There are two admin groups, the netwrok one which you cannot change without hacking the network and the local Windows one which has nothing to do with the network login. It is the latter I am changing.
I dunno if a GPO could be written to check and change the local account settings (wouldn't this in itself be a security flaw in Windows?) but it's never happened on the numerous PCs I've done this on at several major companies.
No I understand perfectly, IT departments spend all say fixing printers and setting up new logins. They aren't wasting their time investigating the users or implementing protection against very rare 'threats'.
As I said above, I have done this "in the big wild world" and never been told off or 'caught'.
Haven't done this for ages now so can't remember the exact tool name but I'll try and dig out the old CD I made (if I can find it). I do remember though that the password extractor only worked if the admin password is less than 14 characters (past 14 Windows uses a different method for storing it), luckily in my case the password was less and the same for every machine in our building.