How to Rename Local Admin and Change Password using GPO
This step-by-step tutorial explains how to rename the local admin account and change the administrator password on client computers using Group Policy (GPO). You can minimize the chances of misuse of these accounts by renaming them.
So, in this tutorial, we will use two Group Policy Objects to Rename the local Administrator account and Change the Administrator’s password respectively. You can also do both using a single GPO.
So, first, we will be creating a GPO for renaming the Administrator account. Settings for changing Administrator and Guest account names lie in the same location. So, you can use both of them or only the administrator one. However, on Windows 10 clients, Administrator and Guest accounts are disabled by default. You can enable both of them or anyone using Group Policy.
SEE ALSO: How to Get the List of Local User Accounts from Domain Computers?
A) Rename Local Admin Account Using GPO
First of all, we will have to create a new GPO for renaming the local admin account. So, to create a Group Policy object (GPO) to change the administrator and guest account names, follow the steps shown below:
Step 1: Create a New GPO
Start the Group Policy Management snap-in. To do so, go to Run, type gpmc.msc
, and press Enter. This will open the Group Policy Management Console.
In the console tree, right-click on Group Policy Objects and select New to create a new Group Policy Object. This GPO will not be linked to any Organizational Unit by default. We will link this GPO to the desired OU later.
Now, type a suitable name for your newly created GPO. You can give any name as per your convenience and the naming policy used in your organization. In this tutorial, we have named this GPO ‘RenameAdminAccount‘.
SEE ALSO: How to solve the Shell Infrastructure issue in Windows caused by misconfigured GPO?
Step 2: Define GPO Settings to Rename Administrator Account
After creating the GPO, it’s time to define its settings. To edit the Group Policy Object’s settings, right-click on it and select Edit…
Now, you can define settings for your newly created GPO. Go to the following path in Group Policy Editor:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Here on the right side, you will find settings for changing the names of Administrator and Guest accounts. To rename the local admin account using GPO, double-click on the policy setting with the name ‘Accounts: Rename Administrator account‘.
In the Policy settings window, go to the Security Policy Setting tab. Here, check the box next to Define this policy setting. Next, in the text box under it provide a new name for the Administrator account. Click on Apply and OK to close.
INFO: You can follow the same process for renaming the Guest account as well. Double-click ‘Accounts: Rename guest account‘ policy settings, and click to select the Define this policy setting check box. After that, type the new name that you want to use for the guest account. Click OK.
Step 3: Enable the Administrator Account
There is one more setting that we need to change. To use the Administrator account on client computers, we must enable it first. It may be possible that the Administrator account is disabled on client computers. So, we will use the ‘Accounts: Administrator account status‘ policy to change the status of the Administrator account to Enabled.
Double-click the ‘Accounts: Administrator account status’ setting and check the box next to Define this policy setting. Then, click on the radio button next to Enabled. Finally, click Apply and OK to save the settings.
Now you can close the Group Policy Editor snap-in. In the Group Policy Management Console, select the newly created policy. Next, click on the Settings tab in the right pane to see the settings defined for the policy.
Step 4: Link the GPO to OU and Update the Policy
Now our GPO to rename the local admin account is ready for deployment. Right-click on the OU that contains computers (PCs in our case) and select Link an Existing GPO…
In the next window, you can select from the list of available GPOs. Select the recently created ‘RenameAdminAccount‘ GPO and click OK to link it to the selected OU.
Now ‘RenameAdminAccount‘ GPO has been linked to the selected OU (PCs). The policy will be updated on clients during the next GPUpdate cycle. This policy doesn’t require the client-PC to be restarted. For testing purposes, you can manually update the policy on the computer by using gpupdate
command.
You can see after updating the policy on the client computer, the name of the Administrator account has been changed to what we defined in Group Policy Object, Super_user in our case.
SEE ALSO: How to Create a Local Account on Windows 10 During Setup?
B) Reverting the Changes (Rename local Admin account to default)
If you clear the Define this policy setting check box in the Rename administrator account, the name of the local admin account will not be changed to default (administrator). It will remain the same as we defined in the policy (Super_user). To fix this issue, we need to rename the local admin account to default (administrator) using GPO first. And then, we will remove the Policy.
Step 1: Restore the Default Name of the Admin Account
- Right-click on the RenameAdminAccount policy and select Edit. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Double-click on Accounts: Rename administrator account policy in the right pane.
- Make sure the Define this policy setting box is checked. Then remove Super_user, type Administrator in the text box, and click OK.
- Now update the policy on client computers. You can run
gpupdate
on the client-PC and check the local admin account’s name by using thenet user
command.
INFO: Similarly you can rename the Guest account to default by using the Accounts: Rename guest account policy setting.
Step 2: Unlink and Delete the Policy
After successfully restoring the admin account name to the default, you can now unlink or delete the RenameAdminAccount policy. You can also keep the policy for future use and make it ineffective by unlinking it.
- In the Group Policy Management Console, right-click on RenameAdminAccount Policy and select Edit.
- Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Double-click the Accounts: Rename administrator account setting in the right pane. Next, clear the Define this policy setting check box. Finally, click OK to save.
- Next, click OK and quit the Group Policy Object Editor (GP Editor) console.
SEE ALSO: Switch to Local Account from Microsoft Account on Windows 10?
C) Change the Local Administrator Account’s Password Using GPO
There are no native and fully secure methods to change the Administrator password in Active Directory. However, there are several third-party software that provide this facility but most of them are paid.
Any method that claims to be more secure for changing the Administrator password, requires Schema Modifications (LAPS). And this is not recommended for AD beginners. However, if you have a small AD setup with users with little or no understanding of IT, then you can use the following script method to change the Local Administrator password.
However, this method is very vulnerable. Because the script used for changing the password stores the password in plain text format. The script is available in the SYSVOL folder. The SYSVOL folder is shared and accessible to everyone over the domain. Use this method at your own risk.
Step 1: Create a Policy to Change Local Admin Password
Open the Group Policy Management console and select Group Policy Objects. Right-click on it and select New to create a new Group Policy Object. Provide the name for this new GPO. We have used the ‘ChangeLocalAdminPassword‘ name in this tutorial.
Right-click on the newly created policy object and select Edit.
Step 2: Define Policy Settings
Now in the Group Policy Editor snap-in go to the following path.
Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
On the right pane, you will to options to run scripts on Startup and Shutdown.
Double-click on Startup to add the script to Windows Startup. In Startup properties, click on the Add.. button.
A new Add a Script snippet will open, click on the Browse button next to Script Name:
Step 3: Create a New Script in the Startup Scripts Folder
Remember we still don’t have any scripts created for changing the Administrator password. After you click on the Browse button, it will open a Browse window in the default policy scripts folder. We can easily create a batch script here. Then, we will add that script to Startup.
Right-click on the blank space in the Browse window and select New > Text Document.
Name this new text document as ‘ChangeAdminPassword.txt‘. You can name it anything, we have used this name to make it relevant to Change Local Admin password.
Step 4: Edit the Text File and Create a Batch Script
Right-click and select Edit to edit this text document. DON’T DOUBLE-CLICK ON IT AS IT WILL BE SELECTED AS THE STARTUP SCRIPT WITHOUT ANYTHING IN IT.
In the text document, type the following lines to change the Administrator password.
@echo off net user Super_user P@ss!23$ exit
SEE ALSO: A to Z list of all Windows CMD Commands.
net user
is the command for managing user accounts. Super_user
is the Administrator username as we have changed it. P@ss!23$
is the new password for the administrator account.
Save this document by pressing Ctrl + S. Also change the name of the script from ‘ChangeAdminPassword.txt‘ to ‘ChangeAdminPassword.bat‘. This will make it an executable batch script that will be used to change the local admin password on client computers.
When you change the file extension from .txt to .bat, it will give you a warning click on Yes continue.
Now our script is ready. Select this newly created script from the Browse window and click Open.
The script name will show up in the Add a Script snippet. Click OK to close it.
Now you can see that the newly selected script is showing in Startup Properties. Click Apply and OK to continue.
Step 5: Link the GPO to Computers OU
Now our Group Policy Object to change the local admin password is ready for deployment. Right-click on OU which contains the computers and select Link an Existing GPO…
Select ‘ChangeLocalAdminPassword‘ GPO and click on OK.
GPO for changing the Local Administrator password has been linked successfully to the selected OU. Now it’s time to test it.
Step 6: Update Policy on Client Computers
Go to the client computer and run the gpupdate
command in the command prompt. Alternatively, simply press the Windows + R keys and type gpupdate
and press Enter. Group policy will be updated on that client.
After updating the Group Policy on client computer, it’s time to check if the password has been changed or not. As defined in the GPO, the script to change the password is a startup script and runs only when Windows boots up. So, to get this policy executed, we need to reboot the client machine. Now, restart the client computer.
After a successful reboot, you will see a login screen asking for the username and password. Enter the new name of the Administrator account which we have changed using the previous Group Policy. In this tutorial, we used the GPO to rename the local admin account to Super_user. So, we have used .\Super_user
as username and the password defined in the script to log in.
SEE ALSO: How to Edit the Registry.pol File using the LGPO.exe Tool?
Rename the Local Admin Account and Change Its Password using GPO
The above tutorial explained how to rename local Administrator and Guest accounts on computers in the domain. It is a good idea to minimize security risks by the misuse of these default accounts. However, the script method to change the local Admin password is not very much recommended. But something is better than nothing. And the location where the startup script is kept is shared but the path is not known to everyone. So, it won’t be easy to find for normal users.
Hope you find this tutorial helpful. In case you have any trouble following the tutorial or have any queries and suggestions, feel free to drop them in the comment section down below. You may also want to subscribe to our newsletter to get the latest tutorials directly into your inbox.