How to remove unwanted local user accounts

Written by on Wednesday, February 27, 2008 5:01 - 0 Comments

How to get rid of those pesky local user accounts on your workstations, or at least mitigate their unwanted presence.

Say your network of Windows computers used to be a workgroup and you changed it to a domain. Now you have a bunch of workstations that can be accessed by both local user accounts (from their time as part of a workgroup) and domain user accounts (stored in Active Directory). Is there any way you can prevent users from continuing to log on using their old local user accounts stored on their machines?

The preferred solution is to delete the local user accounts from each workstation that has them. A possible alternative is to use Group Policy to manipulate the Log On Locally user right to prevent anyone except domain users from logging on to desktop computers targeted by such policy. The Log On Locally user right is found under Computer Configuration Windows Settings Security Settings Local Policies User Rights Assignment. But the Log On Locally approach should be carefully tested on a test network before using it on your product network to ensure no unpredictable effects result from implementing it in your environment.

Another approach worth exploring is to use a script to delete unwanted local user accounts from your computers. A sample script that does this and which you can customize further if needed can be found at on the Windows Script Repository. By deploying this script to targeted desktop computers using Group Policy, you should be able to remove all unnecessary local accounts from these computers.

Finally, here’s a social engineering way of doing it—configure password policies on the OU where the machines reside that have such local user accounts. Configure the policy so that users have to enter a long, complex password and they have to change it every day to something new (and enforce password history using its maximum value to prevent them from re-using their old passwords). GPOs that have password policies configured and which are linked to OUs will affect only local user accounts for machines in that OU, so users who try to use their old local user accounts will have to frequently change their passwords and will likely get tired of doing so after a while! ')}

Article written by

Leave a Reply

You must be logged in to post a comment.

2003 server - Sep 30, 2008 22:34 - 0 Comments

instant messaging srv records

More In Computers & PC

Microsoft Outlook - Mar 22, 2009 11:22 - 0 Comments

Outlook: Duplicates in Mailbox

More In Computers & PC