Preventing the Power Users Group from Creating User Accounts

Source: Internet
Author: User
Tags: net command, NTFS permissions

1. Solution 1: Delete a registry key so that new users cannot be created.

Implementation Method:

Run regedt32.exe to open the registry and navigate to the key HKEY_LOCAL_MACHINE\SAM\Domains\Account\Groups

The Groups key is responsible for creating users. If you delete it, the system can no longer create users, let alone elevate one to Administrator. Before doing this, back up the key so that you can restore it if necessary.

Backup method: Right-click Groups, select "Export", give the exported file a name, and save it.

Note:

If, on opening the registry, you can see only the HKEY_LOCAL_MACHINE\SAM level and none of the keys below it, you do not have sufficient permissions. Right-click the key, select "Permissions", and set the currently logged-on user to "Allow: Full Control". Repeat at each level until the Groups key is visible. However, this method eliminates the concept of groups entirely: until the registry is restored, user groups cannot be managed. This method is therefore not recommended.

2. Implementation using Group Policy together with NTFS permissions on the NET command

There are three ways to create an account:

1. Call the net command through the command line

2. Users and groups in Computer Management

3. Create a user account through the control panel

Implementation Method:

1. Use the user policy in Group Policy to hide users and groups in Computer Management and user accounts in Control Panel.

Figure 1: Disabling the local users and groups properties

Figure 2: Computer Management menu after the user logs on to the system

2. Use the user policy in Group Policy to hide user accounts in Control Panel.

Figure 3: Disabling user accounts in Control Panel

Figure 4: Interface displayed after the user logs on to the system

3. Set the NTFS permissions on net.exe so that the Power Users group is denied access to the net.exe file in the C:\Windows\system32 directory of the system disk.

Figure 5: Permission settings for the net file

Figure 6: Effect of using the net command
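
One way to check for, and optionally apply, the deny entry from step 3 in PowerShell. This is an added example, not part of the original article: the parameter names `-Path` and `-Apply` are hypothetical, and denying Read & Execute is an assumption about which rights the dialog in Figure 5 denies. It also assumes the well-known SID S-1-5-32-547 for the built-in Power Users group and that the account running it is allowed to change the file's DACL.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# Assumption: S-1-5-32-547 is the well-known SID of BUILTIN\Power Users;
# using the SID avoids problems with localized group names.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\net.exe'),
    [switch]$Apply   # without -Apply the script only reports
)

$sid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-547'
$rights   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$deny     = [System.Security.AccessControl.AccessControlType]::Deny
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'

function Test-DenyAce {
    param([System.Security.AccessControl.FileSecurity]$Acl)
    # Explicit and inherited rules, with identities returned as SIDs
    $rules = $Acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $sid.Value -and
            $r.AccessControlType -eq $deny -and
            ($r.FileSystemRights -band $rights) -eq $rights) {
            return $true
        }
    }
    return $false
}

$acl = Get-Acl -LiteralPath $Path
if (Test-DenyAce $acl) {
    Write-Output "OK: Power Users is denied read/execute on $Path"
}
elseif ($Apply) {
    $rule = New-Object $ruleType -ArgumentList $sid, $rights, $deny
    $acl.AddAccessRule($rule)
    try {
        Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop
        $ok = Test-DenyAce (Get-Acl -LiteralPath $Path)
        Write-Output "Applied deny ACE; verified: $ok"
    }
    catch {
        # Fails when the current account may not change the file's DACL
        Write-Warning "Could not update ACL on ${Path}: $_"
    }
}
else {
    Write-Output "MISSING: no deny ACE for Power Users on $Path (use -Apply)"
}
```

Run without `-Apply` as a periodic audit; a "MISSING" result after the setting was applied means the ACL was reset or replaced.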

Conclusion: In this way, all three ways of creating a user are disabled, with both the policy and the NTFS permission applied to the user. If the computer develops a fault and you need to run the relevant programs, log on as the local Administrator, which is not affected by the policies or the NTFS permissions.


This article is from the "Ghost King" blog; please be sure to keep this source: http://ghostlan.blog.51cto.com/5413429/1301848
