The best way to handle this is going to be to delete the local user accounts from the affected client computers. If the users know the local "Administrator" password on those machines, change it.
If the users' domain accounts have "Administrator" rights on the client computers, though, they can just create more local user accounts.
You could do this via a startup script if you don't want to perform this work manually. Here's a script to delete local user accounts:
Option Explicit
Dim dictUsersToIgnore, objNetwork
Dim colSourceAccounts, objSourceUser
' Debugging
Const DEBUGGING = True
' Source and destination computers
Const SOURCE_COMPUTER = "."
' Constants for comparison of accounts to ignore list
Const MATCH_EXACT = 1
Const MATCH_LEFT = 2
' Accounts to ignore during copying
Set dictUsersToIgnore = CreateObject("Scripting.Dictionary")
dictUsersToIgnore.Add "SUPPORT_", MATCH_LEFT
dictUsersToIgnore.Add "IUSR_", MATCH_LEFT
dictUsersToIgnore.Add "IWAM_", MATCH_LEFT
dictUsersToIgnore.Add "Administrator", MATCH_EXACT
dictUsersToIgnore.Add "Guest", MATCH_EXACT
dictUsersToIgnore.Add "HelpAssistant", MATCH_EXACT
dictUsersToIgnore.Add "ASPNET", MATCH_EXACT
' Should this account be ignored
Function IgnoreObject(Name, dictNames)
Dim strToIgnore
IgnoreObject = False
For Each strToIgnore in dictNames
' Match Exact
If (dictNames.Item(strToIgnore) = MATCH_EXACT) and (UCase(Name) = UCase(strToIgnore)) Then
IgnoreObject = True
Exit Function
End If
' Match left
If (dictNames.Item(strToIgnore) = MATCH_LEFT) and (Left(UCase(Name), Len(strToIgnore)) = UCase(strToIgnore)) Then
IgnoreObject = True
Exit Function
End If
Next' strToIgnore
End Function
Set objNetwork = CreateObject("Wscript.Network")
' Get accounts on source computer and loop through them, copying as necessary
Set colSourceAccounts = GetObject("WinNT://" & SOURCE_COMPUTER)
colSourceAccounts.Filter = Array("user")
For Each objSourceUser In colSourceAccounts
If IgnoreObject(objSourceUser.Name, dictUsersToIgnore) = False Then
If (DEBUGGING) Then WScript.Echo "Deleting account: " & objSourceUser.Name
colSourceAccounts.Delete "user", objSourceUser.Name
Else
If (DEBUGGING) Then WScript.Echo "Ignoring account: " & objSourceUser.Name
End If
Next ' objSourceUser
Add any usernames that should not be deleted to the dictUsersToIgnore list. MATCH_EXACT means that the username is matched exactly. MATCH_LEFT means that only the leftmost portion of username will be matched (i.e. imagine that the name match has a "*" after it).
This script is suitable for assiging as an AD startup script. Be careful how you scope it-- it can really ruin your day if you run it in the wrong place.