Group Policy: Create and Lock down Windows Domain Account for Local Administrator access

This tutorial helps administrators create and manage a domain account that serves as a Local Administrator on specific computers, with central control through Group Policy.


Steps:

  1. Create a Domain User Account.

  2. On the Account tab, click the Log On To button.

  3. Enter the computer DNS name to restrict logon with this account.

  4. Open Group Policy Management (Administrative Tools -> Group Policy Management).

  5. Create a new GPO, SP Local Administrators.

     In this case, the above servers are grouped under the INFRA_SERVERS\SharePoint group.

  6. Edit the new GPO SP Local Administrators; the GPO Editor will appear.

  7. Navigate to Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups.

  8. Click the + button to add a new item.

  9. Set the New Local Group Properties values:
     Action     : Update
     Group Name : Administrators (built-in)
     Members    : Domain User

  10. Close the GPO Editor window.

  11. On the new GPO, under Security Filtering, add the computers this GPO should apply to.

  12. Right-click the GPO and set Enforced.

  13. Once Enforced, the GPO shows a lock icon.
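A read-only PowerShell check that the steps above took effect, added here as an example and not part of the original tutorial. The account name, domain name, server names and OU path are assumptions; it needs the ActiveDirectory and GroupPolicy modules and PowerShell remoting to the target servers.

```powershell
# Added example, not from the original post. Assumed (hypothetical) names:
# account 'sp-localadmin', domain 'EXAMPLE', servers SP01/SP02, and the OU path.
Import-Module ActiveDirectory, GroupPolicy

$Account   = 'sp-localadmin'              # hypothetical account from step 1
$Domain    = 'EXAMPLE'                    # hypothetical NetBIOS domain name
$Computers = 'SP01', 'SP02'               # hypothetical servers from steps 3 and 11
$GpoName   = 'SP Local Administrators'    # GPO name from step 5
$TargetOU  = 'OU=SharePoint,OU=INFRA_SERVERS,DC=example,DC=com'   # assumed link target

# Steps 2-3: "Log On To" is stored in LogonWorkstations as a comma-separated list.
# An empty value means the account may log on to any computer.
$user    = Get-ADUser -Identity $Account -Properties LogonWorkstations
$allowed = @($user.LogonWorkstations -split ',' | Where-Object { $_ } |
             ForEach-Object { ($_.Trim() -split '\.')[0] })   # DNS name -> host label
if (-not $allowed) { Write-Warning "$Account has no Log On To restriction" }
$extra = $allowed | Where-Object { $_ -notin $Computers }
if ($extra) { Write-Warning "$Account may also log on to: $($extra -join ', ')" }

# Steps 5 and 12: the GPO must be linked to the target and marked Enforced.
$link = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $link) {
    Write-Warning "$GpoName is not linked to $TargetOU"
} elseif (-not $link.Enforced) {
    Write-Warning "$GpoName is linked but not Enforced"
}

# Steps 9-11: list the built-in Administrators group on each filtered computer.
# SID S-1-5-32-544 is used so the query works with localized group names.
$report = Invoke-Command -ComputerName $Computers -ScriptBlock {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}
$report | Sort-Object PSComputerName |
    Format-Table PSComputerName, Name, ObjectClass, PrincipalSource

foreach ($c in $Computers) {
    $members = ($report | Where-Object PSComputerName -eq $c).Name
    if ("$Domain\$Account" -notin $members) {
        Write-Warning "${c}: $Account is not in Administrators (policy not applied yet?)"
    }
}
```

The table also shows every other member of each Administrators group, because the Update action adds the domain account without removing existing members unless the delete options are selected in the preference item.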


YLNotes: Yunlong Notes © 2017 Frontier Theme