question

39762632 avatar image
0 Votes"
39762632 asked FanFan-MSFT commented

Local user deny in Active Diretory

Hello.
i find docs (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-h--securing-local-administrator-accounts-and-groups)
i want to apply that.
but i have 100 more local account.
How can I organize it efficiently?

windows-active-directory
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered FanFan-MSFT edited

Hi,
Based on my research, we don't need to do this for all he local accounts.
We did this to protect the local administrator account.

Or if you do need to do this, you can add the local accounts into a group.
Then you can use the GPO to deny the rights to the local group.
106922-6184.jpg

Best Regards,



6184.jpg (108.1 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

39762632 avatar image
0 Votes"
39762632 answered FanFan-MSFT commented

can i register group "Administrator"?
i register "Administrator" but system occur Error
So i do not there ㅠ.ㅠ

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,
Do you mean you want to deny the following rights for the local administrator group?
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on through Remote Desktop Services
Yes, you can use the administrator group.
Would you please share a screenshot of the error message here?
Best Regards,

0 Votes 0 ·

Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,

0 Votes 0 ·