One of the things a colleague of mine encountered in the past, and which I stumbled upon recently, is the following. Sometimes people want the local Administrator account disabled on their servers. There has been a GPO setting for this for ages. It is located under Computer Settings > Windows Settings > Security Settings > Local Policies > Security Options. The setting is “Accounts: Administrator Account Status”: Disabled.
The screenshot below shows the local security policy on a server to which the policy (Administrator Account Status: Disabled) is applied. You can see that a group policy is setting the value to Enabled, which is in fact the opposite of what I configured through the GPO.
One might think another GPO is being applied later. But using gpresult /H:report.html I can clearly see that “my” GPO is winning and that the setting should in fact be Disabled…
A regular Resultant Set of Policy report also shows the setting as Disabled…
But the account is active and stays that way…
So, Group Policy Preferences to the rescue! It is not a real answer as to why things go wrong, but it is definitely a workable workaround. This policy works flawlessly.
You can’t always get to the bottom of things…
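As an added example, not part of the original post, the PowerShell below checks the two things this post and its comments turn on: whether the built-in Administrator (the account with RID 500, so it is found even when renamed) is really disabled, and whether any other enabled local account is a member of Administrators, which the comments identify as the precondition for the policy to take effect. It uses the ADSI WinNT provider rather than the LocalAccounts cmdlets, which Windows Server 2008 R2 does not have, and assumes it is run locally with administrative rights.

```powershell
# Added example, not from the original post: report the real state of the built-in
# Administrator account and whether another enabled local administrator exists.
$ADS_UF_ACCOUNTDISABLE = 0x2          # UserFlags bit that marks a disabled account
$computer = $env:COMPUTERNAME

# Names of all members of the local Administrators group (local and domain principals)
$adminGroup = [ADSI]"WinNT://$computer/Administrators,group"
$adminNames = @($adminGroup.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# Walk the local user accounts; identify the built-in account by RID 500 rather than
# by name, because the comments note that it is often renamed as well as disabled.
$users = ([ADSI]"WinNT://$computer").Children | Where-Object { $_.SchemaClassName -eq 'User' }
$report = foreach ($u in $users) {
    $name     = [string]$u.Name
    $sidBytes = $u.psbase.Properties['objectSid'].Value
    $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
    $flags    = [int]$u.psbase.Properties['UserFlags'].Value
    New-Object PSObject -Property @{
        Name         = $name
        Sid          = $sid
        Enabled      = -not ($flags -band $ADS_UF_ACCOUNTDISABLE)
        IsBuiltIn    = $sid -like 'S-1-5-21-*-500'
        IsLocalAdmin = $adminNames -contains $name
    }
}

$report | Format-Table Name, Sid, Enabled, IsBuiltIn, IsLocalAdmin -AutoSize

$builtIn     = $report | Where-Object { $_.IsBuiltIn }
$otherAdmins = $report | Where-Object { -not $_.IsBuiltIn -and $_.Enabled -and $_.IsLocalAdmin }

if (-not $builtIn) {
    Write-Warning 'No local account with RID 500 found.'
} elseif (-not $builtIn.Enabled) {
    Write-Output "Built-in Administrator '$($builtIn.Name)' is disabled."
} elseif ($otherAdmins) {
    # Another enabled local admin exists, so the precondition is met; look at the GPO chain instead.
    Write-Warning "Built-in Administrator '$($builtIn.Name)' is still enabled although another enabled local administrator exists; check gpresult /H for the winning GPO."
} else {
    # This is the situation the post describes: RSoP says Disabled, account stays active.
    Write-Warning "Built-in Administrator '$($builtIn.Name)' is the only enabled local administrator; the policy will not disable it until another one exists."
}
```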
3 Responses to “Windows 2008 R2: Accounts: Administrator Account Status Not Working”
I think I found the reason the local Administrator account does not get disabled when the GPO is set at the domain level: it's the only valid local Administrator account:
http://msdn.microsoft.com/en-us/library/jj852165(v=ws.10).aspx
Matt
I stumbled across this issue recently (all servers 2012 R2) and it's because you must have a local admin account active. If you follow best practice and create a second local administrator (manually, as you can't do this via GPO anymore) and control that with LAPS, you can then use this policy setting to disable the built-in Administrator (500 SID) account afterwards (we rename as well as disable). The disable-admin GPO setting then works, but if you don't create the second local admin account first, this setting won't apply.
I believe somewhere in the last year I've learned that as well :) The GPO indeed doesn't apply if there's no active Administrator account.
Thanks for taking the time to post!