How to remove unwanted local user accounts

by Mitch Tulloch [Published on 10 April 2007 / Last Updated on 10 April 2007]

How to get rid of those pesky local user accounts on your workstations, or at least mitigate their unwanted presence.

Say your network of Windows computers used to be a workgroup and you changed it to a domain. Now you have a bunch of workstations that can be accessed by both local user accounts (from their time as part of a workgroup) and domain user accounts (stored in Active Directory). Is there any way you can prevent users from continuing to log on using their old local user accounts stored on their machines?

The preferred solution is to delete the local user accounts from each workstation that has them. A possible alternative is to use Group Policy to manipulate the Log On Locally user right so that no one except domain users can log on to the desktop computers targeted by such a policy. The Log On Locally user right is found under Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment. The Log On Locally approach should, however, be carefully tested on a test network before you use it on your production network, to make sure that implementing it in your environment has no unpredictable effects.

Another approach worth exploring is to use a script to delete unwanted local user accounts from your computers. A sample script that does this and which you can customize further if needed can be found at http://www.microsoft.com/technet/scriptcenter/scripts/ds/local/users/default.mspx?mfr=true on the Windows Script Repository. By deploying this script to targeted desktop computers using Group Policy, you should be able to remove all unnecessary local accounts from these computers.
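A PowerShell version of the cleanup the article describes, as an added example (it is not the TechNet sample script linked above). It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), a hypothetical keep list of site-specific account names, and a log path of my choosing; run it with -WhatIf first to audit what would be deleted, then deploy it through Group Policy as a computer startup script.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not the article's linked script. Removes user-created local
  accounts, keeps built-ins and an explicit keep list, and logs every decision.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts that must survive. Names are hypothetical; adjust for your site.
    [string[]] $KeepList = @('Administrator', 'Guest', 'DefaultAccount',
                             'WDAGUtilityAccount', 'LocalBreakGlass'),
    # Assumed log location so removals can be reviewed afterwards.
    [string] $LogPath = "$env:ProgramData\LocalAccountCleanup.log"
)

$results = foreach ($user in Get-LocalUser) {
    # The last SID component (RID) is below 1000 for built-in accounts and
    # 1000 or higher for accounts people created while the machine was in a workgroup.
    $rid    = [int]($user.SID.Value.Split('-')[-1])
    $stamp  = Get-Date -Format s
    $reason = $null
    if ($rid -lt 1000)                       { $reason = 'built-in (RID below 1000)' }
    elseif ($KeepList -contains $user.Name)  { $reason = 'on keep list' }

    if ($reason) {
        "$stamp KEEP         $($user.Name) : $reason"
        continue
    }

    # ShouldProcess honours -WhatIf/-Confirm, so the same script doubles as an audit tool.
    if ($PSCmdlet.ShouldProcess($user.Name, 'Remove local user account')) {
        try {
            Remove-LocalUser -SID $user.SID -ErrorAction Stop
            "$stamp REMOVED      $($user.Name) (RID $rid, enabled=$($user.Enabled))"
        } catch {
            "$stamp ERROR        $($user.Name) : $($_.Exception.Message)"
        }
    } else {
        "$stamp WOULD-REMOVE $($user.Name) (RID $rid, enabled=$($user.Enabled))"
    }
}

# Write the decisions to the console and append them to the log for later review.
$results | Tee-Object -FilePath $LogPath -Append
```

Remove-LocalUser deletes only the account; any profile folder it left under C:\Users remains and needs separate cleanup if you want it gone.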

Finally, here’s a social engineering way of doing it—configure password policies on the OU where the machines reside that have such local user accounts. Configure the policy so that users have to enter a long, complex password and they have to change it every day to something new (and enforce password history using its maximum value to prevent them from re-using their old passwords). GPOs that have password policies configured and which are linked to OUs will affect only local user accounts for machines in that OU, so users who try to use their old local user accounts will have to frequently change their passwords and will likely get tired of doing so after a while!

***

Mitch Tulloch was the lead author for the Windows Vista Resource Kit from Microsoft Press, which is THE book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. For more about Mitch, visit his website www.mtit.com
