server 2008 disable admin account policy

lansvcs

Dec 9, 2008, 2:41:02 PM

I have a GPO at the domain level to disable the built-in Administrator
account on client computers. It is working flawlessly on all the XP and
Server 2003 computers. I noticed it is not working as it should on the W2K8
servers. If I look in the winlogon.log file I find "Administrator account is
not allowed to be disabled." If I create a second local admin account and do
a gpupdate, then the built-in account becomes disabled, but as soon as I delete
the additional account and policy updates, the built-in admin account goes back
to enabled. How can I get the policy to disable the built-in Admin account
to apply properly?

Lanwench [MVP - Exchange]

Dec 9, 2008, 7:39:12 PM

lansvcs <lan...@discussions.microsoft.com> wrote:
> I have a GPO at the domain level to disable the built-in Administrator
> account on client computers.

All right, I'm curious - why would you want to do that? Why wouldn't you
just set up really difficult passwords for these accounts and leave them be?

> It is working flawlessly on all the XP
> and Server 2003 computers. I noticed it is not working as it should
> on the W2K8 servers. If I look in the winlogon.log file I find
> "Administrator account is not allowed to be disabled." If I create a
> second local admin account and do a gpupdate, then the built-in
> account becomes disabled, but as soon as I delete the additional
> account and policy updates, the built-in admin account goes back to
> enabled. How can I get the policy to disable the built-in Admin
> account to apply properly?

I'd try posting in a Windows Server group for more help, as this won't be a
group policy issue. But the above question still stands <g>

Meinolf Weber [MVP-DS]

Dec 10, 2008, 4:24:15 AM

Hello lansvcs,

You can log on to the 2008 server and disable it locally. That will work.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

lansvcs

Dec 10, 2008, 12:20:00 PM

I want to do that because the built-in Administrator account is easily
identified by its SID and is a common point of attack. This is something I
have seen recommended by Microsoft often as a security measure. In fact, in a
Vista upgrade, as long as there is an additional local admin account on the
server, this is default behavior. This account is always enabled in safe mode,
and since local SAM database accounts are always less secure than domain
accounts, anyone needing admin access should have their domain account added
to the local admins and use the built-in admin only when the situation
requires a safe mode boot up. I will post in the server group, thanks for
the suggestion.

lansvcs

Dec 10, 2008, 12:21:01 PM

That is true, I knew that, but it also means someone who is an admin can log
onto that server and enable it. Also, with servers numbering in the hundreds
and clients in the thousands, relying on a manual process on each computer is
far less reliable than applying a GPO.

Meinolf Weber [MVP-DS]

Dec 11, 2008, 1:47:54 AM

Hello lansvcs,

Someone who is an admin can also revert the policy. Of course you are right
and it should work as expected and described.

Lanwench [MVP - Exchange]

Dec 11, 2008, 1:06:54 PM

lansvcs <lan...@discussions.microsoft.com> wrote:
> I want to do that because the built-in Administrator account is easily
> identified by its SID and is a common point of attack.

Yep, but it's a local workstation account, and you can put a really kick-a__
password on it. Your call. I don't bother.
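
An added example, not part of any post in this thread: a per-host audit of the situation the original poster describes, reporting whether the built-in Administrator (RID 500) is still enabled and whether another enabled local administrator account exists. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the function name `Get-BuiltinAdminState` and the `NeedsReview` field are hypothetical names chosen for this example.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module, run elevated on a member server or
# workstation (domain controllers have no local SAM accounts to query).

function Get-BuiltinAdminState {
    # The built-in Administrator keeps RID 500 even if it is renamed,
    # so match on the SID suffix instead of the account name.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }

    # Local Administrators group, addressed by its well-known SID.
    $members    = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
    $memberSids = @($members | ForEach-Object { $_.SID.Value })

    # Enabled local accounts that are direct members of the group,
    # other than the built-in Administrator itself.
    $otherLocal = @(
        Get-LocalUser |
            Where-Object {
                $_.Enabled -and
                $_.SID.Value -ne $builtin.SID.Value -and
                $memberSids -contains $_.SID.Value
            } |
            Select-Object -ExpandProperty Name
    )

    # Domain users and groups that hold local admin rights on this host.
    $domain = @($members | Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' })

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        BuiltinAdminName        = $builtin.Name
        BuiltinAdminEnabled     = $builtin.Enabled
        OtherEnabledLocalAdmins = $otherLocal -join ', '
        DomainAdminMembers      = $domain.Count
        # Situation described in the thread: built-in account still enabled
        # and no second local administrator account present.
        NeedsReview             = ($builtin.Enabled -and $otherLocal.Count -eq 0)
    }
}

Get-BuiltinAdminState | Format-List
```

Hosts where `NeedsReview` is true match the case in which the poster saw "Administrator account is not allowed to be disabled." in winlogon.log.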
