To improve security in your Active Directory domain, you should rename the administrator account because this lowers the risk of brute force attacks. Renaming the administrator account and resetting its password on all computers in your AD domain can be easily done via Group Policy.

Open the Active Directory Group Policy Management console, create a new GPO, and link it to your desired OU. Of course, you can also work with an existing GPO.

Linking a GPO to an OU


Right-click the new GPO or an existing GPO and select Edit. This will launch the Group Policy editor. Now, browse to the following Group Policy setting: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.

Renaming the administrator account


As you can see in the screenshot above, right-click Local Users and Groups and then navigate to New > Local User.

On the next screen, you select the user name you would like to use for the administrator account:

Selecting the user name


Select the following:

Action – Select Update.

User name – Select Administrator (built-in).

Rename to – Enter the new user name.

Full name – Enter your desired name.

Description – Add a description (optional).

Password – Set a new password (optional).

Check boxes – Verify that the check boxes comply with your company policies.

The GPO is now configured and can be deployed in your network. The refresh interval for computer settings is 90 minutes. If you want to apply the GPO immediately on a client computer, open a command prompt and type gpupdate /force at the command line.

Alternatively, you can reboot the computer. If a computer isn’t applying the policy, run gpresult /r at a command line to see whether your new GPO is listed:

 Checking if the GPO has been applied


If it’s not listed or if you see a permission error message, go back to Active Directory Users and Computers and check the OU to which you have linked the policy. Also check whether the computer account is actually located in that OU. Perhaps the computer is in a different OU and therefore doesn’t pick up the policy.

Also check the GPO settings. In the Security Filtering section, ensure that the GPO is applied to Authenticated Users; in the Links section, verify that the correct OU is linked to the GPO:

GPO security filtering


If the policy is still not applied to some of your computers and you have checked all the above, then your domain controllers might not replicate the GPO properly.
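gpresult /r only tells you that the GPO was processed, not that the account now carries the new name. The following PowerShell function is an added example (not part of the original article) that looks up the built-in Administrator by its well-known RID 500 and reports its current name and state; the function name, the expected name 'ws-local-adm' and the computer names are assumptions, and remote checks assume PowerShell remoting (WinRM) is enabled.

```powershell
# Added example: audit the built-in Administrator (RID 500) on one or more computers.
# Requires Windows PowerShell 5.1+ (Get-LocalUser). Not applicable to domain
# controllers, which have no local accounts.
function Test-BuiltinAdminRename {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExpectedName,   # name set in "Rename to"
        [string[]] $ComputerName = @($env:COMPUTERNAME)
    )

    $probe = {
        # The built-in Administrator keeps a SID ending in -500,
        # whatever the account is currently called.
        Get-LocalUser |
            Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' } |
            Select-Object Name, Enabled, PasswordLastSet
    }

    foreach ($computer in $ComputerName) {
        try {
            $acct = if ($computer -eq $env:COMPUTERNAME) {
                & $probe
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop
            }
            [pscustomobject]@{
                Computer        = $computer
                AccountName     = $acct.Name
                Renamed         = ($acct.Name -eq $ExpectedName)
                Enabled         = $acct.Enabled
                PasswordLastSet = $acct.PasswordLastSet
                Error           = $null
            }
        } catch {
            # Unreachable host or remoting disabled: record it and continue the audit.
            [pscustomobject]@{
                Computer = $computer; AccountName = $null; Renamed = $false
                Enabled = $null; PasswordLastSet = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Constructed sample values; replace with your own account name and computers.
Test-BuiltinAdminRename -ExpectedName 'ws-local-adm' -ComputerName 'PC01', 'PC02' |
    Format-Table -AutoSize
```

Rows with Renamed = False and no Error are computers where the preference item has not taken effect; rows with an Error need connectivity fixed before they can be judged.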

3 Comments
  1.

    If you’ve installed the updates for MS14-025, the password option is going to be grayed out in the GPMC’s password field for Group Policy Preferences. Also, renaming the local Admin is a big bone of contention in the IT world. In having done some Red Team work, dealing with a renamed Administrator is usually a minor annoyance more than anything else. If you have local console access, you can run “net user” and see all the local users on the system. I prefer having the account disabled or on a rotating password with LAPS.

    • Arno Lutter 7 years ago

      We take the same measures, but added a few extras like adding a dummy admin account as a sinkhole, and renaming the disabled account anyway.

  2. Stuart 1 year ago

    Use the Local Users and Groups method if you want to avoid 4098 events with “0x80070524 The specified account already exists.” every time GPO applies after the initial rename. Sure you can check the box to only apply once, but then if someone subsequently renames that account, it won’t rename it back to the desired name.

    The clean way is via Local Policy/Security Options:- Account: Rename administrator account … oh, and remember to use LAPS as mentioned by another to rotate that password routinely.


© 4sysops 2006 - 2023
