Hack 34 Prevent Ordinary Users from Creating Local Accounts


Here's a quick hack that will let you prevent users from creating new local user accounts on their desktop computers.

By default, ordinary users on Windows 2000 Professional workstations can use Computer Management to create new local user accounts on their machines. All they need to do is right-click on My Computer, select Manage to open Computer Management, expand Local Users and Groups under System Tools, right-click on Users, and select New User. This procedure lets them create ordinary user accounts only, not administrator accounts, but it still represents an undesirable loophole for most administrators. Every account created this way is a persistent local credential that the administrator never provisioned and that sits outside the domain's account management, so it is rarely desirable for users to be able to create additional accounts for themselves on their desktop machines.

Here's a workaround to solve this problem. To disable a user's ability to create new local accounts on his machine, log on locally to his machine as a member of the Administrators group and open Computer Management. Select Groups under Local Users and Groups to display all local groups on the machine. Double-click on the Users group to display its members (see Figure 3-6), and you should see NT AUTHORITY\INTERACTIVE as a member of this group. Select this entry and click Remove to remove it from the group (this doesn't delete anything; INTERACTIVE is a special identity that the system adds to the logon token of anyone logged on at the console, and you are only removing it from the group's membership list).

Figure 3-6. Removing the INTERACTIVE special identity from the Users group

This action removes the ability for logged-on users to create new local accounts on their systems. Because INTERACTIVE covers every user who logs on at the console, the change affects all interactive logons on that machine, not just the one user, so test it on a single workstation and confirm that the permissions and applications your users rely on still work before rolling it out more widely.

If you don't want to log on interactively to users' machines using your Administrator account, you can use the runas command instead. While the user is logged on to her machine using her ordinary user account, open a command prompt and type:

runas /user:MyAdminAcct@MyDomain.com cmd

Type your password when prompted (make sure the user is not looking at the screen; bear in mind, too, that you are typing administrative credentials on a machine you do not fully control, so don't do this on a workstation you suspect is compromised). This opens a new command-prompt window, running under your Administrator credentials. Now type the following command into the new window:

net localgroup Users "NT AUTHORITY\INTERACTIVE" /delete

This removes the INTERACTIVE special identity from the Users group. You can confirm the change by running net localgroup Users in the same window and checking that NT AUTHORITY\INTERACTIVE no longer appears in the member list.
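The same change, scripted so it can be verified and repeated across workstations. This is an added example, not part of the original hack, and it goes beyond the hack's Windows 2000 procedure: it uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Windows Server 2016 and later, PowerShell 5.1 or newer) and identifies the Users group and INTERACTIVE by their well-known SIDs (S-1-5-32-545 and S-1-5-4) rather than by display name, so it does not depend on the OS language. The function names Test-InteractiveInUsers and Remove-InteractiveFromUsers are this example's own. Run it from an elevated prompt, such as the runas window described above.

```powershell
# Added example (not from the original hack): remove the INTERACTIVE special
# identity from the local Users group and verify the result.
# Requires Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016+,
# PowerShell 5.1+) and an elevated session.
#Requires -RunAsAdministrator

# Well-known SIDs, used instead of display names so the script works on
# any OS language.
$UsersGroupSid  = 'S-1-5-32-545'   # BUILTIN\Users
$InteractiveSid = 'S-1-5-4'        # NT AUTHORITY\INTERACTIVE

function Test-InteractiveInUsers {
    # Returns $true if INTERACTIVE is currently a member of the Users group.
    $members = Get-LocalGroupMember -SID $UsersGroupSid -ErrorAction Stop
    return [bool]($members | Where-Object { $_.SID.Value -eq $InteractiveSid })
}

function Remove-InteractiveFromUsers {
    # Removes INTERACTIVE from Users; supports -WhatIf / -Confirm so the
    # change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-InteractiveInUsers)) {
        Write-Verbose 'INTERACTIVE is not a member of Users; nothing to do.'
        return
    }

    $group = Get-LocalGroup -SID $UsersGroupSid -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($group.Name, 'Remove member NT AUTHORITY\INTERACTIVE')) {
        # -Member accepts a SID string as well as a name.
        Remove-LocalGroupMember -Group $group -Member $InteractiveSid -ErrorAction Stop
    }
}

# Record the membership before and after so the change can be audited.
'Users group before:'
Get-LocalGroupMember -SID $UsersGroupSid | Format-Table Name, ObjectClass, SID -AutoSize

Remove-InteractiveFromUsers -Verbose

'Users group after:'
Get-LocalGroupMember -SID $UsersGroupSid | Format-Table Name, ObjectClass, SID -AutoSize

if (Test-InteractiveInUsers) {
    Write-Error 'INTERACTIVE is still a member of Users; the removal did not take effect.'
}
```

Test-InteractiveInUsers on its own is a convenient audit check: run it on each workstation (for example through Invoke-Command) to find machines where INTERACTIVE is still in Users, and run Remove-InteractiveFromUsers -WhatIf first to see exactly what would change.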

—Rod Trent