How to Rename Local Admin and Change Password Using GPO

This step-by-step tutorial explains how to rename the local admin account and change the administrator password on client computers using Group Policy (GPO). This is useful if you want to change the names of the administrator or guest user accounts. This way you can minimize the chances of these accounts being misused.

In this tutorial, we will use two Group Policy Objects: one to rename the local Administrator account and one to change the Administrator’s password. You can also do both using a single GPO.

First, we will create a GPO for renaming the Administrator account. The settings for changing the Administrator and Guest account names are in the same location, so you can use both of them or only the administrator one. However, on Windows 10 clients the Administrator and Guest accounts are disabled by default. You can enable both of them, or either one, using Group Policy.

A) Rename Local Admin Account Using GPO

To create a Group Policy object (GPO) to change the administrator and guest account names, follow the steps shown below:

Step 1: Create a New GPO

Start the Group Policy Management snap-in. To do so, go to Run, type gpmc.msc and press Enter. This will open Group Policy Management Console.

In the console tree, right-click on Group Policy Objects and select New to create a new Group Policy Object. This object will not be linked to any Organizational Unit by default. We will link this GPO to the desired OU later.

Create a New Group Policy Object

Give a name to your newly created GPO. You can choose any name that suits you and follows the naming policy used in your organization. In this tutorial, we have named this GPO ‘RenameAdminAccount’.

Name the GPO as RenameAdminAccount

Step 2: Define GPO Settings to Rename Administrator Account

After creating the GPO, it’s time to define its settings. To edit the Group Policy Object’s settings, right-click on it and select Edit…

Edit Group Policy Object’s Settings

Now, you can define settings for your newly created GPO. Go to the following path in Group Policy Editor:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Here on the right side, you will find the settings for changing the names of the Administrator and Guest accounts. To rename the local admin account using GPO, double-click on the policy setting named ‘Accounts: Rename Administrator account’.

Go to Security Options in Computer Configuration

In the Policy settings window, go to the Security Policy Setting tab. Here, check the box next to Define this policy setting. Next, in the text box under it, provide the new name for the Administrator account. Click on Apply and OK to close.

Define Policy Settings with New Name for Administrator account

You can follow the same process for renaming the Guest account as well. Double-click the ‘Accounts: Rename guest account’ policy setting and select the Define this policy setting check box. Then type the new name that you want to use for the guest account. Click OK.


Step 3: Enable the Administrator Account

There is one more setting that we need to change. In order to use the Administrator account on client computers, we must enable it first, because the Administrator account may be disabled on client computers. We will use the ‘Accounts: Administrator account status’ policy to change the status of the Administrator account to Enabled.

Select the Policy to Enable Administrator Account

Double-click the ‘Accounts: Administrator account status’ setting and check the box next to Define this policy setting. Then, click on the radio button next to Enabled. Finally, click Apply and OK to save the settings.

Define Policy Setting to Enable Administrator Account

Now you can close the Group Policy Editor snap-in. In Group Policy Management Console, select the newly created policy. Next, click on the Settings tab in the right pane to see the settings defined for the policy.

Check Policy Settings in GPO Console

Now our GPO to rename the local admin account is ready for deployment. Right-click on the OU that contains the computers (PCs in our case) and select Link an Existing GPO…

Right-click on OU and select Link an Existing GPO

In the next window, you can select from the list of available GPOs. Select the recently created ‘RenameAdminAccount’ GPO and click OK to link it to the selected OU.

Select and link RenameAdminAccount GPO

Now the ‘RenameAdminAccount’ GPO has been linked to the selected OU (PCs). The policy will update on clients during the next GPUpdate cycle. This policy doesn’t require the client PC to be restarted. For testing purposes, you can manually update the policy on a client computer by using the gpupdate command.

Manually Update Policy on Client Computer

After updating the policy on the client computer, you can see that the name of the Administrator account has been changed to what we defined in the Group Policy Object, Super_user in our case.
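To confirm on a client that the policy has applied, the check below (an added example, not part of the original tutorial) looks up the built-in accounts by their well-known RIDs, 500 for Administrator and 501 for Guest, rather than by name. The function name and the default guest name are assumptions; Super_user is the name used in this tutorial.

```powershell
# Added example: verify the rename and status of the built-in accounts on a client.
# Requires the Get-LocalUser cmdlet (Windows PowerShell 5.1 on Windows 10 or later).
function Test-BuiltinAccountRename {
    param(
        [string] $ExpectedAdminName = 'Super_user',  # name defined in the GPO in this tutorial
        [string] $ExpectedGuestName = 'Guest'        # assumption: guest account left at its default
    )

    # A rename changes only the account name. The SID, and so its last
    # component (the RID), stays the same: 500 = Administrator, 501 = Guest.
    $expected = @{ 500 = $ExpectedAdminName; 501 = $ExpectedGuestName }

    Get-LocalUser | ForEach-Object {
        $rid = [int](($_.SID.Value -split '-')[-1])
        if ($expected.ContainsKey($rid)) {
            [pscustomobject]@{
                Rid         = $rid
                CurrentName = $_.Name
                Expected    = $expected[$rid]
                NameMatches = ($_.Name -eq $expected[$rid])
                Enabled     = $_.Enabled
            }
        }
    }
}

# Run after gpupdate on the client; one row per built-in account.
Test-BuiltinAccountRename | Format-Table -AutoSize
```

After reverting the rename as described in section B, run it with -ExpectedAdminName Administrator to confirm the default name is back.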


B) Reverting the Changes (Rename local Admin account to default)

If you clear the Define this policy setting check box in the Rename administrator account policy, the name of the local admin account will not change back to the default (administrator). It will remain the same as we defined in the policy (Super_user). To fix this, we first need to rename the local admin account to the default (administrator) using the GPO, and then remove the policy.

Step 1: Restore Default Name of Admin Account

  1. Right-click on RenameAdminAccount policy and select Edit. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  2. Double-click on Accounts: Rename administrator account policy in the right pane.
  3. Make sure Define this policy setting box is checked. Then remove Super_user and type Administrator in the text box and click OK.
  4. Now update the policy on client computers. You can run gpupdate on client computer and check local admin account’s name by using net user command.

Similarly you can rename Guest account to default by using Accounts: Rename guest account policy setting.


After successfully restoring admin account name to default, you can now unlink or delete RenameAdminAccount policy. You can also keep the policy for future use and make it ineffective by unlinking it.

  1. In Group Policy Management Console, right-click on RenameAdminAccount Policy and select Edit.
  2. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  3. Double-click Accounts: Rename administrator account in the right pane. Next, clear the Define this policy setting check box. Finally, click OK to save.
  4. Next, click OK and quit the Group Policy Object Editor (GP Editor) console.


C) Change Local Administrator Account’s Password Using GPO

There are no native and fully secure methods to change the Administrator password in Active Directory. There are several third-party tools that provide this facility, but most of them are paid.

Any method that claims to be more secure for changing the Administrator password requires schema modifications, and this is not recommended for AD beginners. However, if you have a small AD setup whose users have little or no understanding of IT, you can use the following script method to change the local Administrator password.

However, this method is very vulnerable, because the script used for changing the password stores the password in plain text, and the script is kept in the SYSVOL folder. The SYSVOL folder is shared and accessible to everyone over the domain. Use this method at your own risk.

Step 1: Create Policy to Change Local Admin Password

Open the Group Policy Management console and select Group Policy Objects. Right-click on it and select New to create a new Group Policy Object. Provide a name for this new GPO. We have used the name ‘ChangeLocalAdminPassword’ in this tutorial.

Create New GPO to Change Local Admin’s Password

Right-click on newly created policy object and select Edit.

Edit the Newly Created GPO

Step 2: Define Policy Settings

Now, in the Group Policy Editor snap-in, go to the following path.

Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).

In the right pane, you will see options to run scripts on Startup and Shutdown.

Double-click on Startup to Add Startup Script

Double-click on Startup to add a script to Windows Startup. In Startup Properties, click on the Add… button.

Click on Add button to browse for Startup Script

A new Add a Script window will open. Click on the Browse button next to Script Name:

Click on Browse

Step 3: Create New Script in Startup Scripts Folder

Remember, we still don’t have any script created for changing the Administrator password. After you click on the Browse button, a Browse window will open in the default policy scripts folder. We can easily create a batch script here. Then, we will add that script to Startup.

Right-click on blank space in Browse window and select New > Text Document.

Create New Text Document in Startup Script Folder

Name this new text document ‘ChangeAdminPassword.txt’. You can name it anything; we have used this name because it describes the script’s purpose of changing the local admin password.

Name the Text file as ChangeAdminPassword

Step 4: Edit Text File and Create Batch Script

Right-click and select Edit to edit this text document. DON’T DOUBLE-CLICK ON IT AS IT WILL BE SELECTED AS STARTUP SCRIPT WITHOUT ANYTHING IN IT.

Edit Newly Created Text File

In the text document, type the following lines to change the Administrator password.

@echo off
rem NEW_PASSWORD_HERE is a placeholder for the new password of the renamed account.
net user Super_user NEW_PASSWORD_HERE
exit

net user is the command for managing user accounts. Super_user is the Administrator username, as we have renamed it. And NEW_PASSWORD_HERE stands for the new password for the administrator account.

Write Script to Change Admin Password

Save this document by pressing Ctrl + S. Also change the name of the script from ‘ChangeAdminPassword.txt’ to ‘ChangeAdminPassword.bat’. This will make it an executable batch script, which will be used to change the local admin password on client computers.

Change File Extension from .txt to .bat

When you change the file extension from .txt to .bat, Windows will show a warning; click Yes to continue.

Click Yes to Change File Extension

Now our script is ready. Select this newly created script from Browse window and click Open.

Select Newly Created Script and Click Open

The script name will show up in the Add a Script window. Click OK to close it.

Click Add to add this Script to Startup

Now you can see that the newly selected script is showing in Startup Properties. Click Apply and OK to continue.

Click Apply and then OK

Now our Group Policy Object to change local admin password is ready for deployment. Right-click on OU that contains the computers and select Link an Existing GPO…

Right-click on OU and select Link an Existing GPO

Select the ‘ChangeLocalAdminPassword’ GPO and click on OK.

Select Newly Created GPO to Computers OU

GPO for changing Local Administrator password has been linked successfully to selected OU. Now it’s time for testing it.

Step 6: Update Policy on Client Computers

Go to Client computer and run gpupdate command in command prompt. Alternatively, simply press Windows + R keys and type gpupdate and press Enter. Group policy will be updated on that client.

After updating Group Policy on client computer, it’s time to check if password has been changed or not. As defined in the GPO, the script to change password is a startup script and runs only when Windows boots up. So, to get this policy executed, we need to reboot client machine. Now, restart the client computer.

Restart Your Computer

After a successful reboot, you will see the login screen asking for a username and password. Enter the new name of the Administrator account, which we changed using the previous Group Policy. In this tutorial, we used the GPO to rename the local admin account to Super_user. So, we have used .\Super_user as the username and the password defined in the script to log in.

Login to Local Admin Account with New Credentials

Rename Local Admin Account and Change Its Password Using GPO

The above tutorial explained how to rename the local Administrator and Guest accounts on computers in a domain. It is a good idea to minimize the security risks posed by misuse of these default accounts. However, the script method to change the local Admin password is not really recommended. But something is better than nothing. And the location at which the startup script is kept is shared, but the path is not known to everyone. So, it won’t be easy for normal users to find.
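Because the startup script sits in the shared SYSVOL folder with the password in plain text, it is worth auditing for scripts of this kind. The following audit, an added example that is not part of the original tutorial, scans a folder tree for batch scripts that set a password with net user and reports the file, line and account while masking the password itself. The function name and the constructed demo files are assumptions; on a real domain, point -Path at \\<your-domain>\SYSVOL\<your-domain>\Policies.

```powershell
# Added example: find batch scripts that pass a password to "net user" in plain text.
function Find-PlaintextNetUserPassword {
    param(
        [Parameter(Mandatory)] [string] $Path   # folder tree to audit
    )

    # Matches "net user <account> <password> [switches]".
    # Not a finding: "net user <account>" (query), "*" (interactive prompt),
    # or a /switch in the password position (e.g. /active:yes).
    # Limitation: a password that itself starts with "/" or "*" is not flagged.
    $pattern = '^\s*@?\s*net(?:\.exe)?\s+user\s+(?<account>"[^"]+"|\S+)\s+(?<secret>[^\s/*]\S*)'

    Get-ChildItem -Path $Path -Recurse -File -Include *.bat, *.cmd -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        ForEach-Object {
            $m = $_.Matches[0]
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Account = $m.Groups['account'].Value
                # Never copy the secret into a report; show only its length.
                Secret  = '*' * $m.Groups['secret'].Value.Length
            }
        }
}

# Constructed sample files so the function can be tried offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'sysvol-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'ChangeAdminPassword.bat') -Value @(
    '@echo off'
    'net user Super_user Constructed-Example-1'
    'exit'
)
Set-Content -Path (Join-Path $demo 'EnableAccount.cmd') -Value 'net user Super_user /active:yes'

# Expect one finding: ChangeAdminPassword.bat, line 2, account Super_user.
Find-PlaintextNetUserPassword -Path $demo | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force
```

Treat every finding as an exposed credential: remove the script from the GPO and change the password on the machines it was applied to.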
