One admin task that is usually more of a pain than it’s worth is temporary account provisioning. Active Directory accounts are the way to go, but what about when something requires a local account? In this situation, Group Policy can help more than you might think.
Group Policy can create an account with some of the management aspects, such as an account expiration date, to be applied locally to computer accounts. Local accounts that are to be pushed to computer accounts are configured in Group Policy in the Computer Configuration | Preferences | Control Panel Settings | Local Users And Groups section (Figure A).
Click the image to enlarge.
It’s beneficial to provision this through Group Policy if you have to deploy a large number of local accounts. Another advantage to provisioning the local accounts through Group Policy is that it allows you to delete the accounts as easily as you created the accounts.
Group Policy offers a variety of local account provisioning options, which include disabling the account disabled, deleting the account, and resetting the account’s password (Figure B).
For all practical purposes, this is a more difficult use case compared to time sensitive domain accounts. In my TechRepublic post about provisioning account access for non-employees, the common theme is to make the access not last forever. Most administrators want to reduce the amount of local accounts in play, yet the best way to administer them is the same way we do for Active Directory accounts.
The other practical use case is to re-create the local administrator account to an obscure username. Most administrators still leave a local account as an administrator with a changed username.
How do you use local account provisioning through Group Policy? Share your administrative practices in the discussion.
Stay on top of the latest Windows Server 2003 and Windows Server 2008 tips and tricks with our free Windows Server newsletter, delivered each Wednesday.