Rename administrator account with Group Policy
The “Accounts: Rename administrator account” is a security policy setting that allows you to change the name of the built-in administrator account on a Windows system. By default, the built-in administrator account is named “Administrator”. Changing its name makes it more difficult for attackers to target this account for unauthorized access. In this article, you will learn how to rename the local administrator account using a GPO.
How to change local administrator account with GPO
To rename the administrator account using a Group Policy Object (GPO), you can follow these steps:
1. Open the Group Policy Management Console (GPMC) on a Domain Controller or a Management Server with the GPMC installed.
2. In the left pane of the GPMC, expand the domain that contains the target computers, and then select the Organizational Unit (OU) that contains the computers whose administrator account you want to rename.
3. Right-click the selected OU and select “Create a GPO in this domain, and Link it here”.
In our example, it’s the OU Desktops.
4. Give the new GPO a name.
Decide whether the new Group Policy Object (GPO) will hold computer policy settings, user policy settings, or both. If it’s a Computer Policy, we recommend placing a C_ before the group policy name. If it’s a User Policy, make it a U_. If the GPO will hold both computer and user policy settings, name it CU_.
- C stands for Computer Policy
- U stands for User Policy
- CU stands for Computer and User Policy
In our example, the GPO is a computer policy, so we give it the name C_RenameAdmin.
5. Right-click the newly created GPO and select Edit to open the Group Policy Editor.
6. In the Group Policy Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
7. In the right pane, find the Accounts: Rename administrator account policy setting, and double-click on it.
8. Enable the policy setting and enter the new name you want to give to the administrator account.
In our example, we will give it the name Operator.
9. Click OK to save the policy setting.
10. Close the Group Policy Editor, and then close the GPMC.
11. Wait for the Group Policy to be applied to the target computers, or run the gpupdate /force command on the target computers to force an immediate Group Policy update.
In our example, we run the command below on a Windows computer.
gpupdate /force
Verify rename administrator GPO change
After the Group Policy is applied, the built-in administrator account on the target computers is renamed to the new name you specified in the GPO. The renamed account retains its built-in privileges.
Important: This change only applies to the built-in administrator account, not to any other local or domain accounts on the target computers.
On the Windows computer, go to Computer Management > Local Users and Groups > Users.
Check that the policy successfully renamed the administrator account.
Everything looks great!
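To run the same check without opening Computer Management, the following added PowerShell example (not part of the original article) finds the built-in administrator by its well-known relative ID 500, which a rename does not change, and compares the account name with the one set in the GPO. The function name Test-AdminRename is hypothetical, and checking remote computers assumes WinRM is enabled on them.

```powershell
# Added example: confirm the rename GPO took effect by locating the built-in
# administrator through its well-known RID (500) instead of through its name.
function Test-AdminRename {
    [CmdletBinding()]
    param(
        # Name set in "Accounts: Rename administrator account" (the article uses Operator)
        [string]$ExpectedName = 'Operator',
        # Computers to check; defaults to the local machine
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    foreach ($computer in $ComputerName) {
        try {
            $cim = @{
                ClassName   = 'Win32_UserAccount'
                Filter      = 'LocalAccount = True'
                ErrorAction = 'Stop'
            }
            # Remote queries go over WinRM; the local machine is queried directly
            if ($computer -ne $env:COMPUTERNAME) { $cim.ComputerName = $computer }

            # The built-in administrator SID always ends in -500, whatever the name
            $admin = Get-CimInstance @cim |
                Where-Object { $_.SID -like 'S-1-5-21-*-500' }

            [pscustomobject]@{
                Computer    = $computer
                AccountName = $admin.Name
                Renamed     = ($admin.Name -eq $ExpectedName)
                Disabled    = $admin.Disabled
                Error       = $null
            }
        }
        catch {
            # Unreachable or access-denied hosts are reported, not silently skipped
            [pscustomobject]@{
                Computer    = $computer
                AccountName = $null
                Renamed     = $false
                Disabled    = $null
                Error       = $_.Exception.Message
            }
        }
    }
}

# Check the local computer against the name used in this article
Test-AdminRename -ExpectedName 'Operator' | Format-Table -AutoSize
```

Pass a list of computer names from the OU to -ComputerName to check several machines at once; rows where Renamed is False or Error is filled have not applied the policy yet.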
Now that you have renamed the local administrator account on all computers, configure Windows LAPS for maximum protection.
Conclusion
You learned how to rename the administrator account with a GPO. Start implementing this policy to protect your organization. Attackers who want to sign in with a local administrator account will try the standard “administrator” name. This time it will not work, and they can’t guess the local admin account name if you make it difficult.
Don’t change the “administrator” account name to something as easy as “admin” because that’s the next name the attackers will use. Always stay ahead and implement every possible measure in the organization to make it safer.
Hello ALI TAJRAN, good morning, how are you?
Another great tip, another layer of security for our environment. I have a question: What would be the impact of this change on the environment? Do I have to do this or notify someone or is this completely transparent to the end user?
There is no user impact.
You can always test the GPO on a single computer before applying it to all computers.
Remember to Configure Windows LAPS because that is the most essential configuration.