How to set up a computer that does not allow others to create and delete local accounts?

Question

Hi,

The computer is Windows 10 LTSC Enterprise Edition, 21H2. There is only one computer, no server.

How to set up a computer to prevent unauthorized group users entering computer management to create local accounts and delete accounts?

Answer 1

Hello Zhang,

Thank you for your question and for reaching out with your question today.

To prevent unauthorized group users from accessing Computer Management and creating/deleting local accounts on a Windows 10 LTSC Enterprise Edition computer, you can use Group Policy settings to restrict access to these administrative tools. Here's how you can do it:

1. **Open Local Group Policy Editor**:
   - Press Win + R to open the Run dialog.
   - Type `gpedit.msc` and press Enter to open the Local Group Policy Editor.

2. **Navigate to Computer Management Settings**:
   - In the Local Group Policy Editor, go to: `Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment`.

3. **Modify "Manage auditing and security log" Policy**:
   - Double-click on the "Manage auditing and security log" policy.
   - By default, this policy is usually assigned to the "Administrators" group. Remove any other groups or users that you want to prevent from creating/deleting local accounts. Ensure that only necessary administrative users or groups are listed here.

4. **Modify "Manage user accounts" Policy**:
   - Double-click on the "Manage user accounts" policy.
   - By default, this policy is usually assigned to the "Administrators" group. Remove any other groups or users that you want to prevent from creating/deleting local accounts. Ensure that only necessary administrative users or groups are listed here.

5. **Modify "Profile single process" Policy**:
   - Double-click on the "Profile single process" policy.
   - By default, this policy is usually assigned to the "Administrators" group. Remove any other groups or users that you want to prevent from creating/deleting local accounts. Ensure that only necessary administrative users or groups are listed here.

6. **Modify "Restore files and directories" Policy**:
   - Double-click on the "Restore files and directories" policy.
   - By default, this policy is usually assigned to the "Administrators" group. Remove any other groups or users that you want to prevent from creating/deleting local accounts. Ensure that only necessary administrative users or groups are listed here.

7. **Apply Changes**:
   - After making the necessary changes, close the Local Group Policy Editor.

8. **Update Group Policy**:
   - Open a Command Prompt with administrative privileges (right-click on Start and choose "Windows Terminal (Admin)").
   - Run the following command to apply the updated Group Policy settings immediately:
     ```
     gpupdate /force
     ```

By configuring the User Rights Assignment policies as described above, you are restricting the ability to perform account management tasks to only authorized users. Other users or groups that you have removed from these policies will no longer be able to create or delete local accounts through Computer Management or other administrative tools.

Please note that making changes to Group Policy can have significant effects on system behavior, so make sure you thoroughly understand the consequences of your actions before applying any modifications. Always create a backup or snapshot of your system before making major changes to Group Policy. If you are not familiar with Group Policy settings, it's recommended to test these changes in a controlled environment first to ensure they work as intended for your specific use case.

I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

If the reply was helpful, please don’t forget to upvote or accept as answer.

Best regards.

Answer 2

I didn't find the "Manage user accounts" Policy**,

but all other policies have been modified, and then I run "gpupdate /force ", showing that the update successful, and the administrator was not in the group of the above policies, then I tried to create accounts and delete accounts, which was still ok.