- Using an account that has privileges to create new Group Policy Objects (GPOs), open the Group Policy Management Console on Windows 8 or Server 2012.
- Open the Group Policy Objects folder for the domain in which you would like to restrict the linking of Microsoft accounts.
- Create a new GPO and navigate to the following location in the GPO editor: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
- Double-click Accounts: Block Microsoft accounts. In the Properties dialog window, check Define this policy setting. Click the dropdown menu and select Users can’t add or log in with Microsoft accounts and then click OK.
- After the GPO has been created, right-click the domain or an OU and select Link an Existing GPO here to choose and enforce the GPO that was just created.
- Run the gpupdate /force command from the command line to update Group Policy, or simply wait for the policy to propagate on its own. The end result is that users can no longer link Microsoft accounts to computers under the Group Policy, and all PC Sync settings will be disabled.
What about doing it during image deployment? Yep- you can do that too. Let’s say you don’t have a Windows 2012 server or a Windows 8 machine. The easy way would be to build one, do the above steps, and import that policy into your domain, but there are obviously scenarios where I can’t do that. You may be thinking “Registry!”, but Microsoft’s GPO Reference says this is not a registry change… Well, if we want to do something during imaging, we’ll have to figure something out! Good news- it is actually a registry setting. While it may or may not be exactly what the GPO does, the REG_DWORD value NoConnectedUser located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is the key we’ve seen for the security policy “Accounts: Block Microsoft accounts”.
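Here is an added PowerShell example (not from the original post) of what the imaging-time version of this looks like: it reads the current NoConnectedUser value, sets it if needed, and then verifies the write. It assumes the default of 3 is the “Users can’t add or log in with Microsoft accounts” setting from Microsoft’s documentation of this policy, and it must run elevated because it writes to HKLM.

```powershell
# Added example: set and verify NoConnectedUser during image deployment,
# where the GPO editor is not available. Assumption: per Microsoft's
# documentation of "Accounts: Block Microsoft accounts", 3 = users can't
# add or log on with Microsoft accounts, 1 = can't add only, 0 = disabled.
param(
    [ValidateSet(0, 1, 3)]
    [int]$Desired = 3
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'NoConnectedUser'

function Get-NoConnectedUser {
    # Returns the current REG_DWORD value, or $null if it has never been set.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-NoConnectedUser {
    param([int]$Value)
    # The Policies\System key may not exist yet on a freshly imaged machine.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Type DWord keeps the value as REG_DWORD, which is what the policy reads.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value -Type DWord
}

$before = Get-NoConnectedUser
if ($null -eq $before) { Write-Host 'Before: not set' } else { Write-Host "Before: $before" }

if ($before -ne $Desired) {
    Set-NoConnectedUser -Value $Desired
}

# Read it back rather than trusting the write: a failed elevation or a
# redirected registry view would otherwise go unnoticed.
$after = Get-NoConnectedUser
if ($after -ne $Desired) {
    Write-Error "NoConnectedUser is '$after', expected $Desired"
    exit 1
}
Write-Host "NoConnectedUser = $after (compliant)"
```

Once the machine joins a domain, any linked GPO that defines this setting will overwrite the value at the next policy refresh, so treat the imaging-time write as a baseline and keep the GPO as the source of truth.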
The 3 acceptable settings: