This step-by-step tutorial explains how to rename the local admin account and change the administrator password on client computers using Group Policy (GPO). You can minimize the chances of misuse of these accounts by renaming them.
In this tutorial, we will use two Group Policy Objects: one to rename the local Administrator account and one to change the Administrator's password. You can also do both using a single GPO.
First, we will create a GPO for renaming the Administrator account. The settings for changing the Administrator and Guest account names are in the same location, so you can use both of them or only the Administrator one. However, on Windows 10 clients the Administrator and Guest accounts are disabled by default. You can enable both of them, or either one, using Group Policy.
A) Rename Local Admin Account Using GPO
First of all, we have to create a new GPO for renaming the local admin account. To create a Group Policy Object (GPO) that changes the administrator and guest account names, follow the steps shown below:
Step 1: Create a New GPO
Start the Group Policy Management snap-in. To do so, go to Run, type gpmc.msc and press Enter. This will open the Group Policy Management Console.
In the console tree, right-click on Group Policy Objects and select New to create a new Group Policy Object. This GPO will not be linked to any Organizational Unit by default. We will link this GPO to the desired OU later.
Now, type a suitable name for your newly created GPO. You can choose a name according to your convenience and the naming policy used in your organization. In this tutorial, we have named this GPO ‘RenameAdminAccount‘.
Step 2: Define GPO Settings to Rename Administrator Account
After creating the GPO, it’s time to define its settings. To edit the Group Policy Object’s settings, right-click on it and select Edit…
Now, you can define settings for your newly created GPO. Go to the following path in Group Policy Editor:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Here on the right side, you will find the settings for changing the names of the Administrator and Guest accounts. To rename the local admin account using GPO, double-click on the policy setting named ‘Accounts: Rename Administrator account‘.
In the policy settings window, go to the Security Policy Setting tab. Here, check the box next to Define this policy setting. Next, in the text box under it, provide the new name for the Administrator account. Click on Apply and OK to close.
INFO: You can follow same process for renaming Guest account as well. Double-click ‘Accounts: Rename guest account‘ policy settings, click to select the Define this policy setting check box. And then, type the new name that you want to use for the guest account. Click OK.
Step 3: Enable the Administrator Account
There is one more setting that we need to change. In order to use the Administrator account on client computers, we must enable it first, because the Administrator account may be disabled on client computers. We will use the ‘Accounts: Administrator account status‘ policy to change the status of the Administrator account to Enabled.
Double-click ‘Accounts: Administrator account status’ setting and check the box next to Define this policy setting. Then, click on radio button next to Enabled. Finally, click Apply and OK to save the settings.
Now you can close the Group Policy Editor snap-in. In Group Policy Management Console, select the newly created policy. Next, click on the Settings tab in the right pane to see the settings defined for the policy.
Step 4: Link the GPO to OU and Update Policy
Now our GPO to rename the local admin account is ready for deployment. Right-click on the OU that contains the computers (PCs in our case) and select Link an Existing GPO…
In the next window, you can select from the list of available GPOs. Select the recently created ‘RenameAdminAccount‘ GPO and click OK to link it to the selected OU.
Now ‘RenameAdminAccount‘ GPO has been linked to the selected OU (PCs). Policy will update on clients during next GPUpdate cycle. This policy doesn’t require the client PC to be restarted. For testing purpose, you can manually update the policy on client computer by using
After updating the policy on the client computer, you can see that the name of the Administrator account has been changed to what we defined in the Group Policy Object, Super_user in our case.
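An added check (not part of the original tutorial) to run in PowerShell on a client once the policy has applied. It finds the built-in Administrator and Guest accounts by their fixed RIDs (500 and 501) instead of by name, so it reports the current name and enabled state whatever the GPO assigned; the RID does not change when the account is renamed. The variable $expectedAdminName is an assumption set to this tutorial's Super_user.

```powershell
# Added example: verify the rename and account status set by the GPO.
# Assumption: Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
$expectedAdminName = 'Super_user'   # name defined in the GPO in this tutorial

# Local accounts have SIDs of the form S-1-5-21-<machine id>-<RID>.
# RID 500 is the built-in Administrator, RID 501 the built-in Guest.
$builtin = Get-LocalUser |
    Where-Object { $_.SID.Value -match '^S-1-5-21-.+-(500|501)$' }

foreach ($acct in $builtin) {
    $rid = [int](($acct.SID.Value -split '-')[-1])
    $isAdmin = ($rid -eq 500)

    [pscustomobject]@{
        Account         = if ($isAdmin) { 'Built-in Administrator (RID 500)' }
                          else          { 'Built-in Guest (RID 501)' }
        CurrentName     = $acct.Name
        Enabled         = $acct.Enabled
        PasswordLastSet = $acct.PasswordLastSet
        # Only the Administrator name is compared; the Guest rename is optional.
        MatchesPolicy   = if ($isAdmin) { $acct.Name -eq $expectedAdminName }
                          else          { $null }
    }
}
```

If MatchesPolicy is False for the RID 500 account, the GPO has not applied to this computer yet.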
B) Reverting the Changes (Rename local Admin account to default)
If you clear the Define this policy setting check box in the Rename administrator account policy, the name of the local admin account will not be changed back to the default (administrator). It will remain the same as we defined in the policy (Super_user). To fix this, we first need to rename the local admin account to the default (administrator) using the GPO, and then remove the policy.
Step 1: Restore Default Name of Admin Account
- Right-click on RenameAdminAccount policy and select Edit. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Double-click on Accounts: Rename administrator account policy in the right pane.
- Make sure Define this policy setting box is checked. Then remove Super_user and type Administrator in the text box and click OK.
- Now update the policy on client computers. You can run gpupdate on the client computer and check the local admin account’s name by using the net user command.
INFO: Similarly you can rename Guest account to default by using Accounts: Rename guest account policy setting.
Step 2: Unlink and Delete the Policy
After successfully restoring admin account name to default, you can now unlink or delete RenameAdminAccount policy. You can also keep the policy for future use and make it ineffective by unlinking it.
- In Group Policy Management Console, right-click on RenameAdminAccount Policy and select Edit.
- Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Double-click Accounts: Rename administrator account in the right pane. Next, clear the Define this policy setting check box. Finally, click OK to save.
- Next, click OK and quit the Group Policy Object Editor (GP Editor) console.
C) Change Local Administrator Account’s Password Using GPO
There are no native and fully secure methods to change Administrator password in Active Directory. However, there are several third-party software products that provide this facility, but most of them are paid.
Any method that claims to be more secure for changing the Administrator password requires schema modifications, and this is not recommended for AD beginners. However, if you have a small AD setup whose users have little or no understanding of IT, then you can use the following script method to change the local Administrator password.
However, this method is very vulnerable, because the script used for changing the password stores the password in plain text, and the script is kept in the SYSVOL folder. The SYSVOL folder is shared and accessible to everyone over the domain. Use this method at your own risk.
Step 1: Create Policy to Change Local Admin Password
Open Group Policy Management console and select Group Policy Objects. Right-click on it and select New to create a new Group Policy Object. Provide the name for this new GPO. We have used ‘ChangeLocalAdminPassword‘ name in this tutorial.
Right-click on newly created policy object and select Edit.
Step 2: Define Policy Settings
Now in Group Policy Editor snap-in go to following path.
Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
On the right pane, you will find options to run scripts on Startup and Shutdown.
Double-click on Startup to add a script to Windows Startup. In Startup properties, click on the Add.. button.
A new Add a Script dialog will open. Click on the Browse button next to Script Name:
Step 3: Create New Script in Startup Scripts Folder
Remember, we still don’t have any script created for changing the Administrator password. After you click on the Browse button, it will open a Browse window in the default policy scripts folder. We can easily create a batch script here and then add that script to Startup.
Right-click on blank space in the Browse window and select New > Text Document.
Name this new text document ‘ChangeAdminPassword.txt‘. You can name it anything; we have used this name to make it relevant to changing the local admin password.
Step 4: Edit Text File and Create Batch Script
Right-click and select Edit to edit this text document. DON’T DOUBLE-CLICK ON IT, AS IT WILL BE SELECTED AS THE STARTUP SCRIPT WITHOUT ANYTHING IN IT.
In the text document, type the following lines to change the Administrator password.
@echo off
net user Super_user [email protected]!23$
exit
net user is the command for managing user accounts. Super_user is the Administrator username as we have changed it, and [email protected]!23$ is the new password for the administrator account.
Save this document by pressing Ctrl + S. Also change the name of the script from ‘ChangeAdminPassword.txt‘ to ‘ChangeAdminPassword.bat‘. This will make it an executable batch script, which will be used to change the local admin password on client computers.
When you change the file extension from .txt to .bat, Windows will show a warning. Click Yes to continue.
Now our script is ready. Select this newly created script in the Browse window and click Open.
The script name will show up in the Add a Script dialog. Click OK to close it.
Now you can see that the newly selected script is listed in Startup Properties. Click Apply and OK to continue.
Step 5: Link the GPO to Computers OU
Now our Group Policy Object to change local admin password is ready for deployment. Right-click on OU that contains the computers and select Link an Existing GPO…
Select ‘ChangeLocalAdminPassword‘ GPO and click on OK.
GPO for changing Local Administrator password has been linked successfully to selected OU. Now it’s time for testing it.
Step 6: Update Policy on Client Computers
Go to the client computer and run the gpupdate command in Command Prompt. Alternatively, simply press the Windows + R keys, type gpupdate and press Enter. Group Policy will be updated on that client.
After updating Group Policy on the client computer, it’s time to check whether the password has been changed. As defined in the GPO, the script that changes the password is a startup script and runs only when Windows boots up. So, to get this policy executed, we need to reboot the client machine. Now, restart the client computer.
After a successful reboot, you will see the login screen asking for username and password. Enter the new name of the Administrator account, which we changed using the previous Group Policy. In this tutorial, we used the GPO to rename the local admin account to Super_user, so we have used .\Super_user as the username and the password defined in the script to log in.
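Because the startup script created above sits in SYSVOL with the password on its command line, an audit for such scripts is worth running before and after using this method. The following PowerShell is an added example, not part of the original tutorial: it lists script lines under SYSVOL of the form "net user <account> <password>" and reports only the password length. The \\<domain>\SYSVOL\<domain> share path and the file extensions scanned are assumptions to adjust for your environment.

```powershell
# Added example: find scripts in SYSVOL that set an account password inline.
param(
    # Assumption: run from a domain-joined machine; pass -Domain to override.
    [string]$Domain = $env:USERDNSDOMAIN
)

# GPO startup scripts live under Policies\{GUID}\Machine\Scripts\Startup;
# scanning the whole share also covers the legacy scripts (NETLOGON) folder.
$sysvol = "\\$Domain\SYSVOL\$Domain"

# Matches "net user <account> <secret>". The secret must not start with "/"
# (a switch such as /add or /active:yes) or "*" (interactive prompt).
$pattern = '^\s*net1?(?:\.exe)?\s+user\s+(?<account>"[^"]+"|\S+)\s+(?<secret>[^/\s*]\S*)'

$findings = Get-ChildItem -Path $sysvol -Recurse -File `
                -Include *.bat, *.cmd, *.ps1, *.vbs -ErrorAction SilentlyContinue |
    Select-String -Pattern $pattern |
    ForEach-Object {
        $m = $_.Matches[0]
        [pscustomobject]@{
            File         = $_.Path
            Line         = $_.LineNumber
            Account      = $m.Groups['account'].Value
            # Report the length only; never copy the secret into audit output.
            SecretLength = $m.Groups['secret'].Value.Length
            LastWrite    = (Get-Item -LiteralPath $_.Path).LastWriteTime
        }
    }

$findings | Sort-Object File, Line | Format-Table -AutoSize
'{0} script line(s) with an inline password under {1}' -f @($findings).Count, $sysvol
```

Any account reported here should have its password treated as known to every domain user: remove the script from the GPO and set a new password by a method that does not store it in SYSVOL.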
Rename Local Admin Account and Change Its Password Using GPO
The above tutorial explained how to rename the local Administrator and Guest accounts on computers in a domain. It is a good idea to minimize the security risks from misuse of these default accounts. However, the script method to change the local Admin password is not very much recommended. But something is better than nothing. And the location at which the startup script is kept is shared, but the path is not known to everyone. So, it won’t be easy to find for normal users.