 
    mydomain\Enterprise Admins Edit settings, delete, modify security No 
    NT AUTHORITY\Authenticated Users Read (from Security Filtering) No 
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No 
    NT AUTHORITY\SYSTEM Edit settings, delete, modify security No 
    
    Computer Configuration (Enabled)
    Policies
    Administrative Templates
    Policy definitions (ADMX files) retrieved from the local computer.
    System/Group Policy/Logging and tracing
    Policy Setting Comment 
    Configure Local Users and Groups preference logging and tracing Enabled  
    Event logging Informational, Warnings and Errors 
    Tracing On 
    User trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\User.log 
    Computer trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Computer.log 
    Planning trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Planning.log 
    Maximum size of trace file (KB) 1024 
     
    
    Preferences
    Control Panel Settings
    Local Users and Groups
    User (Name: MyUser-ADM)
    MyUser-ADM (Order: 1)
    Local User
    Action Update 
    Properties
    User name MyUser-ADM 
    Full name MyDomain Infrastructure Local Admin Account 
    Description Add MyDomain Infrastructure Local Admin Account to server 
    User cannot change password True 
    Password never expires True 
    Account is disabled False 
    Account expires Never 
    
    Common
    Options
    Stop processing items on this extension if an error occurs on this item No 
    Remove this item when it is no longer applied No 
    Apply once and do not reapply No 
    
    User (Name: Administrator (built-in))
    Administrator (built-in) (Order: 2)
    Local User
    Action Update 
    Properties
    User name Administrator (built-in) 
    Description Disable the local Administrator account 
    User must change password at next logon False 
    User cannot change password False 
    Password never expires False 
    Account is disabled True 
    Account expires Never 
    
    Common
    Options
    Stop processing items on this extension if an error occurs on this item No 
    Remove this item when it is no longer applied No 
    Apply once and do not reapply No 
    

    It works great on Win2K8 servers but fails on Win2K3 servers with the following error in the Application Event Log:

    Event Type:	Warning
    Event Source:	Group Policy Local Users and Groups
    Event Category:	(2)
    Event ID:	4098
    Date:		16/04/2015
    Time:		3:50:42 PM
    User:		NT AUTHORITY\SYSTEM
    Computer:	MyServer
    Description:
    The computer 'Administrator (built-in)' preference item in the 'APAC - Disable local Administrator account {16F72210-CAC0-408D-AD6A-4CDE4351F8D8}' Group Policy object did not apply because it failed with error code '0x80070057 The parameter is incorrect.' This error was suppressed.
    
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    

    Can anyone suggest why this is happening?

    Thanks.

    Thursday, April 16, 2015 6:05 AM

Answers

All replies

  • I am sorry, but I don't know why your GPO fails; you can try changing some parameters, like Password never expires to True.

    But there is a possible way: if you have enabled another account with administrator privileges (in your case MyUser-ADM), then you can use the Security Policy setting Accounts: Administrator account status

    Accounts: Administrator account status

    Disabling the Local Adminstrators Account

    This policy disables the built-in administrator account, if you have enabled at least one local account which is a member of the Administrators group.

    I hope that by combining these two policies, you can succeed.

    If nothing helps, the last chance can be to use net user administrator /active:no; you can run it as a startup script or as a scheduled task, but it is clumsy.

    Net user

    Disabling Local Administrators through GPO on Server 2008

    Hope this helps.

    Regards,

    thennet.



    Thursday, April 16, 2015 8:12 AM
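Added example (editor's code, not part of thennet's reply or anything else in the thread): the "net user administrator /active:no as a startup script" fallback suggested above, written as a PowerShell computer startup script with two safeguards a practitioner would want. First, the built-in account is located by its well-known RID (500) rather than by display name, because the name is localized and is frequently renamed. Second, the script refuses to act unless at least one other enabled local user is already a member of Administrators, so it cannot lock the server out. It assumes it runs as SYSTEM at startup, that PowerShell 2.0 or later and the ADSI WinNT provider are present (true on Windows Server 2003 and 2008 once PowerShell is installed), and the parameter and function names are my own.

```powershell
# Added example, not code from the thread. Startup-script fallback for disabling
# the built-in Administrator account, with a RID-500 lookup and a lock-out guard.
# Assumptions: runs as SYSTEM, PowerShell 2.0+, ADSI WinNT provider available.
# $ComputerName, -WhatIf and the function names are my own choices.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$WhatIf
)

$ADS_UF_ACCOUNTDISABLE = 0x2    # UserFlags bit: account is disabled

function Get-EntrySid {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    # The WinNT provider exposes objectSid as a raw byte array.
    $bytes = $Entry.Properties["objectSid"].Value
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

function Test-EntryEnabled {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    $flags = [int]$Entry.Properties["UserFlags"].Value
    return (($flags -band $ADS_UF_ACCOUNTDISABLE) -eq 0)
}

# 1. Find the RID-500 account, whatever it is currently called.
$computer = [ADSI]"WinNT://$ComputerName,computer"
$builtinAdmin = $null
foreach ($child in $computer.Children) {
    if ($child.SchemaClassName -ne "User") { continue }
    if ((Get-EntrySid $child).Value -match '-500$') { $builtinAdmin = $child; break }
}
if (-not $builtinAdmin) { throw "No RID-500 account found on $ComputerName" }
$adminName        = [string]$builtinAdmin.Properties["Name"].Value
$machineDomainSid = (Get-EntrySid $builtinAdmin).AccountDomainSid.Value

# 2. Lock-out guard: another enabled LOCAL user must already be an administrator.
#    Local accounts share the machine SID prefix; domain principals do not and are
#    deliberately ignored, since a domain outage would otherwise leave no way in.
$adminsGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"
$otherEnabledAdmins = @()
foreach ($member in @($adminsGroup.Invoke("Members"))) {
    $entry = New-Object System.DirectoryServices.DirectoryEntry($member)
    if ($entry.SchemaClassName -ne "User") { continue }
    $sid = Get-EntrySid $entry
    if ($sid.AccountDomainSid.Value -ne $machineDomainSid) { continue }
    if ($sid.Value -match '-500$') { continue }
    if (Test-EntryEnabled $entry) { $otherEnabledAdmins += [string]$entry.Properties["Name"].Value }
}
if ($otherEnabledAdmins.Count -eq 0) {
    Write-Warning "Refusing to disable '$adminName': no other enabled local administrator exists."
    exit 1
}

# 3. Disable it. Idempotent: an already-disabled account is left alone.
if (-not (Test-EntryEnabled $builtinAdmin)) {
    Write-Host "'$adminName' (RID 500) is already disabled; nothing to do."
    exit 0
}
if ($WhatIf) {
    Write-Host "Would run: net user `"$adminName`" /active:no"
    exit 0
}
& net user $adminName /active:no
if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }
Write-Host "Disabled '$adminName' (RID 500). Other enabled local admins: $($otherEnabledAdmins -join ', ')"
```

Run it once with -WhatIf from an elevated prompt to see which account it resolved and whether the guard passes before linking it as a startup script. The guard only counts local users on purpose: the built-in "Accounts: Administrator account status" option leaves the account usable in Safe Mode, but a script that disables it unconditionally has no such escape hatch.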
  • > User name Administrator (built-in)
     
    Instead of "picking" the account, simply type in its localized name. For
    built-in accounts, this CSE behaves unpredictably :)
     Or alternately, play around with different settings for these options:
     
    > User must change password at next logon False
    > User cannot change password False
    > Password never expires False
     
    There is no documentation on "which work and which don't", but for sure
    there ARE combinations that do NOT work although they are possible in
    the UI.
     
     

    Greetings, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, April 17, 2015 8:45 AM
  • I found the solution. I was using Group Policy Preferences (Computer Settings\Preferences\Control Panel\Local Users & Computers) to disable the local administrator account, which does not work on "un-modified" Windows 2003 servers.

    I thus changed the GPO to use "Computer Settings\Policies\Windows Settings\Security Settings\Local Policies\Accounts: Administrator Account Status" and I set it to "Disabled". This works for Win2K3 and Win2K8.

    I suppose I cannot use GPP for Windows 2003 servers as we do not want to modify the OS.

    Thanks guys.

    Monday, April 20, 2015 12:21 AM
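Added example (editor's code, not from the original poster or the thread): a check that the "Accounts: Administrator account status" security option the poster switched to has actually been applied on a given server. That option is stored in the local security database as EnableAdminAccount under [System Access], and secedit /export writes the database out as an INF template, which the script below parses. It works on both Windows Server 2003 and 2008 (secedit exists on both; PowerShell 2.0 is assumed). The sample template embedded at the bottom is constructed to show the expected shape and is not a real export; the function names are my own.

```powershell
# Added example, not code from the thread. Audit the effective local security
# policy for EnableAdminAccount, the setting behind "Accounts: Administrator
# account status". Assumptions: PowerShell 2.0+, secedit.exe present, run from
# an elevated prompt for the live check. Function names are my own.

function ConvertFrom-SecurityTemplate {
    param([string[]]$Lines)
    # Minimal INF parser: section name -> (key -> value). Enough for secedit output.
    $sections = @{}
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $matches[1]
            $sections[$current] = @{}
            continue
        }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$matches[1]] = $matches[2]
        }
    }
    return $sections
}

function Test-AdminAccountPolicy {
    param([string[]]$TemplateLines)
    $t = ConvertFrom-SecurityTemplate $TemplateLines
    $value = $null
    if ($t.ContainsKey('System Access')) { $value = $t['System Access']['EnableAdminAccount'] }
    switch ($value) {
        '0'     { $state = 'Disabled: the security option has applied' }
        '1'     { $state = 'Enabled: policy (or local default) keeps the account on' }
        default { $state = 'Not present in the exported template' }
    }
    New-Object PSObject -Property @{
        EnableAdminAccount = $value
        State              = $state
        Compliant          = ($value -eq '0')
    }
}

function Get-LiveAdminAccountPolicy {
    # Export the effective local security policy and evaluate it.
    $tmp = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit /export /cfg $tmp /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
        # secedit writes its template as UTF-16, so tell Get-Content explicitly.
        Test-AdminAccountPolicy (Get-Content $tmp -Encoding Unicode)
    } finally {
        if (Test-Path $tmp) { Remove-Item $tmp -Force }
    }
}

# Constructed sample (not a real export) with the shape of a template where the
# GPO from the thread has applied: EnableAdminAccount = 0 under [System Access].
$sample = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
EnableAdminAccount = 0
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Test-AdminAccountPolicy $sample | Format-List
# On a server: Get-LiveAdminAccountPolicy | Format-List
```

The exported value tells you what the policy engine wrote, not necessarily what the SAM holds, so for a definitive answer pair it with the account's actual state (for example net user on the RID-500 account) rather than trusting the template alone. Running it across the scoped OU after a gpupdate /force is a quick way to spot servers where the setting did not land.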
  • > the local administrator account which does not work on "un-modified"
    > Windows 2003 server.
     
    Yep - you need to install
     

    Greetings, Martin
    Monday, April 20, 2015 10:19 AM