Hack 34 Prevent Ordinary Users from Creating Local Accounts


Here's a quick hack that will
let you prevent users from creating new local user accounts on their
desktop computers.
By default, ordinary users on Windows 2000 Professional
workstations can use Computer Management to create new local user
accounts on their machines. All they need to do is right-click on My
Computer, select Manage to open Computer Management, expand Local
Users and Groups under System Tools, right-click on Users, and select
New User. This procedure lets them create ordinary user accounts
only, not administrator accounts, but it is still an undesirable
loophole for most administrators: it leaves local accounts on the
workstation that the administrator never created, doesn't know about,
and can't easily audit, and a user whose own account has been disabled
can still log on locally with one he created earlier. After all,
it's rarely a desirable feature for users to
create additional accounts for themselves on their desktop machines.
Here's a workaround to solve this problem. To
disable a user's ability to create new local
accounts on his machine, log on locally to his machine as a member of
the Administrators group and open Computer Management. Select Groups
under Local Users and Groups to display all local groups on the
machine. Double-click on the Users group to
display its members (see Figure 3-6), and you
should see NT AUTHORITY\INTERACTIVE as a member of
this group. Select this account and click Remove to remove it from
the group (this doesn't delete the account; it only
removes it from the group).
Figure 3-6. Removing the INTERACTIVE special identity from the Users group

This action removes the ability for logged-on users to create new
local accounts on their systems. Note that the change is per machine,
not per user: it affects every account that logs on interactively to
that workstation, and it has to be repeated on each workstation you
want to protect (a startup script or a Restricted Groups policy will
do that for you on many machines at once).
If you don't want to log on interactively to
users' machines using your Administrator account,
you can use the runas command instead. While the
user is logged on to her machine using her ordinary user account,
open a command prompt and type:
runas /user:MyAdminAcct@MyDomain.com cmd
Type your password when prompted (make sure the user is not looking
at the screen, and bear in mind that anything already running on that
workstation, such as a keystroke logger, can capture a password typed
there, so don't do this on a machine you suspect is compromised). This
opens a new command-prompt window running under your Administrator
credentials while the user's own session continues unchanged. Now type
the following command into the new window:
net localgroup users "NT AUTHORITY\INTERACTIVE" /DELETE
This removes the INTERACTIVE special identity from
the Users group, exactly as the Computer Management procedure does.
Run net localgroup users again in the same window to confirm that
INTERACTIVE no longer appears in the member list.
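If you need to do this on more than a handful of workstations, the same net commands can be wrapped in a small batch file that first checks whether INTERACTIVE is still a member of the local Users group, removes it only when asked to, and re-checks afterward so you get a reliable exit code for a startup script or an inventory run. This script is added here as an example; it is not part of the original hack, and the file name fix-interactive.cmd and its check/fix arguments are my own choices.

```batch
@echo off
rem fix-interactive.cmd - example script, not from the original hack.
rem Audits and (optionally) removes NT AUTHORITY\INTERACTIVE from the
rem local Users group. Run it from a command prompt that is already
rem running under Administrator credentials (for example one opened
rem with runas).
rem
rem   fix-interactive.cmd check   report only (default)
rem   fix-interactive.cmd fix     remove INTERACTIVE if present
rem
rem Exit codes: 0 = INTERACTIVE not a member (or removed successfully)
rem             1 = INTERACTIVE is a member and check mode was used
rem             2 = removal attempted but failed

setlocal
set MODE=%1
if "%MODE%"=="" set MODE=check

rem List the members of Users and look for the INTERACTIVE identity.
rem /l makes findstr treat the backslash literally, /i ignores case.
net localgroup Users | findstr /i /l /c:"NT AUTHORITY\INTERACTIVE" >nul
if errorlevel 1 (
    echo %COMPUTERNAME%: INTERACTIVE is not a member of Users - nothing to do.
    exit /b 0
)

echo %COMPUTERNAME%: INTERACTIVE is a member of Users.
if /i not "%MODE%"=="fix" exit /b 1

rem Remove the special identity from the group. This only changes
rem group membership; it does not delete any account.
net localgroup Users "NT AUTHORITY\INTERACTIVE" /delete
if errorlevel 1 (
    echo %COMPUTERNAME%: removal failed - is this prompt running as an Administrator?
    exit /b 2
)

rem Re-check so the script reports success only if the change stuck.
net localgroup Users | findstr /i /l /c:"NT AUTHORITY\INTERACTIVE" >nul
if not errorlevel 1 (
    echo %COMPUTERNAME%: INTERACTIVE is still a member of Users after removal.
    exit /b 2
)

echo %COMPUTERNAME%: INTERACTIVE removed from Users.
exit /b 0
```

From the runas-launched command prompt described above, run fix-interactive.cmd check first to see whether the machine still needs the change, then fix-interactive.cmd fix to apply it. In check mode the script changes nothing, so it is also safe to run from a domain startup script to find workstations where INTERACTIVE has been put back into Users.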
Rod Trent