Chris Henley is a fun and energetic representative of Microsoft. He works on the Developer Platform Evangelist team at Microsoft as an IT Professional Evangelist in the western region and is the co-author of Microsoft Windows Server 2008 R2 Administration Instant Reference from Sybex Press. Chris is a regular speaker and presenter at user groups, TechNet events, and major conferences around the US.
He has extensive experience in the world of computer networks. He is passionate about the way that technology helps people. He has an entertaining and insightful style of communicating technical information and of making difficult concepts easy to understand. He is an expert in server architecture and network design. He loves to push the envelope of what we think about computers and what software can do. Chris spends his spare time playing Xbox 360 with his wife and kids, fly fishing, camping, hiking, and searching for the best chocolate cake on planet Earth.
Yesterday, on my Advanced Security for Servers and Clients webcast, there was a question about local Administrator accounts, and I promised to address it here.
Question: How can I disable all of the local Administrator accounts on the various client machines throughout my network?
The question is interesting because it reveals a larger issue that is paramount in any discussion of Windows security. The built-in Administrator account has significant powers (maybe too much) associated with it, especially when it is the domain Administrator account. Many articles have been written discussing everything from the ease of enumerating these accounts because their SIDs end in the identifying 500, to the risk of running them without passwords, to discussions of creating decoy accounts. I will not attempt to summarize them here. I will, however, recommend two resources that I consider authoritative for valid information and recommendations on this issue. First, I would read Jesper Johansson's blog. Jesper is a great security resource! His opinions and discussion on this topic are right on point. Second, I would read the TechNet document on Securing Administrative Groups and Accounts.
Let's get to the final point and answer the question that was posed.
Answer: To disable local Administrator accounts throughout the domain, I would use Group Policy to accomplish the task. The GPO can be created under Computer Policy | Windows Settings | Security Settings | Local Policies | Security Options, using the Accounts: Administrator account status setting. If the GPO containing this setting is linked at the domain level, it effectively disables all of the local Administrator accounts.
There is a huge discussion around what the best solution is. I personally prefer disabling the accounts, including the domain Administrator account, and using a decoy like the TechNet guide suggests. Do what works best for you!
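To confirm on a client that the policy actually took effect, here is an added PowerShell audit script; it is not from the original post. It finds the built-in Administrator by its RID-500 SID rather than by name, so a renamed account or a decoy named "Administrator" is not mistaken for it, and reads the exported local security policy to see what the Accounts: Administrator account status setting resolved to on that machine. It assumes an elevated prompt on a domain-joined client; Get-LocalUser exists on Windows 8.1 / Server 2012 R2 and later, with a WMI fallback for older clients.

```powershell
# Added example, not from the original post: audit a client for the effect of the
# "Accounts: Administrator account status" GPO setting. Run from an elevated prompt.
# Assumes Get-LocalUser (Windows 8.1 / Server 2012 R2 and later); falls back to WMI.

function Get-BuiltinAdminStatus {
    # Match on the RID-500 SID, not the name: a renamed Administrator or a decoy
    # account named "Administrator" must not be mistaken for the real one.
    if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
        $acct = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
        if (-not $acct) { return $null }   # no local SAM, e.g. a domain controller
        return [pscustomobject]@{ Name = $acct.Name; SID = $acct.SID.Value; Enabled = $acct.Enabled }
    }
    $acct = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
            Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    if (-not $acct) { return $null }
    return [pscustomobject]@{ Name = $acct.Name; SID = $acct.SID; Enabled = -not $acct.Disabled }
}

function Get-EffectiveAdminAccountPolicy {
    # secedit exports the resultant local security policy; the GPO setting lands in
    # [System Access] as EnableAdminAccount = 0 (Disabled) or 1 (Enabled).
    $inf = Join-Path $env:TEMP 'adminstatus-audit.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $hit = Select-String -Path $inf -Pattern '^EnableAdminAccount\s*=\s*(\d)' | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($hit) { return [int]$hit.Matches[0].Groups[1].Value }
    return $null   # key absent: the setting is "Not Defined" on this machine
}

$status = Get-BuiltinAdminStatus
$policy = Get-EffectiveAdminAccountPolicy

if ($null -eq $status) {
    Write-Output 'No RID-500 local account found (domain controller or no local SAM).'
} else {
    Write-Output ("Built-in admin '{0}' ({1}) enabled: {2}" -f $status.Name, $status.SID, $status.Enabled)
}

switch ($policy) {
    0       { Write-Output 'Policy resolves to: Disabled' }
    1       { Write-Output 'Policy resolves to: Enabled' }
    default { Write-Output 'Policy resolves to: Not Defined' }
}

# The gap worth flagging: policy says Disabled but the account is still enabled
# (policy not yet refreshed on this client, or the GPO linked at the wrong scope).
if ($policy -eq 0 -and $status -and $status.Enabled) {
    Write-Warning 'Policy says Disabled but the built-in Administrator is still enabled; run gpupdate /force and re-check.'
}
```

Domain controllers have no local SAM, so the account check reports nothing there; the domain Administrator account is checked in Active Directory instead. Run the script across a sample of clients before and after linking the GPO to see the setting move from Not Defined to Disabled.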