feat: enabled locking for windows admins (#19145)

> Related issue: #18461

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Manual QA for all new/changed functionality
This commit is contained in:
Jahziel Villasana-Espinoza 2024-05-28 12:06:38 -04:00 committed by GitHub
commit ddcdaa61c0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 5 additions and 4 deletions


@ -0,0 +1 @@
- Adds the ability to automatically log off and lock out `Administrator` users on Windows hosts.
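
Review bot: The entry says "`Administrator` users" without saying whether that means the built-in account named Administrator or every account with administrative rights. The script change only removes a check on the literal name "Administrator", so the entry should name the built-in account explicitly. It would also help to state that after a lock no local account is left enabled by this script, so readers know that recovery depends on the unlock path.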


@ -1,10 +1,10 @@
# PowerShell script to log off all non-administrative users and disable their accounts
# Log off all non-administrative users
# Log off all users
$loggedOffUsers = @{}
Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false } | ForEach-Object {
$username = $_.LocalPath.Split('\')[-1]
if ($username -ne "Administrator" -and $username -ne $env:USERNAME -and -not $loggedOffUsers.ContainsKey($username)) {
if ($username -ne $env:USERNAME -and -not $loggedOffUsers.ContainsKey($username)) {
try {
$userSessions = query user | Where-Object { $_ -match "\b$username\b" }
foreach ($session in $userSessions) {
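
Review bot: The header comment on the first line of the script still reads "log off all non-administrative users and disable their accounts", which no longer matches the behaviour now that the `$username -ne "Administrator"` check is gone; please update it along with the section comments. Separately, `$username` is interpolated unescaped into the pattern in `-match "\b$username\b"`, so a profile name containing regex metacharacters, or one that appears as a word inside another session line, can match the wrong row of `query user` output. Wrapping it as `[regex]::Escape($username)` would make the match literal, which matters more now that the loop covers every profile on the host.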
@ -25,8 +25,8 @@ Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false }
}
}
# Disable all non-administrative local user accounts
Get-LocalUser | Where-Object { $_.Enabled -eq $true -and $_.Name -ne "Administrator" } | ForEach-Object {
# Disable all local user accounts
Get-LocalUser | Where-Object { $_.Enabled -eq $true } | ForEach-Object {
$username = $_.Name
Disable-LocalUser -Name $username
Write-Host "Disabled account for $username"
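
Review bot: In the filter `Where-Object { $_.Enabled -eq $true }` there is now no exclusion at all, so every enabled local account is disabled, including the one the script may be running as (the logoff loop above still skips `$env:USERNAME`, but this filter does not). Please confirm that the execution context and the unlock path do not rely on any local account staying enabled, and add a comment here saying so. `Disable-LocalUser -Name $username` is also called without a `try`/`catch` or `-ErrorAction Stop`, unlike the logoff loop, so a failure on one account can go unnoticed while `Write-Host "Disabled account for $username"` still prints; wrapping the call so the success message is only written when the disable succeeds would make the output trustworthy.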