How to disable the Power Users group to establish user rights

1. Scenario One: Users cannot create new user by deleting registry key values

Implementation method:

Run Regedt32.exe open the registry and open the directory hkey_local_machine\sam\sam\domains\account\groups

This is the groups is responsible for the establishment of users. Delete it, the system can not establish users, not to mention promoted to administrators. So, before you do this, you have to make a backup and you can restore it if necessary.

Backup method: Right click groups Select "Export", give the exported file a name, save good, it can be.

Description

If you enter the registry, you can only see the hkey_local_machine\sam level of the directory, the others are not visible. That is because you have insufficient authority, right click on the corresponding directory to select "Permissions", the current logged-in user set to "Allow Full Control" on it. And so on, until you find the groups directory. However, this approach completely eliminates the concept of group, and is not recommended until the registry is restored and the user group cannot be manipulated.

2. NTFS permissions implementation through Group Policy with net command

From the path to account creation, there are three ways to create accounts:

1, invoking the net command from the command line

2. Users and groups in the Computer Management

3. Create via Control Panel user account

Implementation method:

1. Through the user policy in the strategy to hide Computer Management users and groups in the Control Panel and user accounts, as shown in figure:

Figure one policy disables local user and group properties

Figure two user Login system Computer Management menu