
JSI Tip 4188. How do I prevent ordinary users from creating user accounts on their Windows 2000 Professional computer?

An ordinary user of a Windows 2000 Professional computer can use My Computer / Manage / Local Users and Groups / New User to add a new local user to their computer.

In a company environment, this is NOT desirable.

To prevent this ability:

1. Log on locally as a member of the Administrators group.

2. Open a CMD prompt and type:

        net localgroup users "NT AUTHORITY\INTERACTIVE" /DELETE

NOTE: You can create a batch file that contains this command and run it on a remote computer with PsExec:

        PsExec \\RemoteComputer -u DomainAdminAccount -p DomainAdminPassword \\ServerName\ShareName\BatchName

NOTE: To do this on all the workstations in your Windows 2000 domain, use the following batch file:

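        @echo off
        rem Call :computer once for each workstation that netdom lists.
        For /f "Skip=1 Tokens=1" %%i in ('netdom query /domain WORKSTATION') do call :computer "%%i"
        goto :EOF

        :computer
        rem Strip the surrounding quotes from the computer name.
        set machine=%1
        set machine=%machine:"=%
        rem Skip netdom output lines that are not computer names.
        if "%machine%" EQU "The" goto :EOF
        if "%machine%" EQU "Directory" goto :EOF
        PsExec \\%machine% -u DomainAdminAccount -p DomainAdminPassword \\ServerName\ShareName\BatchName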
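
One possible body for the BatchName file referred to above, written as an added example (it is not part of the original tip): it checks whether NT AUTHORITY\INTERACTIVE is still a member of Users, removes it only if present, re-reads the group to confirm, and returns an exit code. It assumes the local group is named Users, as in the command in step 2.

```batch
@echo off
rem Added example, not from the original tip.
rem Assumption: the local group is named "users", as in step 2 above.
setlocal
set "MEMBER=NT AUTHORITY\INTERACTIVE"

rem "net localgroup users" lists the members one per line.
rem find /i returns errorlevel 0 when the member is listed, 1 when it is not.
net localgroup users | find /i "%MEMBER%" >nul
if errorlevel 1 (
    echo %COMPUTERNAME%: %MEMBER% is not a member of Users - nothing to do.
    exit /b 0
)

rem The member is present: remove it with the command from step 2.
net localgroup users "%MEMBER%" /DELETE >nul
if errorlevel 1 (
    echo %COMPUTERNAME%: removal FAILED - run this as a local Administrator.
    exit /b 1
)

rem Re-read the group to confirm that the change took effect.
net localgroup users | find /i "%MEMBER%" >nul
if errorlevel 1 (
    echo %COMPUTERNAME%: %MEMBER% removed from Users.
    exit /b 0
)
echo %COMPUTERNAME%: %MEMBER% is still listed in Users.
exit /b 1
```

PsExec returns the exit code of the program it ran, so a non-zero result identifies a workstation where the change did not apply.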
