How to Rename Local Admin and Change Password using GPO

This step-by-step tutorial explains how to rename the local admin account and change the administrator password on client computers using Group Policy (GPO). You can minimize the chances of misuse of these accounts by renaming them.

In this tutorial, we will use two Group Policy Objects: one to rename the local Administrator account and one to change the Administrator’s password. You can also do both using a single GPO.

First, we will create a GPO for renaming the Administrator account. The settings for changing the Administrator and Guest account names are in the same location, so you can use both of them or only the Administrator one. However, on Windows 10 clients, the Administrator and Guest accounts are disabled by default. You can enable both of them or either one using Group Policy.


A) Rename Local Admin Account Using GPO

First of all, we will have to create a new GPO for renaming the local admin account. So, to create a Group Policy object (GPO) to change the administrator and guest account names, follow the steps shown below:

Step 1: Create a New GPO

Start the Group Policy Management snap-in. To do so, go to Run, type gpmc.msc, and press Enter. This will open the Group Policy Management Console.

In the console tree, right-click on Group Policy Objects and select New to create a new Group Policy Object. This GPO will not be linked to any Organizational Unit by default. We will link this GPO to the desired OU later.

Create a New Group Policy Object

Now, type a suitable name for your newly created GPO. You can give any name as per your convenience and the naming policy used in your organization. In this tutorial, we have named this GPO ‘RenameAdminAccount’.

Name the GPO as RenameAdminAccount


Step 2: Define GPO Settings to Rename Administrator Account

After creating the GPO, it’s time to define its settings. To edit the Group Policy Object’s settings, right-click on it and select Edit…

Edit Group Policy Object’s Settings

Now, you can define settings for your newly created GPO. Go to the following path in Group Policy Editor:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Here on the right side, you will find settings for changing the names of Administrator and Guest accounts. To rename the local admin account using GPO, double-click on the policy setting with the name ‘Accounts: Rename Administrator account’.

Go to Security Options in Computer Configuration

In the Policy settings window, go to the Security Policy Setting tab. Here, check the box next to Define this policy setting. Next, in the text box under it, provide a new name for the Administrator account. Click on Apply and OK to close.

Define Policy Settings with New Name for the Administrator account

INFO: You can follow the same process for renaming the Guest account as well. Double-click the ‘Accounts: Rename guest account’ policy setting, and click to select the Define this policy setting check box. After that, type the new name that you want to use for the guest account. Click OK.


Step 3: Enable the Administrator Account

There is one more setting that we need to change. To use the Administrator account on client computers, we must enable it first, because the Administrator account may be disabled on client computers. So, we will use the ‘Accounts: Administrator account status’ policy to change the status of the Administrator account to Enabled.

Select the Policy to Enable Administrator Account

Double-click the ‘Accounts: Administrator account status’ setting and check the box next to Define this policy setting. Then, click on the radio button next to Enabled. Finally, click Apply and OK to save the settings.

Define Policy Setting to Enable Administrator Account

Now you can close the Group Policy Editor snap-in. In the Group Policy Management Console, select the newly created policy. Next, click on the Settings tab in the right pane to see the settings defined for the policy.

Check Policy Settings in the GPO Console

Now our GPO to rename the local admin account is ready for deployment. Right-click on the OU that contains computers (PCs in our case) and select Link an Existing GPO…

Right-click on OU and select Link an Existing GPO

In the next window, you can select from the list of available GPOs. Select the recently created ‘RenameAdminAccount’ GPO and click OK to link it to the selected OU.

Select and link RenameAdminAccount GPO

Now the ‘RenameAdminAccount’ GPO has been linked to the selected OU (PCs). The policy will be updated on clients during the next GPUpdate cycle. This policy doesn’t require the client PC to be restarted. For testing purposes, you can manually update the policy on the computer by using the gpupdate command.

Manually Update Policy on the target computer

After updating the policy on the client computer, you can see that the name of the Administrator account has been changed to what we defined in the Group Policy Object, Super_user in our case.
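To confirm the result on a client without relying on the account name, the following added example (not part of the original tutorial) looks up the built-in Administrator by its relative ID 500, which stays the same after a rename. The function name Get-BuiltinAdminState is hypothetical; Super_user is the name used in this tutorial.

```powershell
# Added example: check the built-in Administrator after the GPO has applied.
# Get-BuiltinAdminState is a hypothetical helper name; run it on the client PC.
function Get-BuiltinAdminState {
    param(
        [string] $ExpectedName = 'Super_user'   # name defined in the tutorial's GPO
    )

    # The built-in Administrator keeps relative ID 500 whatever it is called,
    # so select it by SID instead of by name.
    $admin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        CurrentName     = $admin.Name
        NameMatches     = ($admin.Name -eq $ExpectedName)   # rename policy applied?
        Enabled         = $admin.Enabled                    # 'Administrator account status' policy
        PasswordLastSet = $admin.PasswordLastSet            # useful after the password change in part C
    }
}

Get-BuiltinAdminState
```

Because the SID does not change, the rename hides the account only from tools and people that look for the literal name Administrator.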



B) Reverting the Changes (Rename local Admin account to default)

If you clear the Define this policy setting check box in the Rename administrator account policy, the name of the local admin account will not be changed back to the default (administrator). It will remain the same as we defined in the policy (Super_user). To fix this, we first need to rename the local admin account back to the default (administrator) using the GPO. Then we can remove the policy.

Step 1: Restore the Default Name of the Admin Account

  1. Right-click on the RenameAdminAccount policy and select Edit. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  2. Double-click on Accounts: Rename administrator account policy in the right pane.
  3. Make sure the Define this policy setting box is checked. Then remove Super_user, type Administrator in the text box, and click OK.
  4. Now update the policy on client computers. You can run gpupdate on the client-PC and check the local admin account’s name by using the net user command.

INFO: Similarly you can rename the Guest account to default by using the Accounts: Rename guest account policy setting.


After successfully restoring the admin account name to the default, you can now unlink or delete the RenameAdminAccount policy. You can also keep the policy for future use and make it ineffective by unlinking it.

  1. In the Group Policy Management Console, right-click on RenameAdminAccount Policy and select Edit.
  2. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  3. Double-click the Accounts: Rename administrator account setting in the right pane. Next, clear the Define this policy setting check box. Finally, click OK to save.
  4. Next, click OK and quit the Group Policy Object Editor (GP Editor) console.



C) Change the Local Administrator Account’s Password Using GPO

There are no native and fully secure methods to change the Administrator password in Active Directory. Several third-party tools provide this facility, but most of them are paid.

Any method that claims to be more secure for changing the Administrator password requires schema modifications (LAPS), and this is not recommended for AD beginners. However, if you have a small AD setup with users with little or no understanding of IT, then you can use the following script method to change the Local Administrator password.

However, this method is very vulnerable, because the script used for changing the password stores the password in plain text. The script is stored in the SYSVOL folder, which is shared and accessible to everyone in the domain. Use this method at your own risk.

Step 1: Create a Policy to Change Local Admin Password

Open the Group Policy Management console and select Group Policy Objects. Right-click on it and select New to create a new Group Policy Object. Provide the name for this new GPO. We have used the ‘ChangeLocalAdminPassword’ name in this tutorial.

Create a New GPO to Change the Local Admin’s Password

Right-click on the newly created policy object and select Edit.

Edit the Newly Created GPO

Step 2: Define Policy Settings

Now in the Group Policy Editor snap-in go to the following path.

Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).

On the right pane, you will find options to run scripts on Startup and Shutdown.

Double-click on Startup to Add Startup Script

Double-click on Startup to add the script to Windows Startup. In Startup properties, click on the Add... button.

Click on the Add button to browse for Startup Script

A new Add a Script dialog will open. Click on the Browse button next to Script Name:

Click on Browse

Step 3: Create a New Script in the Startup Scripts Folder

Remember we still don’t have any scripts created for changing the Administrator password. After you click on the Browse button, it will open a Browse window in the default policy scripts folder. We can easily create a batch script here. Then, we will add that script to Startup.

Right-click on the blank space in the Browse window and select New > Text Document.

Create a New Text Document in the Startup Script Folder

Name this new text document ‘ChangeAdminPassword.txt’. You can name it anything; we have used this name to make it relevant to changing the local admin password.

Name the Text file as ChangeAdminPassword

Step 4: Edit the Text File and Create a Batch Script

Right-click and select Edit to edit this text document. DON’T DOUBLE-CLICK ON IT AS IT WILL BE SELECTED AS THE STARTUP SCRIPT WITHOUT ANYTHING IN IT.

Edit Newly Created Text File

In the text document, type the following lines to change the Administrator password.

@echo off
net user Super_user P@ss!23$
exit


net user is the command for managing user accounts. Super_user is the Administrator username as we have changed it. P@ss!23$ is the new password for the administrator account.

Write Script to Change Admin Password

Save this document by pressing Ctrl + S. Also change the name of the script from ‘ChangeAdminPassword.txt’ to ‘ChangeAdminPassword.bat’. This will make it an executable batch script that will be used to change the local admin password on client computers.

Change File Extension from .txt to .bat

When you change the file extension from .txt to .bat, Windows will show a warning. Click Yes to continue.

Click Yes to Change File Extension

Now our script is ready. Select this newly created script from the Browse window and click Open.

Select Newly Created Script and Click Open

The script name will show up in the Add a Script dialog. Click OK to close it.

Click Add to add this Script to the Startup

Now you can see that the newly selected script is showing in Startup Properties. Click Apply and OK to continue.

Click Apply and then OK

Now our Group Policy Object to change the local admin password is ready for deployment. Right-click on the OU that contains the computers and select Link an Existing GPO…

Right-click on OU and select Link an Existing GPO

Select the ‘ChangeLocalAdminPassword’ GPO and click on OK.

Link Newly Created GPO to Computers OU

GPO for changing the Local Administrator password has been linked successfully to the selected OU. Now it’s time to test it.


Step 6: Update Policy on Client Computers

Go to the client computer and run the gpupdate command in the command prompt. Alternatively, simply press the Windows + R keys and type gpupdate and press Enter. Group policy will be updated on that client.

After updating the Group Policy on the client computer, it’s time to check whether the password has been changed. As defined in the GPO, the script to change the password is a startup script and runs only when Windows boots up. So, to get this policy executed, we need to reboot the client machine. Now, restart the client computer.

Restart Your Computer

After a successful reboot, you will see a login screen asking for the username and password. Enter the new name of the Administrator account, which we changed using the previous Group Policy. In this tutorial, we used the GPO to rename the local admin account to Super_user. So, we have used .\Super_user as the username and the password defined in the script to log in.

Login to Local Admin Account with New Credentials


Rename the Local Admin Account and Change Its Password using GPO

The above tutorial explained how to rename the local Administrator and Guest accounts on computers in the domain. It is a good idea to minimize the security risks from misuse of these default accounts. However, the script method to change the local Admin password is not really recommended. But something is better than nothing. The location where the startup script is kept is shared, but the path is not known to everyone, so it won’t be easy for normal users to find.
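Administrators who have used the script method can audit their own script folders for leftover plaintext passwords. The following is an added example, not part of the original tutorial: the function name Find-PlaintextNetUser is hypothetical, and the folder it scans here is a constructed temporary directory standing in for a GPO startup-scripts folder.

```powershell
# Added example: flag 'net user <account> <password>' lines in batch scripts.
# Find-PlaintextNetUser is a hypothetical helper name.
function Find-PlaintextNetUser {
    param(
        [Parameter(Mandatory)] [string] $Root   # folder to audit, e.g. your SYSVOL share
    )

    # Second argument must be present and must not be '*' (interactive prompt)
    # or a /switch such as /active:yes. Select-String is case-insensitive.
    $pattern = '^\s*@?\s*net(?:\.exe)?\s+user\s+(?<account>"[^"]+"|[^/\s]\S*)\s+(?<secret>[^/*\s]\S*)'

    Get-ChildItem -Path $Root -Recurse -File -Include *.bat, *.cmd -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        ForEach-Object {
            $m = $_.Matches[0]
            [pscustomobject]@{
                File      = $_.Path
                Line      = $_.LineNumber
                Account   = $m.Groups['account'].Value
                SecretLen = $m.Groups['secret'].Value.Length   # length only, never the value
            }
        }
}

# Constructed sample data: the tutorial's script plus a harmless one.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("sysvol-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'ChangeAdminPassword.bat') `
    -Value '@echo off', 'net user Super_user P@ss!23$', 'exit'
Set-Content -Path (Join-Path $demo 'EnableAdmin.bat') `
    -Value '@echo off', 'net user Super_user /active:yes'

# Only ChangeAdminPassword.bat, line 2, should be reported.
Find-PlaintextNetUser -Root $demo | Format-Table -AutoSize

Remove-Item -Recurse -Force $demo
```

Any account reported by the audit should have its password changed, and the script removed from the GPO, since the file may already have been read.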
