How to disable all the admins accounts except built-in administrator on a domain?

Suppose that an administrator for a domain is fired and you are now the new administrator of a Windows 2012 server. While managing the network, something tells you that some people are using local accounts with administrative rights to log on to the computers (they may have gotten these users from the previous admin). Now what you want to do is to disable all local Administrators EXCEPT the built-in administrator with group policy.

I have tried to change the "Allow log on locally" in:

Computer Configuration
 * Policies
   * Windows Settings
     * Security Settings
       * Local Policies
         * User Rights Assignment

But the thing is that Windows only allows you to do this if you add the "Administrators Group" to the allowed list, and by doing that we will be back at square one.


Solution 1:

Maybe you're asking the wrong question. Instead of trying to disable a bunch of local user accounts on a bunch of different computers, perhaps instead you should use Restricted Groups in Group Policy to define exactly who is allowed to be a member of the Administrators group on the computers. It will strip out all accounts who are in the local Administrators group on all the machines, except for the accounts (or groups) you specify.

https://technet.microsoft.com/en-us/library/cc756802(v=ws.10).aspx

But if for some reason you actually wanted to leave the local user accounts in the local Administrators group on all the clients, but just disable them, then you will have to develop a script to do that.

Edit: Because it's a lazy Saturday afternoon, I wrote a script that does what you described. It disables all local user accounts that are members of the Administrators group except for the built-in Administrator. It's not the most efficient way, but I am too lazy to optimize it. Again, for the record, my recommendation is using Group Policy Restricted Groups, but I just felt like doing some scripting.

# Author: Ryan Ries
# This script disables all local user accounts who are members of the Administrators group,
# except for the built-in Administrator (sid-500).
# Use at your own risk.
Set-StrictMode -Version Latest

[Int]$DomainRole = (Get-WmiObject Win32_ComputerSystem).DomainRole

# Don't run if we are a domain controller (DomainRole 4 = backup DC, 5 = primary DC).
# A DC has no local SAM, so "local" accounts there are really domain accounts.
If (($DomainRole -EQ 4) -OR ($DomainRole -EQ 5))
{
    Write-Error "This script cannot be run on a domain controller."
    Return
}

# We need to be an elevated administrator.
$CurrentUser = New-Object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())

If (-Not($CurrentUser.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)))
{
    Write-Error "$($CurrentUser.Identity.Name) is not currently an Administrator. (Need UAC elevation?)"
    Return
}

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$ContextType = [System.DirectoryServices.AccountManagement.ContextType]::Machine

$Context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ContextType, $Env:COMPUTERNAME

$IDType = [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName

$Group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($Context, $IDType, 'Administrators')

Foreach ($Member In $Group.Members)
{
    If ($Member.Sid.Value.EndsWith('-500'))
    {
        # This is the built-in local administrator, so we'll skip it.
        Continue
    }

    # $Group.Members also returns domain users and groups (e.g. Domain Admins) nested in the
    # local Administrators group. Those have no WinNT://./ object on this machine, so skip
    # anything that is not a local user account; otherwise the ADSI bind below fails.
    If (($Member.ContextType -ne $ContextType) -Or -Not ($Member -Is [System.DirectoryServices.AccountManagement.UserPrincipal]))
    {
        Continue
    }

    # Bind to the local SAM account explicitly as a user object.
    $User = [ADSI]"WinNT://./$($Member.SamAccountName),user"

    # Set the ADS_UF_ACCOUNTDISABLE bit (0x2) without clobbering the other UserFlags bits
    # (password never expires, etc.), then write the change back to the SAM.
    $User.UserFlags = [Int]$User.UserFlags.Value -bor 2

    $User.CommitChanges()
}
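An added example, not part of the answer above and not the answerer's code: once Restricted Groups is in place, the defender's follow-up question is whether the effective membership of the local Administrators group on each machine actually matches the set the policy is meant to enforce. The function below reads the group, classifies every member (built-in RID 500 account, local user, domain principal, group), reports whether a local account is still enabled, and flags anything outside an allowed list. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 / Windows 10 and later); on Server 2012 the System.DirectoryServices.AccountManagement approach in the script above is the way to enumerate members. "CONTOSO" is a placeholder domain name, and the function name Get-LocalAdminDrift is this example's own.

```powershell
# Added example: audit local Administrators membership against the set you intend
# Restricted Groups to enforce, and report drift. Requires the LocalAccounts cmdlets
# (Get-LocalGroupMember, Get-LocalUser), i.e. Windows PowerShell 5.1 on Server 2016+.
function Get-LocalAdminDrift {
    [CmdletBinding()]
    param(
        # Members you intend to keep, written as Get-LocalGroupMember reports them
        # (MACHINE\name or DOMAIN\name). CONTOSO is a placeholder domain.
        [string[]]$AllowedMembers = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')
    )

    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        # RID 500 is the built-in Administrator; Restricted Groups cannot remove it anyway.
        $isBuiltIn = $member.SID.Value.EndsWith('-500')
        $allowed   = $isBuiltIn -or ($AllowedMembers -contains $member.Name)

        # Only local user accounts have an enabled/disabled state readable here.
        # Domain principals and groups are reported but left to AD / Restricted Groups.
        $enabled = $null
        if ($member.PrincipalSource -eq 'Local' -and $member.ObjectClass -eq 'User') {
            $enabled = (Get-LocalUser -SID $member.SID).Enabled
        }

        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            Member          = $member.Name
            ObjectClass     = $member.ObjectClass
            PrincipalSource = $member.PrincipalSource
            Enabled         = $enabled
            Allowed         = $allowed
        }
    }
}

# Show only what the policy should have removed. An enabled local user in this list
# means either the GPO has not applied to this machine yet or someone re-added the account.
Get-LocalAdminDrift | Where-Object { -not $_.Allowed } | Format-Table -AutoSize
```

Run it on one machine first to confirm the allowed list is spelled the way Get-LocalGroupMember reports names; then run the same function fleet-wide through Invoke-Command and collect the objects, since the ComputerName field is there precisely so the per-machine results can be merged into one report. The function only reads, so it is safe to schedule as a recurring check.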