|
|
|
@ -1,5 +1,5 @@
|
|
|
|
|
---
|
|
|
|
|
ms.date: 09/06/2024
|
|
|
|
|
ms.date: 04/07/2025
|
|
|
|
|
title: Local Accounts
|
|
|
|
|
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
|
|
|
|
|
ms.topic: concept-article
|
|
|
|
@ -225,33 +225,33 @@ The following table shows the Group Policy and registry settings that are used t
|
|
|
|
|
#### To enforce local account restrictions for remote access
|
|
|
|
|
|
|
|
|
|
1. Start the **Group Policy Management** Console (GPMC)
|
|
|
|
|
1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
|
|
|
|
|
1. In the console tree, expand <*Forest*>\Domains\<*Domain*>, and then **Group Policy Objects** where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
|
|
|
|
|
1. In the console tree, right-click **Group Policy Objects > New**
|
|
|
|
|
1. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer
|
|
|
|
|
1. In the details pane, right-click <**gpo\_name**>, and > **Edit**
|
|
|
|
|
1. In the **New GPO** dialog box, type <**gpo_name**>, and > **OK** where *gpo_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer
|
|
|
|
|
1. In the details pane, right-click <**gpo_name**>, and > **Edit**
|
|
|
|
|
1. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:
|
|
|
|
|
|
|
|
|
|
- Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**
|
|
|
|
|
- Double-click **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**
|
|
|
|
|
- Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**
|
|
|
|
|
- Navigate to the **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**
|
|
|
|
|
- Select **User Account Control: Run all administrators in Admin Approval Mode** > **Enabled** > **OK**
|
|
|
|
|
- Select **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**
|
|
|
|
|
|
|
|
|
|
1. Ensure that the local account restrictions are applied to network interfaces by following these steps:
|
|
|
|
|
|
|
|
|
|
- Navigate to *Computer Configuration\Preferences and Windows Settings*, and > **Registry**
|
|
|
|
|
- Right-click **Registry**, and > **New** > **Registry Item**
|
|
|
|
|
- Right-click **Registry**, and > **New** > **Registry Item**
|
|
|
|
|
- In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**
|
|
|
|
|
- Ensure that the **Hive** box is set to **HKEY_LOCAL_MACHINE**
|
|
|
|
|
- Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
|
|
|
|
|
- Select (**…**), browse to the following location for **Key Path** > **Select** for: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`
|
|
|
|
|
- In the **Value name** area, type `LocalAccountTokenFilterPolicy`
|
|
|
|
|
- In the **Value type** box, from the drop-down list, select **REG_DWORD** to change the value
|
|
|
|
|
- In the **Value data** box, ensure that the value is set to **0**
|
|
|
|
|
- Verify this configuration, and > **OK**
|
|
|
|
|
- Verify this configuration, and > **OK**
|
|
|
|
|
|
|
|
|
|
1. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
|
|
|
|
|
|
|
|
|
|
- Navigate to the `*Forest*\<Domains>\*Domain*\*OU*` path
|
|
|
|
|
- Right-click the **Workstations > Link an existing GPO**
|
|
|
|
|
- Select the GPO that you created, and > **OK**
|
|
|
|
|
- Select the GPO that you created, and > **OK**
|
|
|
|
|
|
|
|
|
|
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
|
|
|
|
|
1. Create links to all other OUs that contain workstations
|
|
|
|
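Review bot: the new single-backslash form of the expand step, `<*Forest*>\Domains\<*Domain*>`, breaks rendering: in Markdown `\<` is a backslash escape for `<`, so the backslash in front of `<*Domain*>` is consumed and the path displays as `<Forest>\Domains<Domain>`; keep `\\<*Domain*>` as the removed line had it, or put the whole path in backticks. The switch to the `**Computer Configuration** > **Windows Settings** > ...` menu style is also only applied to the UAC sub-steps; the registry sub-step in the same hunk still reads `*Computer Configuration\Preferences and Windows Settings*`, which is neither the new style nor an accurate node path (Preferences and Windows Settings are nested, not siblings), and the link step's `*Forest*\<Domains>\*Domain*\*OU*` puts the angle brackets on `Domains` rather than on the placeholders, unlike the `<*Forest*>\\Domains\\<*Domain*>\\OU` form used in the second procedure. While touching these lines, make the three paths consistent, because they are the steps an operator follows to land `LocalAccountTokenFilterPolicy` = 0 in the right place.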
@ -278,23 +278,23 @@ The following table shows the Group Policy settings that are used to deny networ
|
|
|
|
|
#### To deny network logon to all local administrator accounts
|
|
|
|
|
|
|
|
|
|
1. Start the **Group Policy Management** Console (GPMC)
|
|
|
|
|
1. In the console tree, expand <*Forest*>\\Domains\\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
|
|
|
|
|
1. In the console tree, right-click **Group Policy Objects**, and > **New**
|
|
|
|
|
1. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer
|
|
|
|
|
1. In the details pane, right-click <**gpo\_name**>, and > **Edit**
|
|
|
|
|
1. In the console tree, expand <*Forest*>\Domains\<*Domain*>, and then **Group Policy Objects**, where *forest* is the name of the forest, and *domain* is the name of the domain where you want to set the Group Policy Object (GPO)
|
|
|
|
|
1. In the console tree, right-click **Group Policy Objects**, and > **New**
|
|
|
|
|
1. In the **New GPO** dialog box, type <**gpo_name**>, and then > **OK** where *gpo_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer
|
|
|
|
|
1. In the details pane, right-click <**gpo_name**>, and > **Edit**
|
|
|
|
|
1. Configure the user rights to deny network logons for administrative local accounts as follows:
|
|
|
|
|
1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and > **User Rights Assignment**
|
|
|
|
|
1. Navigate to the Computer Configuration\Windows Settings\Security Settings\, and > **User Rights Assignment**
|
|
|
|
|
1. Double-click **Deny access to this computer from the network**
|
|
|
|
|
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**
|
|
|
|
|
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**
|
|
|
|
|
1. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows:
|
|
|
|
|
1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment**
|
|
|
|
|
1. Navigate to Computer Configuration\Policies\Windows Settings and Local Policies, and then select **User Rights Assignment**
|
|
|
|
|
1. Double-click **Deny log on through Remote Desktop Services**
|
|
|
|
|
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**
|
|
|
|
|
1. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**
|
|
|
|
|
1. Link the GPO to the first **Workstations** OU as follows:
|
|
|
|
|
|
|
|
|
|
- Navigate to the <*Forest*>\\Domains\\<*Domain*>\\OU path
|
|
|
|
|
- Right-click the **Workstations** OU, and > **Link an existing GPO**
|
|
|
|
|
- Select the GPO that you created, and > **OK**
|
|
|
|
|
- Navigate to the <*Forest*>\Domains\<*Domain*>\OU path
|
|
|
|
|
- Right-click the **Workstations** OU, and > **Link an existing GPO**
|
|
|
|
|
- Select the GPO that you created, and > **OK**
|
|
|
|
|
|
|
|
|
|
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
|
|
|
|
|
1. Create links to all other OUs that contain workstations
|
|
|
|
|
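Review bot: the New GPO step is still ungrammatical after the edit: "where *gpo_name* is the name of the new GPO indicates that it's being used to restrict ..." runs two clauses together; split it the way the first procedure does ("... is the name of the new GPO. The GPO name indicates that it's used to restrict ..."). The single-backslash paths `<*Forest*>\Domains\<*Domain*>` and `<*Forest*>\Domains\<*Domain*>\OU` have the same rendering problem: `\<` is a Markdown escape, so the backslash before `<*Domain*>` disappears in the rendered page; keep `\\` or use code formatting. The two User Rights Assignment sub-steps in this hunk also give different paths for the same node, `Computer Configuration\Windows Settings\Security Settings\,` (where the trailing `\,` is itself an escape and drops the backslash) versus `Computer Configuration\Policies\Windows Settings and Local Policies`; both end at **User Rights Assignment**, so use one path written in the `**A** > **B**` style the first procedure now uses, and replace the remaining `Double-click` with `Select` for consistency with that procedure.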