I'm currently managing a Windows Server 2019 environment as a domain controller. I've been considering the possibility of removing the Built-in Administrators group and the BUILTIN\Administrator accounts from the operating system's Group Policy Object (GPO). I want to know if doing this could lead to any negative consequences. If anyone has insights or experiences with this, their guidance would be greatly appreciated!
5 Answers
There’s really no good reason to completely remove them. There are established frameworks suggesting safer alternatives instead.
Honestly, if it ain't broken, don't try to fix it. Trying to remove those accounts might end up breaking something critical.
Here’s a note from Microsoft:
The 'Act as part of the operating system' permission is quite powerful, allowing users to take full control of a device. It’s advised to restrict this permission to as few accounts as possible. Typically, it shouldn’t even include the Administrators group. Instead, when a service needs this privilege, you should configure it to run under the Local System account, which already has the necessary rights. Removing those accounts shouldn’t have much impact since the 'Act as part of the operating system' is rarely needed by anything other than Local System.
Did you do a quick search online? Sometimes, a simple Google search can yield some great insights!
I really wouldn’t recommend doing that. Instead of removing them, it’s better to secure these accounts. You can refer to Microsoft's guidelines on securing built-in administrator accounts for best practices.

Totally agree! In my experience, messing with built-in accounts can lead to unexpected issues that are tough to troubleshoot. Best stick to Microsoft's recommendations.
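
An added example, not part of any answer above: before changing the 'Act as part of the operating system' assignment discussed in the Microsoft note, this PowerShell sketch lists which accounts currently hold it. It assumes an elevated prompt on the server, uses `SeTcbPrivilege` (the constant name of that user right) and `secedit /export`; the function name `Get-UserRightHolder`, the temp file name and the sample lines are made up for the example.

```powershell
# Added example: who holds "Act as part of the operating system" (SeTcbPrivilege)?
function Get-UserRightHolder {
    param(
        [string[]]$InfLines,                 # lines of a secedit /export file
        [string]$Right = 'SeTcbPrivilege'    # constant name of the user right
    )
    $inSection = $false
    foreach ($line in $InfLines) {
        # Track which INF section we are in; only [Privilege Rights] matters.
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match "^\s*$([regex]::Escape($Right))\s*=\s*(.*)$") {
            foreach ($entry in ($Matches[1] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                if ($entry.StartsWith('*')) {
                    # Entries prefixed with * are SIDs; try to resolve them to a name.
                    $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
                    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $name = '(unresolved)' }
                    [pscustomobject]@{ Right = $Right; Sid = $sid.Value; Account = $name }
                } else {
                    # Entries without * are written as plain account names.
                    [pscustomobject]@{ Right = $Right; Sid = $null; Account = $entry }
                }
            }
        }
    }
}

# Live check: export the user rights currently in effect on this machine.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$holders = @(Get-UserRightHolder -InfLines (Get-Content -Path $cfg))
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

if ($holders.Count -eq 0) {
    'SeTcbPrivilege is not assigned to any account in the exported policy.'
} else {
    $holders | Format-Table -AutoSize
}

# Constructed sample of an export, for trying the parser without secedit:
$sample = '[Unicode]', 'Unicode=yes', '[Privilege Rights]',
          'SeTcbPrivilege = *S-1-5-32-544',
          'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551'
Get-UserRightHolder -InfLines $sample | Format-Table -AutoSize
```

An empty result from the live check means the right has no explicit holders, which matches the configuration the Microsoft note recommends.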