Home / server / Questions / 500175
Accepted
Kevin
Asked: 2013-04-18 04:57:04 +0800 CST

Stop Windows from switching to local computer for "administrator"?

  • 772

Modern versions of Windows seem to have a "feature" wherein, at the login screen of a domain-joined machine, if "administrator" is entered as the username, it automatically switches from the domain to the local accounts. If you're trying to log in as "domain\administrator", you therefore always have to type in "domain", whereas this is not necessary for logging into any other domain account.

This is getting very annoying so I'm wondering if there is a way to disable this behaviour. Ideally I'd like to set group policy to stop it on all systems.

Web searches came up dry apart from the occasional mention of this "feature" as an annoyance.

windows

2 Answers

  1. Best Answer

    I've never seen a way to disable this, but then it's never been that much of an irritaton to me. My genuine answer is to use proper, allocated administration accounts with real user names. Not only is it best practise, but it solves this issue instantly.

    In my opinion, the Administrator domain admin account is there to get you started. After that, it should be disabled or given an extremely complicated password and left for emergencies only.

    • 5
    1. Local Administrator should always be renamed. There's a GPO setting for this.
      • Optionally you can disable or even delete the local admin account via GPO/GPP too.
    2. Nobody should ever be logging in with a generic Administrator account except for extreme emergencies. Nobody should even know the Domain Administrator password, two or more people should set it, write their portions on paper and seal it in an envelope.
    3. You should either have:
      • Your own user account, who is also a domain administrator (not preferred)
      • A user account, ie kevin. And a domain administrator account ie kevin-admin (preferred).
    • 4