Stop Windows from switching to local computer for “administrator”?


Modern versions of Windows seem to have a “feature” wherein, at the login screen of a domain-joined machine, if “administrator” is entered as the username, it automatically switches from the domain to the local accounts. If you’re trying to log in as “domain\administrator”, you therefore always have to type in “domain\”, whereas this is not necessary for logging into any other domain account.

This is getting very annoying so I’m wondering if there is a way to disable this behaviour. Ideally I’d like to set group policy to stop it on all systems.

Web searches came up dry apart from the occasional mention of this “feature” as an annoyance.

Solution:

I’ve never seen a way to disable this, but then it’s never been that much of an irritation to me. My genuine answer is to use proper, allocated administration accounts with real user names. Not only is it best practice, but it solves this issue instantly.

In my opinion, the Administrator domain admin account is there to get you started. After that, it should be disabled or given an extremely complicated password and left for emergencies only.

  1. Local Administrator should always be renamed. There’s a GPO setting for this.
    • Optionally you can disable or even delete the local admin account via GPO/GPP too.
  2. Nobody should ever be logging in with a generic Administrator account except for extreme emergencies. Nobody should even know the Domain Administrator password; two or more people should set it, write their portions on paper and seal it in an envelope.
  3. You should either have:
    • Your own user account, who is also a domain administrator (not preferred)
    • A user account, i.e. kevin, and a domain administrator account, i.e. kevin-admin (preferred).
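
A read-only audit of the recommendations in the list above, added here as an example and not part of the original answers: it reports whether the built-in Administrator accounts (local and domain, found by RID 500) are renamed or disabled, and lists Domain Admins members that do not look like dedicated admin accounts. It assumes Windows PowerShell 5.1, the RSAT ActiveDirectory module for the domain part, the English default name `Administrator`, and a hypothetical `*-admin` naming convention taken from the `kevin-admin` example.

```powershell
# Added audit example (read-only). The '*-admin' pattern is an assumed naming
# convention based on the kevin / kevin-admin example in the answer above.
$AdminNamePattern = '*-admin'

function Test-BuiltinAdminState {
    param([Parameter(Mandatory)] $Account, [string] $Scope)
    [pscustomobject]@{
        Scope   = $Scope
        Name    = $Account.Name
        Renamed = $Account.Name -ne 'Administrator'   # assumes English default name
        Enabled = [bool]$Account.Enabled
    }
}

# Local built-in Administrator: matched by RID 500, so a rename does not hide it.
$local = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($local) {
    Test-BuiltinAdminState -Account $local -Scope "Local ($env:COMPUTERNAME)"
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domainSid = (Get-ADDomain).DomainSID.Value

    # Domain built-in Administrator (RID 500): should be disabled or emergency-only.
    $builtin = Get-ADUser -Identity "$domainSid-500"
    Test-BuiltinAdminState -Account $builtin -Scope 'Domain'

    # Domain Admins (RID 512) members that are not the built-in account and do
    # not follow the separate-admin-account naming convention.
    Get-ADGroupMember -Identity "$domainSid-512" -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.SID.Value -ne "$domainSid-500" } |
        Where-Object { $_.SamAccountName -notlike $AdminNamePattern } |
        Select-Object SamAccountName, distinguishedName
}
```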
