Problem solve Get help with specific problems with your technologies, process and projects.

Restrict ordinary users to create local accounts

It is not a good idea to allow users to create additional accounts for themselves on their desktop machines. Here's a workaround to solve this problem.

Please let us know how useful you find this tip by rating it below! If you have a useful Windows tip, timesaver...

or workaround to share, submit it to our tip contest and you could win a prize!


By default, ordinary users on Windows 2000 Professional workstations can use Computer Management to create new local user accounts on their machines. All they need to do is right-click on My Computer, select Manage to open Computer Management, locate Local Users and Groups under System Tools, right-click on Users, and select New User. This procedure lets them create ordinary user accounts only, not administrator accounts, but it still represents an undesirable loophole for most administrators. After all, it's usually not a desirable feature for users to create additional accounts for themselves on their desktop machines.

There is a workaround to solve this problem. To disable a user's ability to create new local accounts on his machine do the following:

  • Log on locally to the machine as a member of the Administrators group and open Computer Management.
  • Select Groups under Local Users and Groups to display all local groups on the machine.
  • Double-click on the Users group to display its members and you should see NT AUTHORITYINTERACTIVE as a member of this group. Select this account and click Remove to remove it from the group. This action removes the ability for logged-on users to create new local accounts on their systems.

Dig Deeper on Windows Server troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchSQLServer

SearchEnterpriseDesktop

SearchVirtualDesktop

Close