fail to rename local administrator

    Question

  • i have a computer policy that renames the local administrator account to "something." the same policy has an "update" preference to change the password of "something." i don't know if that's relevant. but the policy is failing to rename the local administrator account. it's actually creating a separate account named "something" instead of renaming Administrator. in winlogon.log, i see

     

    Error 1316: The specified account already exists.
      Error renaming administrator account.

     

    even if i delete the 'something' account from the machine.

    Tuesday, August 02, 2011 3:49 PM

Answers

  • ahhh.  discovered something. if i change the policy that renames the administrator account so that it names it "something1," it works. AND a new user named "something" gets created.

    so assuming i want it to be "something" instead:

    i had a *policy* to rename the local administrator account to "something."

    i had a policy *preference* to UPDATE the password of the "something" account.

    i always thought "update" meant "if x exists, make this change to x" and that only create and replace would actually make an account. but reading the Windows Help file, i guess "If the local user does not exist, then the Update action creates a new local user."

    so it appears that the preference is CREATing the user "something" first and then the POLICY is trying to rename administrator to "something," which of course fails because there's already a user named "something."

    so i should probably use a preference to both rename administrator to "something" and reset the password of "something."

     

     

     

    Tuesday, August 02, 2011 7:58 PM

All replies

  • Hi,

    Just to make sure, delete the existing policy and create a new one with the steps mentioned here. It is straightforward.

    http://technet.microsoft.com/en-us/library/cc747484(WS.10).aspx 

    This link has got an  excellent explanation.. http://www.techrepublic.com/blog/datacenter/change-local-username-and-password-via-group-policy/3185 

     


    Regards, Mohan R Sr. Administrator - Server Support
    • Proposed as answer by Sukhwin08 Wednesday, August 03, 2011 7:15 AM
    Tuesday, August 02, 2011 4:04 PM
  • made a brand new gpo. its only setting is computer configuration/windows settings/security settings/local policies/security options/Accounts:rename local administrator account.

    deleted local user "something." gpupdate/force. new user "something" created, administrator account stays. rsop.msc shows an error on that setting. "the policy...resulted in the following error An unknown error occured when attempting to open the database... for more information see %windir%\security\logs\winlogon.log on the target machine."

    winlogon.log still says "Error 1316: The specified account already exists."

     

    ----Configure Security Policy...
      Start processing undo values for 7 settings.
      There is already an undo value for group policy setting <MinimumPasswordLength>.
      There is already an undo value for group policy setting <PasswordHistorySize>.
      There is already an undo value for group policy setting <MaximumPasswordAge>.
      There is already an undo value for group policy setting <MinimumPasswordAge>.
      There is already an undo value for group policy setting <PasswordComplexity>.
      There is already an undo value for group policy setting <RequireLogonToChangePassword>.
      There is already an undo value for group policy setting <ClearTextPassword>.
     Configure password information.
      Start processing undo values for 3 settings.
      There is already an undo value for group policy setting <LockoutBadCount>.
      There is already an undo value for group policy setting <ResetLockoutCount>.
      There is already an undo value for group policy setting <LockoutDuration>.
      There is already an undo value for group policy setting <NewAdministratorName>.
    Error 1316: The specified account already exists.
      Error renaming administrator account.
      There is already an undo value for group policy setting <EnableAdminAccount>.
     Administrator account is enabled.

     System Access configuration was completed with one or more errors.

    Tuesday, August 02, 2011 6:29 PM
  • also if i manually rename the local administrator account to "something" and gpupdate, winlogon.log says "rename the administrator account to something" where it used to say "error 1316: the specified account already exists." is there some permission issue...?

    but if i rename the administrator account to "something else" and run gpupdate, it fails again saying "the specified account already exists."

     


    this is happening on windows 7 and windows xp clients.
    Tuesday, August 02, 2011 6:41 PM
  • Excellent.. You sorted that out.. :)

    Thanks for posting your findings too.. It is helpful to the ppl who read this thread..


    Regards, Mohan R Sr. Administrator - Server Support
    Wednesday, August 03, 2011 4:34 AM
  • Did the preference to both rename administrator to "something" and reset the password of "something" work? It's funny how you have this posted. I was working on the same GPO and I actually tested it on a test OU and had no problem. That was because at first I made a GPO to only rename the account using the 2003 GPO template. I then altered the GPO in 2008 Group Policy to add the preference of changing the password. This was after the local admin account was renamed.

    When I moved the policy to production, that is when I began to scratch my head. I then stumbled upon your post to realize it was recent. I had to alter my GPO to remove that account that was created. I then proceeded to change the policy to have 2 preferences, 1 for rename and 2 for reset of password but it is still creating the account. I am going to test again to make sure.

    Please let me know if it works for you.

    Wednesday, August 03, 2011 4:13 PM
  • having the name change and password change in the same preference seems to be "working," that is, if the local administrator is named anything but "something," it's changing the name to "something." the awesome thing, thanks microsoft, good thinking, is that if the local administrator is already named "something," the application event log is showing an error because the account already exists. however winlogon.log is not showing an error. i'm using the "update" action. i am wary of using the "replace" action on the local administrator account....

    the event log error when trying to change the built in administrator account to "something" when it's already named "something" is:

    "The computer 'Administrator (built-in)' preference item in the 'SI Workstation {56236870-4E2D-4973-90FF-613BC2D2C8EA}' Group Policy object did not apply because it failed with error code '0x80070524 The specified account already exists.' This error was suppressed."

    so i'm getting this with every policy refresh.

    i also have a second problem, in that every computer that applied my previous, broken, "policy changes the username, preference changes the password" setup now has an additional user named "something." so the specified account really *does* already exist on those machines. so i'm somehow going to need to go out and find every machine that has an Administrator account and a "something" account, then delete all the "something" accounts from those machines so i can rename administrator to "something."

    Thursday, August 04, 2011 5:21 PM
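
The cleanup described in the post above depends on telling the real built-in administrator (its SID always ends in RID 500) from the account the Update preference created. An added example, not part of the thread, that reports this per machine without changing anything; it assumes PowerShell 3.0 or later with WinRM reachable on remote clients, and `something` and the computer list are placeholders.

```powershell
# Added example (not from the thread): classify local accounts by SID, not name.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # placeholder list of clients
    [string]$TargetName = 'something'                # the thread's stand-in name
)

function Get-AdminRenameState {
    param([string]$Computer, [string]$TargetName)

    # Query local accounts only; omit -ComputerName for the local machine so
    # that WinRM is not required there.
    $query = @{ ClassName = 'Win32_UserAccount'; Filter = 'LocalAccount=True'; ErrorAction = 'Stop' }
    if ($Computer -ne $env:COMPUTERNAME) { $query.ComputerName = $Computer }
    $accounts = @(Get-CimInstance @query)

    # The built-in administrator keeps RID 500 no matter what it is renamed to.
    $builtin = $accounts | Where-Object { $_.SID -match '^S-1-5-21-.+-500$' }
    # Any other account holding the target name was created, not renamed.
    $stray = $accounts | Where-Object { $_.Name -eq $TargetName -and $_.SID -ne $builtin.SID }

    $state = if ($builtin.Name -eq $TargetName) { 'Renamed' } elseif ($stray) { 'BlockedByDuplicate' } else { 'NotRenamed' }

    [pscustomobject]@{
        Computer         = $Computer
        BuiltinAdminName = $builtin.Name
        StrayAccountSid  = $stray.SID
        State            = $state
    }
}

foreach ($c in $ComputerName) {
    try {
        Get-AdminRenameState -Computer $c -TargetName $TargetName
    } catch {
        # Report unreachable machines instead of silently skipping them.
        [pscustomobject]@{ Computer = $c; BuiltinAdminName = $null; StrayAccountSid = $null; State = "Unreachable: $($_.Exception.Message)" }
    }
}
```

Machines reported as `BlockedByDuplicate` are the ones where the rename fails with error 1316 until the extra account is dealt with.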
  • sorry to resurrect this, but I noticed same trouble... for a long time I was using GPO to rename default admin account in our domain, but just recently started using another GPO with preference to change that account's password ... then I altered the account name to something else (and password for it) both at same time in our domain ... and the effect is unbelievably ridiculous, especially that it's different between xp vs 7x64 ...

    on XPSP3 the old "altered administrator" account still belongs to Administrators group while new one was created, but doesn't belong anywhere

    on 7x64 it's the exact opposite (new one works and belongs to Administrators group while old one is not attached anywhere) ...

    I guess I will have to remove both accounts (yeah, there are two now) and start over ... need to test it before applying though ... what a mess ...

    Thursday, October 11, 2012 9:09 PM