Disabling Local Admin Account! What are the best practices that need to be followed?


Our company partnership has changed, and now I have to apply new policy changes: I am required to disable everyone’s local admin access to their computers and any local computer account on the desktop or laptop. All the computers and laptops are Windows 10, running mixed Windows 10 versions from Windows 10 version 1709 to Windows 10 version 1909.

Before proceeding, I was asked what we would do if there is a trust relationship problem and we can’t log into it with the admin account. Normally I’d say replace the computer and we’ll refresh the “untrusted” one.

Any thoughts on best practices? Looking for your valuable answers.


Some of the best practices are as follows: when you add the Administrator account to these settings, you specify whether you are configuring a local Administrator account or a domain Administrator account by how you label the accounts. For example, to add the TAILSPINTOYS domain’s Administrator account to these deny rights, you would browse to the Administrator account for the TAILSPINTOYS domain, which would appear as TAILSPINTOYS\Administrator. If you type Administrator in these user rights settings in the Group Policy Object Editor, you will restrict the local Administrator account on each computer to which the GPO is applied, as described earlier.


Hi @Addison,

Download Microsoft Local Administrator Password Solution (LAPS); it is a password manager that utilizes Active Directory to manage and rotate passwords for local Administrator accounts across all of your Windows endpoints.

You can clean up any local admin accounts other than those that you set up in LAPS. Renew the trust relationship, which can sometimes be renewed by a reboot, or you can use the PowerShell cmdlet Reset-ComputerMachinePassword to renew it, via RDC or remote PS.

I hope these steps help.
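The cleanup and trust-repair steps from the answer above, as an added PowerShell example that is not from the original thread. It assumes an elevated session on a Windows 10 host (1607 or later, for the built-in LocalAccounts module) and uses 'LAPSAdmin' as a placeholder for whichever local account LAPS manages in your environment.

```powershell
# Added example (not from the thread). Run elevated on the endpoint itself.
# Placeholder: replace with the local account(s) LAPS manages for you.
$ApprovedLocalAdmins = @('LAPSAdmin')

# 1. Audit: who currently sits in the local Administrators group?
$members = Get-LocalGroupMember -Group 'Administrators'
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Report local user accounts that are not on the approved list.
#    Domain principals (PrincipalSource 'ActiveDirectory') are left alone;
#    their membership is governed by Group Policy, not on the endpoint.
$report = foreach ($m in $members) {
    if ($m.ObjectClass -ne 'User' -or $m.PrincipalSource -ne 'Local') { continue }
    $shortName = $m.Name.Split('\')[-1]
    $user = Get-LocalUser -SID $m.SID
    [pscustomobject]@{
        Name      = $shortName
        IsBuiltIn = $m.SID.Value.EndsWith('-500')   # RID 500 = built-in Administrator
        Enabled   = $user.Enabled
        Approved  = $ApprovedLocalAdmins -contains $shortName
    }
}
$report | Format-Table -AutoSize

# 3. Disable enabled, unapproved local admins. -WhatIf only previews the change;
#    remove it after reviewing the report, and keep at least the LAPS-managed
#    account enabled so the machine stays reachable if the domain trust breaks.
$report | Where-Object { $_.Enabled -and -not $_.Approved } | ForEach-Object {
    Disable-LocalUser -Name $_.Name -WhatIf
}

# 4. Trust-relationship repair, run from a local session (e.g. the LAPS-managed
#    account) instead of reimaging. Test-ComputerSecureChannel returns $false
#    when the secure channel to the domain is broken.
if (-not (Test-ComputerSecureChannel)) {
    $cred = Get-Credential -Message 'Domain account allowed to reset this machine account'
    $repaired = Test-ComputerSecureChannel -Repair -Credential $cred
    if (-not $repaired) {
        # Fallback named in the answer: force a new machine account password.
        Reset-ComputerMachinePassword -Credential $cred
    }
}
```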



In my opinion, disabling the default admin account adds a bit of security in that if someone wants to take the account over, they can’t just brute force their way in with it being disabled. If anyone is trying to hack your PC, they have to figure out which account is an admin and break in that way. Thinking about it though, I don’t know if it adds any security anymore.

Generally I don’t go out of my way to do so, and looking at my Windows 10 computer, it’s disabled by default already and replaced with the account I used to do the initial setup. Especially in a typical business setting, I doubt there are many local accounts, and at least with the tools I have, it’s trivial to figure out which account has admin access. I guess it would be harder on a home computer or in a network without AD.