Deploy local accounts via Group Policy

Admins sometimes need to provision local accounts on Windows Servers. One disadvantage to local accounts is the lack of central management. Learn how to manage these accounts with Group Policy.

One admin task that is usually more of a pain than it's worth is temporary account provisioning. Active Directory accounts are the way to go, but what about when something requires a local account? In this situation, Group Policy can help more than you might think.

Group Policy can create a local account, including some of its management settings such as an account expiration date, and apply it locally to computer accounts. Local accounts that are to be pushed to computer accounts are configured in Group Policy in the Computer Configuration | Preferences | Control Panel Settings | Local Users And Groups section (Figure A).

Figure A

It's beneficial to provision this through Group Policy if you have to deploy a large number of local accounts. Another advantage of provisioning local accounts through Group Policy is that you can delete the accounts as easily as you created them.

Group Policy offers a variety of local account provisioning options, which include disabling the account, deleting the account, and resetting the account's password (Figure B).

Figure B

For all practical purposes, this is a more difficult use case than time-sensitive domain accounts. In my TechRepublic post about provisioning account access for non-employees, the common theme is to make the access not last forever. Most administrators want to reduce the number of local accounts in play, yet the best way to administer them is the same way we do for Active Directory accounts.

The other practical use case is to re-create the local administrator account under an obscure username. Most administrators still leave a local account as an administrator with a changed username.
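Preference items like these are written to a Groups.xml file in the policy's SYSVOL folder, and an item that sets or resets a password carries it in a `cpassword` attribute that is readable by every account that can read SYSVOL. The audit below is an added example, not part of the original article: the sample file is constructed, and the attribute names (`action`, `userName`, `newName`, `acctDisabled`, `expires`, `cpassword`) are assumed from the Groups.xml preference format.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample, not taken from a real domain. The cpassword value is a
# placeholder; attribute names are assumed from the Groups.xml preference format.
SAMPLE = """<Groups>
  <User name="tempvendor">
    <Properties action="C" userName="tempvendor" cpassword="PLACEHOLDER"
                acctDisabled="0" expires="2012-06-30"/>
  </User>
  <User name="Administrator (built-in)">
    <Properties action="U" userName="Administrator (built-in)"
                newName="opsadmin" cpassword="" acctDisabled="0"/>
  </User>
  <User name="oldtemp">
    <Properties action="D" userName="oldtemp"/>
  </User>
</Groups>"""

ACTIONS = {"C": "create", "R": "replace", "U": "update", "D": "delete"}

def audit_groups_xml(xml_data):
    """Summarise each local user item (str or bytes input); never returns the cpassword value."""
    items = []
    for props in ET.fromstring(xml_data).iterfind("User/Properties"):
        items.append({
            "user": props.get("userName"),
            "action": ACTIONS.get(props.get("action", "").upper(), "unknown"),
            "renamed_to": props.get("newName") or None,
            "disabled": props.get("acctDisabled") == "1",
            "expires": props.get("expires"),          # None means no expiry date set
            "stores_password": bool(props.get("cpassword")),
        })
    return items

def audit_sysvol(policies_dir):
    """Walk a Policies folder; return (file, item) pairs whose item stores a password."""
    hits = []
    for path in Path(policies_dir).rglob("Groups.xml"):
        try:
            items = audit_groups_xml(path.read_bytes())
        except ET.ParseError:
            continue  # empty or malformed file: nothing to report
        hits += [(str(path), i) for i in items if i["stores_password"]]
    return hits

if __name__ == "__main__":
    print(audit_groups_xml(SAMPLE))
```

Run `audit_sysvol` against a copy of the domain's Policies folder; any hit is a local account whose password should be rotated and managed by another mechanism.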

How do you use local account provisioning through Group Policy? Share your administrative practices in the discussion.


About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

6 comments
Bogdan Peste

Great for updating the local Administrator account password. Use it in production, great setting.

psutsos

Use the Group Policy Management console available in the RSAT tools for Windows 7, Windows 2008, or 2008 R2. With those tools, you can create Group Policy Preferences, which can be hosted on Windows 2003 domains and up (maybe 2000 domains, don't know). Preferences are not available to be created with the 2003 or 2003 R2 tool but that doesn't mean your 2003 domain can't host them in the \Sysvol directory. It can.

b4real

I've moved on, my friend!

Richard Noel

I haven't been able to make the jump to Windows 2008 yet, but I do have Windows 7 with RSAT installed. Thanks to your input I was able to implement this very useful tip. Now I can not only make sure that I have local access to the PCs on our domain, but I can change that password very quickly should a System Administrator decide to leave our group.
