STATUS_CANT_DISABLE_MANDATORY 0xC000005D Fix
This error means Windows won't let you disable a mandatory user group. It's a security block, not a corruption. Here's how to work around it.
What's really happening with 0xC000005D
You get this error because Windows Security Accounts Manager (SAM) or your Group Policy engine says “nope, that group is mandatory — you can't turn it off.”
This usually shows up when you're trying to disable a built-in security group like Everyone, Authenticated Users, BUILTIN\Administrators, or a domain group with the mandatory flag set. You see it in Local Users and Groups (lusrmgr.msc), Active Directory Users and Computers, or as a result from a net localgroup command.
Common triggers:
- You tried to disable Everyone via lusrmgr.msc on Windows 11 Pro or Windows Server 2022.
- You ran net localgroup Everyone /active:no and got the error.
- You saw it in a security audit log when a script tried to disable a group.
The fix isn't to force-disable the group — you can't. Mandatory groups exist for a reason. Instead, you need to remove the group from where it's causing trouble or change the policy that's enforcing it.
First cause: You're trying to disable a built-in mandatory group directly
This is the most common mistake. Groups like Everyone, Authenticated Users, and BUILTIN\Users are mandatory — Windows won't let you disable or delete them. That's by design. You don't actually need to disable them; you need to stop using them in permissions or policies.
How to fix this: Remove the group from permissions instead
- Open File Explorer and right-click the folder or file that's using the group.
- Go to Properties > Security tab.
- Click Edit to change permissions.
- Select the mandatory group (like Everyone) from the list.
- Click Remove — this doesn't delete the group, it just removes it from that object's ACL. After clicking Remove, you should see the group disappear from the list.
- Click Apply, then OK.
- Test that your intended users still have access. They will — you just removed an overly broad permission.
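The same ACL cleanup can be audited across a whole folder tree before anything is changed. The script below is an added example, not part of the original article: it reports explicit (non-inherited) ACEs for Everyone, Authenticated Users and BUILTIN\Users by their well-known SIDs and removes Allow entries only when -Remove is passed. The default path and the parameter names are assumptions.

```powershell
# Added example: find explicit ACEs that name broad built-in groups.
# $Root is a hypothetical path; the SIDs are the well-known values for
# Everyone, Authenticated Users and BUILTIN\Users.
param(
    [string]$Root = 'C:\Shares\Finance',   # hypothetical folder to audit
    [switch]$Remove                         # without this switch: report only
)

$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$sidType = [System.Security.Principal.SecurityIdentifier]

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Explicit ACEs only ($true), no inherited ACEs ($false), identities as SIDs.
    $hits = $acl.GetAccessRules($true, $false, $sidType) |
        Where-Object { $broad.ContainsKey($_.IdentityReference.Value) }
    if (-not $hits) { continue }

    $changed = $false
    foreach ($ace in $hits) {
        [pscustomobject]@{
            Path   = $item.FullName
            Group  = $broad[$ace.IdentityReference.Value]
            Type   = $ace.AccessControlType
            Rights = $ace.FileSystemRights
        }
        # Deny ACEs are reported but kept: removing a Deny can widen access.
        if ($Remove -and $ace.AccessControlType -eq 'Allow') {
            [void]$acl.RemoveAccessRuleSpecific($ace)
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Inherited entries are skipped on purpose: they have to be removed on the parent folder where they are defined.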
If you're trying to disable the group in a Group Policy Object (like “Deny log on locally” includes Everyone), don't disable the group — just remove that group from the policy setting. Here's how:
- Press Win + R, type gpedit.msc, press Enter.
- Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Find the policy that lists the mandatory group (e.g., “Deny log on through Remote Desktop Services”).
- Double-click it, select the group, click Remove. Click OK.
- Run gpupdate /force in Command Prompt as admin. After it completes, you should see “Computer Policy update has completed successfully.”
Second cause: The group is marked mandatory in Active Directory or local SAM
This is less common but happens when you've got a domain-joined machine or a server where an admin previously set a group's groupType attribute to include the GROUP_TYPE_MANDATORY flag (value 0x80000000). You can't change that flag through normal UI tools. But you can work around it.
How to fix this: Use PowerShell to unset the mandatory flag
Important: This only works for custom groups you created, not built-in ones like Everyone. If you try it on built-in groups, you'll get an access denied error — that's expected.
- Open PowerShell as Administrator.
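- Run this command to check the group's flags (replace GroupName with your group's name):
# Get-LocalGroup exposes SID but no GroupType property, so groupType is read through the WinNT ADSI provider
Get-LocalGroup -Name "GroupName" | Select-Object Name, Description, SID, @{n="GroupType";e={([ADSI]"WinNT://./$($_.Name),group").groupType.Value}}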
After running, you should see the GroupType — if it's -2147483648 (decimal for 0x80000000), the mandatory flag is set.
- To remove the mandatory flag, you need to use the ADSI provider (works on both domain and local SAM):
$group = [ADSI]"WinNT://./GroupName"
$group.Put("groupType", 0x00000002) # 0x00000002 = SECURITY_GROUP | GLOBAL_SCOPE (typical)
$group.SetInfo()
Replace GroupName with your group. The 0x00000002 value is a standard security group without the mandatory flag. You might need to adjust it based on your group's scope — for local groups, use 0x00000004 (local scope) or check existing groups with Get-LocalGroup.
After running SetInfo(), close PowerShell and reopen it. Then run Get-LocalGroup -Name "GroupName" again — the GroupType should no longer show the mandatory flag.
Caveat: If this is a domain group, use Active Directory Administrative Center (dsac.msc) instead. Open it, find the group, edit its Type from “Security Group – Mandatory” to “Security Group.” Click OK.
Third cause: The group is being enforced by a higher-priority domain Group Policy
If you're on a domain-joined machine, a domain Group Policy Object (GPO) might be re-adding the mandatory group to a setting every time you remove it locally. You remove Everyone from “Deny log on locally,” but after gpupdate, it's back. That's because a GPO is pushing it.
How to fix this: Override or edit the domain GPO
- Log into a domain controller or a machine with Group Policy Management Console installed.
- Open Group Policy Management from Start.
- Find the GPO that's applying the setting (it's usually in the OU where your computer resides).
- Right-click the GPO, choose Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Find the policy with the mandatory group (like “Deny log on through Remote Desktop Services”). Double-click it.
- Select the group, click Remove. Click OK.
- Close the editor, then in Group Policy Management, right-click the GPO and choose Enforced if you want it to apply immediately.
- On the target machine, run gpupdate /force from an elevated command prompt. After it finishes, wait 10 seconds, then run gpresult /r to verify the policy is no longer applying that group.
If you can't edit the domain GPO (maybe you're not a domain admin), the workaround is to create a local policy that overrides it. But local policies are always lower priority than domain policies — so the real fix is to get the domain GPO changed.
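To confirm which User Rights Assignment entries actually name a broad group, both for the local gpedit.msc procedure earlier and for the domain GPO case here, the effective settings can be exported and parsed. This is an added example, not from the original article; the function name and the temp file name are assumptions, and it relies on secedit writing well-known SIDs with a leading asterisk.

```powershell
# Added example, run from an elevated PowerShell prompt.
# Well-known SIDs as secedit writes them (prefixed with '*').
$broad = @{
    '*S-1-1-0'      = 'Everyone'
    '*S-1-5-11'     = 'Authenticated Users'
    '*S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadUserRight {
    # Temp file name is constructed here; secedit writes the export to it.
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

        $inRights = $false
        foreach ($line in Get-Content -LiteralPath $cfg) {
            # Track which INF section we are in; only [Privilege Rights] matters.
            if ($line -match '^\[(.+)\]\s*$') {
                $inRights = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inRights -or $line -notmatch '^\s*(\w+)\s*=\s*(.+)$') { continue }
            $right = $Matches[1]
            foreach ($member in ($Matches[2] -split ',')) {
                $member = $member.Trim()
                if ($broad.ContainsKey($member)) {
                    [pscustomobject]@{
                        Right = $right
                        Group = $broad[$member]
                        Sid   = $member.TrimStart('*')
                    }
                }
            }
        }
    }
    finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

Get-BroadUserRight | Sort-Object Right, Group | Format-Table -AutoSize
```

Run it once after removing the group and again after gpupdate /force; a row that comes back is being set by a domain GPO rather than by local policy.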
Quick-reference summary table
| Root cause | Best fix | Tools needed | Time estimate |
|---|---|---|---|
| Trying to disable a built-in mandatory group (e.g., Everyone) | Remove the group from permissions or policies instead | File Explorer, gpedit.msc | 5–10 minutes |
| Group flagged as mandatory in SAM or AD | Remove the mandatory flag via PowerShell or AD Administrative Center | PowerShell (admin), dsac.msc | 10–15 minutes |
| Domain GPO enforcing the group | Edit the domain GPO to remove the group from the setting | Group Policy Management Console | 15–30 minutes (depends on access) |
One last thing: if you're seeing this error in a log file and everything works fine otherwise, you can safely ignore it. The error is just Windows telling you a security boundary is working as designed. But if it's blocking a script or a configuration change, use the steps above to work around it.