Skip to main content

The “Accounts: Rename administrator account” is a security policy setting that allows you to change the name of the built-in administrator account on a Windows system. By default, the built-in administrator account is named “Administrator”. Changing its name makes it more difficult for attackers to target this account for unauthorized access. In this article, you will learn how to change the local administrator account using GPO.

 

How to change local administrator account with GPO

To rename the administrator account using a Group Policy Object (GPO), you can follow these steps:

1. Open the Group Policy Management Console (GPMC) on a Domain Controller or a Management Server with the GPMC installed.

2. In the left pane of the GPMC, expand the domain that contains the target computers, and then select the Organizational Unit (OU) that contains the computers whose administrator account you want to rename.

3. Right-click the selected OU, select Create a GPO in this domain, and Link it here.

In our example, it’s the OU Desktops.

Create rename administrator GPO

4. Give the new GPO a name.

Is the new Group Policy Object (GPO) a user or computer policy? Or will you place user and computer policy settings in the GPO? If it’s a Computer Policy, we recommend placing a C_ before the group policy name. If it’s a User Policy, make it a U_. Do you want to add computer and user policy settings in a new group policy object? Name it CU_.

  • C stands for Computer Policy
  • U stands for User Policy
  • CU stands for Computer and User Policy

In our example, the GPO is a computer policy, so we give it the name C_RenameAdmin.

Name the GPO

5. Right-click the newly created GPO and select Edit to open the Group Policy Editor.

Edit RenameAdmin GPO

6. In the Group Policy Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

7. In the right pane, find the Accounts: Rename administrator account policy setting, and double-click on it.

Open Accounts:Rename administrator account policy setting

8. Enable the policy setting and enter the new name you want to give to the administrator account.

In our example, we will give it the name Operator.

9. Click OK to save the policy setting.

Change local account administrator policy name

10. Close the Group Policy Editor, and then close the GPMC.

11. Wait for the Group Policy to be applied to the target computers, or run gpupdate /force command on the target computers to force an immediate Group Policy update.

In our example, we run the below command on a Windows computer.

gpupdate /force

Verify rename administrator GPO change

After the Group Policy is applied, the built-in administrator account on the target computers will be renamed with the new name you specified in the GPO. The renamed account will still retain its built-in privileges.

Important: This change only applies to the built-in administrator account, not to any other local or domain accounts on the target computers.

Go on the Windows computer to Computer Management > Local Users and Groups Users.

Check that the policy successfully renamed the administrator account.

Verify local account administrator

Everything looks great!

Now that you did rename the local administrator account on all computers, configure Windows LAPS for maximum protection.

 

Leave a Reply