
Windows 2008 R2: Accounts: Administrator Account Status Not Working

Published on Monday, April 4, 2011

One of the things a colleague of mine encountered in the past, and which I stumbled upon lately, is the following. Sometimes people want the local Administrator account disabled on their servers. There has been a GPO setting to do this for ages. It is located under Computer Settings > Windows Settings > Security Settings > Local Policies > Security Options. The setting is “Accounts: Administrator Account Status”: Disabled.

The screenshot shown below is from the local security policy on a server that has the GPO (Administrator Account Status: Disabled) applied. You can see that a group policy is setting the value to Enabled, which is the opposite of what I configured in the GPO.


One could think another GPO is being applied later. But using gpresult /H:report.html I can clearly see that “my” GPO is winning and that the setting should in fact be Disabled…


A regular Resultant Set of Policy also shows the setting as Disabled…


But the account is Active and stays that way…


So, Group Policy Preferences to the rescue! It’s not a real answer as to why things are going wrong, but it’s definitely a workable workaround. This policy works flawlessly.


You can’t always get to the bottom of things…


3 Responses to Windows 2008 R2: Accounts: Administrator Account Status Not Working

31 May, 2014 05:25

I think I found the reason the local Administrator account does not get disabled when the GPO is set at the domain level: It's the only valid local Administrator account:
http://msdn.microsoft.com/en-us/library/jj852165(v=ws.10).aspx

Matt

Anonymous
23 February, 2017 08:45

I stumbled across this issue recently (all servers 2012 R2) and it's because you must have a local admin account active. If you follow best practice and create a second local administrator (manually, as you can't do this via GPO anymore) and control that with LAPS, you can then use this policy setting to disable the built-in administrator (500 SID) account afterwards (we also rename as well as disable). The disable admin GPO setting then works, but if you don't create the second local admin account first this setting won't apply.
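The condition the commenters describe (the built-in account is only disabled when another enabled local administrator exists) can be checked on a server before relying on the policy. This is an added example, not code from the post or its commenters; it uses WMI and the WinNT ADSI provider so it also runs on 2008 R2 with PowerShell 2.0, and it assumes it is run elevated on the server being checked.

```powershell
# Added example (not from the post or its commenters): report whether the
# built-in Administrator (RID 500) has another enabled local admin beside it,
# which the comments above identify as the precondition for the
# "Accounts: Administrator account status: Disabled" policy to take effect.
# Assumes an elevated session on the server being checked.

function Get-LocalAdminState {
    $computer = $env:COMPUTERNAME

    # Find the RID-500 account by SID, not by name: it may have been renamed.
    $builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }

    # Enumerate the local Administrators group and keep only local user
    # accounts; domain users or groups do not count as a local admin.
    $group = [ADSI]"WinNT://$computer/Administrators,group"
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path  = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        if ($class -eq 'User' -and $path -like "WinNT://$computer/*") {
            $name = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$name'"
        }
    }

    # Enabled local admins other than the built-in account.
    $otherEnabledAdmins = @($members | Where-Object {
        $_.SID -ne $builtin.SID -and -not $_.Disabled })

    New-Object PSObject -Property @{
        BuiltinName        = $builtin.Name
        BuiltinDisabled    = $builtin.Disabled
        OtherEnabledAdmins = @($otherEnabledAdmins | ForEach-Object { $_.Name })
        # False here means the GPO setting will silently not apply, as in the post.
        PolicyCanApply     = ($otherEnabledAdmins.Count -gt 0)
    }
}

Get-LocalAdminState | Format-List
```

Run it after creating the second local admin (e.g. the LAPS-managed account mentioned above) and before expecting the GPO setting to disable the built-in account.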

23 February, 2017 14:14

I believe somewhere in the last year I've learned that as well :) The GPO indeed doesn't apply if there's no active Administrator account.

Thanks for taking the time to post!
