Yesterday on my Advanced Security for Server and Clients Webcast there was a question about local administrator accounts and I promised to address it here.
Question: How can I disable all of the local Administrator accounts on the various client machines throughout my network?
The question is interesting because it reveals a larger issue that is paramount in any discussion of Windows Security. The built in Administrator account has significant powers(maybe too much) associated with it, especially when it is the domain administrator account. Many articles have been written discussing everything from the ease of enumerating these accounts because of their identifying 500 SID’s, to the risk of running them without passwords, to discussions of creating decoy accounts. I will not attempt to summarize them here. I will recommend however 2 resources that I consider Authoritative as resources for valid information and recommendations on this issue. First I would read Jesper Johanssens Blog. Jesper is a great security resource! His opinions and discussion on this topic are right on point. Second I would read the information in this document for Securing Administrative groups and accounts from the TechNet site.
Lets get to the final point and answer the question that was posed.
Answer: To disable local administrative accounts throughout the domain I would use group policy to accomplish the task. The GPO can be created by using the Computer Policy | Windows Settings | Security Settings | Local policies | Security Options and then using the Accounts:Administrator account status setting. If this setting is GPO is linked to the domain level it can effective disable all of the local admin accounts.
There is a huge discussion around what the best solution is. I personally prefer disable the accounts including the domain Administrator account and using a decoy like the TechNet guide suggests. Do what works best for you!