This step-by-step tutorial explains how to change the administrator account name and password on client machines by using Group Policy in Windows Server 2012. This may be useful if you want to change the name of the administrator or guest user accounts to minimize the chance of misuse of these accounts.
In this tutorial, we will be using two Group Policy Objects each for Renaming Administrator account and Changing Administrator’s password. You can also do both using single GPO. First we will be creating a GPO for renaming Administrator account. Settings for changing Administrator and Guest accounts lies on the same location, so, you can use both of them or only administrator one. However on Windows 10, Administrator and Guest accounts are disabled by default, you can enable both of them or any one of them by using Group Policy.
1. How to Rename Administrator Account Using GPO?
To create a Group Policy object (GPO) to change the administrator and guest account names, follow the steps shown below:
Start the Group Policy Management snap-in. To do so, go to Run, type gpmc.msc and press Enter. This will open Group Policy Management Console.
In the console tree, right-click on Group Policy Objects and select New to create a new Group Policy Object. This object will not be linked to any Organizational Unit by default. We will link this GPO to desired OU later.
Give a name to your newly created GPO. You can give name as per your convenience and naming policy used in your organization. In this tutorial, we have named this GPO as ‘RenameAdminAccount‘.
After creating the GPO, it’s time to define it’s settings. To edit the Group Policy Object’s settings, right-click on it and select Edit…
Now, you can define settings for your newly created GPO. Go to following path in Group Policy Editor:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Here on the right side, you will find settings for changing names of Administrator and Guest accounts. To rename Administrator account using GPO, double-click on the policy setting with name ‘Accounts: Rename Administrator account‘.
In Policy settings window, on Security Policy Setting tab, check the box next to Define this policy setting and in the text box under it provide new name for Administrator account. Click on Apply and OK to close.
You can follow same process for renaming Guest account as well. Double-click ‘Accounts: Rename guest account‘ policy settings, click to select the Define this policy setting check box, and then type the new name that you want to use for the guest account. Click OK.
There is one more settings that we need to change. In order to use Administrator account on client computers, it must be enabled first. It may be possible that Administrator account is disabled on client computers. We will use ‘Accounts: Administrator account status‘ to change the status of Administrator account to Enabled.
Double-click ‘Accounts: Administrator account status’ setting, check the box next to Define this policy setting and click on radio button next to Enabled. Click Apply and OK to save the settings.
Now you can close the Group Policy Editor snap-in. In Group Policy Management Console, select newly created policy and on the right pane, click on Settings tap to see the settings you defined in steps above.
Now Our policy for renaming Administrator account is ready for deployment. In the Group Policy management console, right-click on the OU that contains computer accounts (in this tutorial OU name is PCs) and select Link an Existing GPO…
In the next window, you can select from the list of available GPOs. Select the GPO that we created recently ‘RenameAdminAccount‘ and click OK to link it to selected OU.
Now ‘RenameAdminAccount‘ GPO has been linked to the selected OU (PCs). Policy will be updated on client during next GPUpdate cycle. This policy doesn’t require the client PC to be restarted. For testing purpose, you can manually update the policy on client computer by using gpupdate command.
You can see after updating the policy on client computer, the name of Administrator account has been changed to what we defined in Group Policy Object, Super_user in our case.
2. Reversing the Changes (Changing the Admin account name to default)
If you try to reverse the changes to the administrator or guest account names by clearing the Define this policy setting check box in the Rename guest account or Rename administrator account dialog boxes, you may not be able to log on to the domain by using the default account names. Because that policy won’t make any changes to accounts. To resolve this issue, first restore the default account names using Group Policy, and then clear the Define this policy setting check box:
- Select and edit same policy that you used to change name of Administrator and Guest accounts, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
- In the right pane, double-click Accounts: Rename administrator account.
- Click to select the Define this policy setting check box, and then type Administrator in the text box where you typed new name for admin account earlier and click OK.
- Similarly you can rename Guest account to default by using Accounts: Rename guest account policy setting and then quit the Group Policy Object Editor snap-in.
- Now go to client computer, run gpupdate on it and check Administrator account name by using net user command.
After restoring account names to default, you can now go and unlink or delete that policy. In case you want to keep that policy but make it ineffective, you can follow these steps:
- Open the Group Policy Management Console, right-click the Group Policy object that you want, and then click Edit.
- Expand Computer Configuration, expand
Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
- In the right pane, double-click Accounts: Rename administrator account. Click to clear the Define this policy setting check box, and then click OK.
- Similarly double-click Accounts: Rename guest account. Click to clear the Define this policy setting check box, and then click OK.
- Click OK, and then quit the Group Policy Object Editor snap-in.
3. How to Change Administrator’s Password Using GPO?
There are no simple, easy to implement and fully secure methods for changing Administrator’s password in Active Directory by default. However there are several third party software that provide this facility but most of them are paid. Any method that claims to be more secure for changing Administrator password requires Schema Modifications which is not recommended for AD beginners. However if you have small AD with users with little or no understanding of IT, then you can use following Script method to change Local Administrator password. However, this method is very vulnerable and the script that is used for changing password, stores password in text format and is kept in SYSVOL folder which is shared and accessible to everyone over the domain. To continue with this method, follow these steps:
Open Group Policy Management console and select Group Policy Objects. Right-click on it and select New to create a new Group Policy Object. You can name this GPO as ‘ChangeLocalAdminPassword‘.
Right-click on newly created policy object and select Edit
Now in Group Policy Editor snap-in go to following path:
Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)
On the right pane, you will to options to run scripts on Startup and Shutdown.
Double-click on Startup to add script to Windows Startup.
In Startup properties, click on Add.. button.
New Add a Script snippet will open, click on Browse button next to Script Name:
Remember we still don’t have any scripts created for changing Administrator password. After you click on Browse button, it will open Browse window in default policy scripts folder. We can simply create a batch script here and we will add that script to Startup. Right-click on blank space in Browse window and select New > Text Document.
Name this new text document as ‘ChangeAdminPassword.txt‘
Right-click and select Edit to edit this text document. DON’T DOUBLE-CLICK ON IT AS IT WILL BE SELECTED AS STARTUP SCRIPT WITHOUT ANYTHING IN IT
In the text document type following lines to change Administrator password.
@echo off net user Super_user [email protected]!23$ exit
These are simple commands used for changing passwords of local users on a computer. ‘net user‘ is command for managing user accounts, ‘Super_user‘ is Administrator username as we have changed it and ‘[email protected]!23$‘ is new password for administrator account.
Save this document by pressing Ctrl + S. Also change the name of script from ‘ChangeAdminPassword.txt‘ to ‘ChangeAdminPassword.bat‘. This will make it an executable batch script.
When you change file extension from .txt to .bat, it will give you a warning click on Yes continue.
Now our script is ready. Select this newly created script from Browse window and click Open.
The script name will show up in Add a Script snippet. Click OK to close it.
Now you can see that newly selected script is showing in Startup Properties. Click Apply and OK to continue.
Now our Group Policy Object for changing Administrator password is ready for deployment. Right-click on OU that contains the computers and select Link an Existing GPO…
Select ‘ChangeLocalAdminPassword‘ GPO and click on OK.
GPO for changing Local Administrator password has been linked successfully to selected OU. Now it’s time for testing it.
Go to Client computer and run gpupdate command in command prompt or simply press Windows + R keys and type gpupdate and press Enter. Group policy will be updated on that client.
After updating Group Policy on client computer, it’s time to check if password has been changed or not. As defined in the GPO, the script to change password is a Startup script and runs only when Windows boots up. So, to get this policy executed, we need to reboot client machine. Restart client computer using power button on Start menu.
After successful reboot, you will see login screen asking for username and password. Enter the name of Administrator account which you have changed using previous Group Policy. In this tutorial, we have changed the name of Administrator to ‘Super_user‘, so, we have used “.\Super_user” as username and the password defined in the script to login. (The . [dot] before “\” in the username indicates that we are logging into local account on that client computer). If your script has executed successfully, you will be able to login to Administrator account using new password.
Renaming Administrator and Guest accounts on computers in domain is a good idea to minimize security risks by misuse of these default accounts. However script method for changing Administrator password is not very much recommended. But something is better than nothing. And the location at which startup script is kept is shared but the path is very complex and not so easy to find for normal users. Hope you find this helpful. Enjoy, have fun!