Share via

Administrator Account

Roger Roger 6,041 Reputation points
2024-09-21T15:33:43.6133333+00:00

Hi All

If I disable the group policy listed below, can any locally created user still log in to any of the member servers(i.e during troubleshooting if any server is moved out of the domain or any issue with the member server)? How will it behave for Domain Controllers? Since the Local Administrator account on a DC becomes the Domain Administrator account, will I still be able to log in with the Administrator account on the Domain Controller

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options->Accounts: Administrator account status

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,743 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,504 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,040 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,515 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,832 questions
0 comments
Accepted answer
  1. Yanhong Liu 9,450 Reputation points Microsoft Vendor
    2024-09-23T02:46:05.07+00:00

    Hello,

    When you disable the policy "Accounts: Administrator account status," it affects the default Administrator account on the local machine. Here's what happens in different scenarios:

    1. Member Servers:

    If Disjoined from Domain: If a member server is moved out of the domain (becomes a standalone server), the local Administrator account will be disabled if this policy is set to "Disabled." This means you will not be able to log in using the local Administrator account. If you have other local user accounts, you could log in with those, provided they have the necessary permissions.

    If Still in Domain: As long as the server is joined to the domain, domain accounts with appropriate permissions can still log in. The policy affects only the local Administrator account.

    1. Domain Controllers:

    On domain controllers, the local Administrator account essentially does not exist in the same form as on member servers; it's replaced by the Domain Administrator account.

    You will still be able to log in with the Domain Administrator account on a domain controller, as this policy does not disable domain accounts.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.