Re: Group Policy setting for restricting creation of local user accounts

From: "B.E. Jorgenson" <jorgenson.b@xxxxxxxxx>
Date: 2 Oct 2006 08:56:09 -0700

Here's the problem.... I have domain administrators that I do not want
creating local users on computers. Would I have to create a restricted
group that mimics domain admins rights minus the right to create local
users?

Roger Abell [MVP] wrote:

"B.E. Jorgenson" <jorgenson.b@xxxxxxxxx> wrote in message
news:1159560514.691170.269170@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Right, but I am looking for a group policy, security template, or local
security policy.

You could use a restricted group definintion in a GPO applied at an
OU level (not to DC OU or to Domain) that carries definition for
Administrators naming only what you want included in them all.
It is often convenient for that GPO to also had a rename policy set
renaming the built-in Administrator

KenB wrote:

Restricting the users to non-administrator access will prevent them from
being able to create accounts on the computers.

Ken

"B.E. Jorgenson" <jorgenson.b@xxxxxxxxx> wrote in message
news:1159380582.077768.320930@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Is there a way through group policy to restrict any user from creating
local computer user accounts when the computer is joined to the domain?
This has nothing to do with logon locally but actually creating a local
user account.

Thanks,
Brian

Follow-Ups:
- Re: Group Policy setting for restricting creation of local user accounts
  - From: Roger Abell [MVP]

References:
- Re: Group Policy setting for restricting creation of local user accounts
  - From: B.E. Jorgenson
- Re: Group Policy setting for restricting creation of local user accounts
  - From: Roger Abell [MVP]

Prev by Date: Re: Adding User ID in Local Admin Group using Group Policy
Next by Date: AD 2003 + 2000 and criteri di protezione
Previous by thread: Re: Group Policy setting for restricting creation of local user accounts
Next by thread: Re: Group Policy setting for restricting creation of local user accounts
Index(es):
- Date
- Thread

Relevant Pages

Re: Remote Desktop Users and Least User Rights
... the Administrators group, the list of authorized remote users (My Computer ... Remote tab> Select Remote Users) gets wiped out. ... or you could create a simple startup script assigned via GPO to add them. ... You can create/link a new GPO at the appropriate OU where your computers ...
(microsoft.public.windowsxp.security_admin)
Re: Group Policy setting for restricting creation of local user accounts
... if DA was not in each machine's local Administrators ... group that mimics domain admins rights minus the right to create local ... being able to create accounts on the computers. ... local computer user accounts when the computer is joined to the ...
(microsoft.public.windows.group_policy)
Re: Anyone not part of admin group cant log in
... Check that the user accounts have Full control granted to ... > I have a small network of 5 computers going and ... I added "Administrators" to thier ID and they ...
(microsoft.public.windowsxp.security_admin)
IE Hangs for non-Admin users
... 5000+ Windows XP Service Pack 1 desktops. ... Our Helpdesk reports that by far the biggest call they are getting is to do ... - The problem does not happen on all computers and can't easily be replicated ... - The problem does not occur with users in the Administrators group ...
(microsoft.public.windows.inetexplorer.ie6.browser)
Re: Rights Issues (i think) with domain pcs
... Quickbooks is the same and requires admin privileges on the local ... eh admin group on the local computers. ... I inherited this network also other wise i would have set up ... >> You probably know that a member of the domain administrators grp by ...
(microsoft.public.windows.server.general)