refurbmike said:
> We're trying to limit our liability and security holes by restricting the
> computers to only one account. By default, Windows requires one account in
> addition to the default Administrator account.

Many non-Home versions do not actually require this, but it is very, very
bad practice to either disable the Administrator account or to use it as the
primary - or only - account. The Admin account should only be used for
required maintenance, in order to protect it - and you.

When your one account corrupts, you then have virtually no option but to
remove the drive and scrape the data off it, then put it back, wipe it
during a clean install and then restore the data. Ever timed that?

Instead, you could have just popped by their station, logged into the Admin
account, created a new user account, migrated the data, and had the user
back and working in under an hour.

> We'd like to have one or the
> other - since we're plugging these computers into a domain, multiple local
> accounts on a computer are wasted loopholes.

I'm not sure that's really correct. You'll perhaps note that Linux and
Unix machines also use multiple accounts, and while the built-in Root
accounts certainly exist, they aren't regarded as "wasted loopholes".

> Is there a way to disable one or the other? Preferably the user accounts.

As noted here and elsewhere, this is a very bad idea. You're asking for
real problems and time-consuming solutions later.

Here's the thing: when these problems arise, and they will, it's *you* that
will look bad because the user is forced to do nothing for a day instead of
an hour. If that user is high-ranking, they will be concerned about
this.

Instead, establish a quality password routine for the Admin accounts. Use
strong passwords, don't give them out, and change them regularly. Visit
the account occasionally and check for last login time.
HTH
-pk
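
One way to carry out the "check for last login time" and "change them regularly" routine from the reply above, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, run from an elevated prompt on the workstation; the 90-day password age threshold is an assumed policy value.

```powershell
# Added example: audit local accounts on a workstation.
# Assumed policy threshold (not from the post): flag passwords older than this.
$MaxPasswordAgeDays = 90

$report = Get-LocalUser | ForEach-Object {
    # PasswordLastSet is empty when no password has ever been set.
    $pwdAge = if ($_.PasswordLastSet) {
        [int]((Get-Date) - $_.PasswordLastSet).TotalDays
    } else {
        $null
    }

    [pscustomobject]@{
        Name            = $_.Name
        # The built-in Administrator keeps a SID ending in -500 even if renamed.
        BuiltInAdmin    = $_.SID.Value -like 'S-1-5-21-*-500'
        Enabled         = $_.Enabled
        # Empty LastLogon means the account has never been used interactively.
        LastLogon       = $_.LastLogon
        PasswordAgeDays = $pwdAge
        # Stale = never set, or older than the assumed threshold.
        PasswordStale   = ($null -eq $pwdAge) -or ($pwdAge -gt $MaxPasswordAgeDays)
    }
}

# Built-in Administrator first, then the remaining local accounts.
$report | Sort-Object BuiltInAdmin -Descending | Format-Table -AutoSize

# Everyone holding local admin rights (S-1-5-32-544 is the local
# Administrators group), including domain groups added after the join.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

A `LastLogon` on the built-in Administrator that does not match a known maintenance visit is the thing to follow up on.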