How to rename the local administrator with Group Policy - Mon, Nov 2 2015
Open the Active Directory Group Policy Management console, create a new GPO, and link it to your desired OU. Of course, you can also work with an existing GPO.
Linking a GPO to an OU
Right-click the new GPO or an existing GPO and select Edit. This will launch the Group Policy editor. Now, browse to the following Group Policy setting: Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.
Renaming the administrator account
As you can see in the screenshot above, right-click Local Users and Groups and then navigate to New > Local User.
On the next screen, you select the user name you would like to use for the administrator account:
Selecting the user name
Select the following:
Action – Select Update.
User name – Select Administrator (built-in).
Rename to – Enter the new user name.
Full name – Enter your desired name.
Description – Add a description (optional).
Password – Set a new password (optional).
Check boxes – Verify that the check boxes comply with your company policies.
The GPO is now configured and can be deployed in your network. The refresh interval for computer settings is 90 minutes. If you want to apply the GPO immediately on a client computer, open a command prompt and type gpupdate /force at the command line.
Alternatively, you can reboot the computer. If you are finding that a computer isn’t applying the policy, simply run gpresult /r at a command line to see whether your new GPO is listed:
Checking if the GPO has been applied
If it’s not listed or if you see a permission error message, go back to Active Directory Users and Computers and check the OU to which you have linked the policy. Also check whether the computer object actually sits in that OU. Perhaps the computer is in a different OU and therefore doesn’t pick up the policy.
Also check the GPO settings. In the Security Filtering section, ensure that the GPO is applied to Authenticated Users; in the Links section, verify that the correct OU is linked to the GPO:
GPO security filtering
If the policy is still not applied to some of your computers and you have checked all the above, then your domain controllers might not replicate the GPO properly.
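The steps above configure the rename through a Group Policy Preference, and the verification steps rely on gpresult /r and gpupdate /force. The script below is an added example for checking the result on a client; it is not code from the 4sysops article. It locates the built-in administrator by its well-known RID 500 rather than by name (the name is the very thing the policy changes), reports whether the expected name, enabled state and password age are in place, and checks whether the GPO appears in the applied computer policies, forcing a refresh if it does not. The GPO name 'Rename Local Admin' and the new account name 'LocalAdm' are placeholders, not values from the article. It needs an elevated session, because gpresult with /scope:computer requires it.

```powershell
# Added example (not from the 4sysops article): audit one client after the
# "rename built-in Administrator" Group Policy Preference has applied.
# Assumptions: the GPO is named 'Rename Local Admin' and the new account name
# is 'LocalAdm'; both are placeholders, change them to match your environment.
# Run in an elevated PowerShell session (gpresult /scope:computer needs it).

function Test-RenamedBuiltinAdmin {
    param(
        [string]$ExpectedName = 'LocalAdm',
        [string]$GpoName      = 'Rename Local Admin'
    )

    # Does the client list the GPO under "Applied Group Policy Objects"?
    $gpoListed = [bool](gpresult /r /scope:computer 2>&1 |
        Select-String -SimpleMatch $GpoName)

    # If not, force a refresh as the article describes, then look again.
    if (-not $gpoListed) {
        Write-Warning "GPO '$GpoName' not listed; running gpupdate /force"
        gpupdate /force /target:computer | Out-Null
        $gpoListed = [bool](gpresult /r /scope:computer 2>&1 |
            Select-String -SimpleMatch $GpoName)
    }

    # Locate the built-in administrator by its well-known RID (500), not by
    # name: the name is exactly what the policy changes, the SID never does.
    # Read it after the refresh so a just-applied rename is reflected.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $builtin) { throw 'Built-in administrator (RID 500) not found.' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        BuiltinSid      = $builtin.SID.Value
        CurrentName     = $builtin.Name
        RenameApplied   = ($builtin.Name -eq $ExpectedName)
        Enabled         = $builtin.Enabled
        PasswordLastSet = $builtin.PasswordLastSet
        GpoListed       = $gpoListed
    }
}

Test-RenamedBuiltinAdmin
```

Checking by SID is what makes the audit reliable: if RenameApplied is false while GpoListed is true, the preference item reached the machine but did not change the account, which points at the item itself (wrong target account, apply-once flag) rather than at linking or filtering. The Enabled and PasswordLastSet fields let the same pass confirm the stronger posture the comments below recommend, a disabled built-in account or one whose password is rotated.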
If you’ve installed the updates for MS14-025, the password option is going to be grayed out in the GPMC’s password field for Group Policy Preferences. Also, renaming the local Admin is a big bone of contention in the IT world. Having done some Red Team work, dealing with a renamed Administrator is usually a minor annoyance more than anything else. If you have local console access, you can run “net user” and see all the local users on the system. I prefer having the account disabled or on a rotating password with LAPS.
We take the same measures, but added a few extras like adding a dummy admin account as a sinkhole, and renaming the disabled account anyway.
Use the Local Users and Groups method if you want to avoid 4098 events with “0x80070524 The specified account already exists.” every time the GPO applies after the initial rename. Sure, you can check the box to only apply once, but then if someone subsequently renames that account, it won’t rename it back to the desired name.
The clean way is via Local Policy/Security Options: “Account: Rename administrator account”. Oh, and remember to use LAPS, as mentioned by another, to rotate that password routinely.