In this article, Desai demonstrates how to rename the administrator account using GPO (Group Policy). He walks through the process of creating a GPO and linking it to an OU to rename the local administrator account on domain-joined computers.
After a Windows installation, the built-in Administrator account is disabled by default. It is recommended not to log in with the built-in administrator account and to use an individual administrative account instead. Though the administrator account can be enabled through various methods, doing so is generally not advised unless absolutely necessary.
Renaming the administrator account can help decrease the likelihood of brute force attacks and improve security in an Active Directory network. Group Policy makes it easy to rename the administrator account on all computers in the AD domain.
Why should the Local Administrator Account be renamed?
Administrator accounts are present on all Windows 10 and Windows 11 desktop editions (Home, Pro, Enterprise, and Education) and have privileged access to systems. As a recommended security practice, renaming the account can make it more challenging for attackers to guess the username and password combination.
Steps to Rename the Administrator Account using GPO
To rename the administrator account using Group Policy, first, launch the Group Policy Management console on the server. Domain administrators can log in to either the domain controller or a member server with GPMC installed.
Two important points that Desai highlights are:
- Do not edit the default domain policy in this case, as the settings will apply to the entire AD domain.
- The best practice in many organizations is to create a new GPO and apply it to a selected OU.
In the Group Policy Management console, expand the domain and navigate to Group Policy Objects. First, create a new GPO that will rename the built-in administrator account and then link this GPO to an OU. Right-click Group Policy Objects and select New.
Enter the GPO name as “Rename Local Administrator” and click OK.
The newly created GPO should be found under Group Policy Objects. Right-click the Rename Local Administrator GPO and select Edit.
In the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options. In the right pane, look for the policy Accounts: Rename administrator account. Right-click this policy setting and select Properties.
Accounts: Rename administrator account: This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. The BUILTIN\Administrator account always has a relative identifier (RID) of 500. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged username and password combination.
On the rename administrator account properties window, check the option “Define this policy setting” and enter the local administrator name. Ensure the administrator name doesn’t include any symbols or special characters. Click Apply and OK. Close the group policy management editor.
Link the Group Policy Object to OU
It is necessary to apply or link the GPO created in the previous step to an OU. It’s best to test the policy on a small group of computers before expanding it to a larger group, though it can be linked to the entire domain if necessary. Right-click an OU in the Group Policy Management console and select “Link an Existing GPO.”
Select the GPO to link it to the OU. In this case, choose “Rename Local Administrator” and link it to the OU. Click OK.
In the Scope tab, the GPO's security filtering is left at its default of Authenticated Users, so every computer in the linked OU receives it.
Update Group Policy and Verify the GPO on Client Computers
In this step, the group policy on computers will be refreshed, and it will be verified if the GPO has renamed the administrator account. By default, the Group Policy update interval is 90 minutes for AD domain-joined computers, and the Group Policy Refresh Interval can be modified if required.
To force a group policy update on a client computer, launch the command prompt as an administrator and run “gpupdate /force.” This forces an update of all policies applicable to the computer. Desai has also written an article on different methods to update group policy on remote computers, which can be helpful here.
To find the administrator account, the Local Users and Groups console can be opened, or simply run the command “lusrmgr.msc.” Select the Users folder, and all the accounts created on the computer, including the renamed administrator account, will be displayed. The guide on how to rename the administrator account using GPO is now complete.
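The same procedure in PowerShell, as an added example that is not code from Desai's article: New-RenameAdminGpo creates and links the GPO from a host with the GroupPolicy RSAT module (the "Accounts: Rename administrator account" value itself is still set in the Group Policy Management Editor, since no GroupPolicy cmdlet writes Security Options), and Test-BuiltinAdminRename runs elevated on a client in the linked OU and checks the result by the well-known RID 500 rather than by name. The OU path and the account name LocalAdmin are constructed sample values.

```powershell
# Added example; not part of the original article. Sample values are marked.

function New-RenameAdminGpo {
    param(
        [string]$GpoName  = 'Rename Local Administrator',
        [string]$TargetOu = 'OU=Workstations,DC=example,DC=local'  # sample OU
    )
    Import-Module GroupPolicy
    # Create the GPO only if it does not already exist, then link it to the OU.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction Stop
    return $gpo
}

function Test-BuiltinAdminRename {
    param(
        [string]$ExpectedName = 'LocalAdmin',                     # sample name
        [string]$GpoName      = 'Rename Local Administrator'
    )
    # Force a computer policy refresh so the Security Options setting applies now.
    gpupdate /target:computer /force | Out-Null
    # Confirm the GPO is in the applied set for this computer.
    $applied = (gpresult /r /scope:computer) -match [regex]::Escape($GpoName)
    # Renaming changes only the account name; the SID still ends in -500,
    # so locate the built-in account by RID instead of trusting the name.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    [pscustomobject]@{
        GpoApplied   = [bool]$applied
        CurrentName  = $builtin.Name
        Renamed      = ($builtin.Name -eq $ExpectedName)
        StillDefault = ($builtin.Name -eq 'Administrator')
        Enabled      = $builtin.Enabled
        SID          = $builtin.SID.Value
    }
}
```

Because the RID-500 lookup ignores the display name, the same function also catches computers where the policy did not apply and the account is still called Administrator.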