locked
Renaming Server Default Administrator Account Ramifications RRS feed

  • Question

  • Hi

     

    I have a situation here where the server(s) default administrator account was renamed several years ago. Since that time all databases and database applications (sql server and oracle) have been installed with this account. Now the powers that be want to rename the account again. My question is what is the ramification to all my databases and database app installs, if any ?

     

    Thanks

    Jim

     

     

    Thursday, January 12, 2012 10:00 PM

Answers

  • All security principals (like the default administrator account) are identified by SID, which is unchanged when the object is renamed. I know that group memberships, DACLs, etc., are unaffected. I assume the same for SQL Server databases (roles, owners, service accounts), although I'd like to hear an SQL expert chime in here. The exception would be cases like scripts where the user name has been hardcoded.

    Of course, that's why renaming the account doesn't provide much protection. The account is easy to find by well-known SID.

     


    Richard Mueller - MVP Directory Services
    Friday, January 13, 2012 2:13 AM
  • Hi,

    I second Richards response, there should be no ramifications in re-naming the account as there is an underlying ID which will point to the correct account.

     

    Kind Regards,

    Martin

     


    If you find my information useful, please rate it. :-)
    Friday, January 13, 2012 2:15 AM
  • Hi,

     

    Please refer to the following Microsoft KB article:

     

    Well-known security identifiers in Windows operating systems

    http://support.microsoft.com/kb/243330

     

    SID: S-1-5-21domain-500

    Name: Administrator

    Description: A user account for the system administrator. By default, it is the only user account that is given full control over the system.

     

    In addition, you may also use script to find out the renamed administrator account.

     

    For more information, please refer to the following Microsoft TechNet blog:

     

    How Can I Determine if the Local Administrator Account has been Renamed on a Computer?

    http://blogs.technet.com/b/heyscriptingguy/archive/2005/07/22/how-can-i-determine-if-the-local-administrator-account-has-been-renamed-on-a-computer.aspx

     

    Regards,


    Arthur Li

    TechNet Community Support

    Friday, January 13, 2012 6:33 AM

All replies

  • All security principals (like the default administrator account) are identified by SID, which is unchanged when the object is renamed. I know that group memberships, DACLs, etc., are unaffected. I assume the same for SQL Server databases (roles, owners, service accounts), although I'd like to hear an SQL expert chime in here. The exception would be cases like scripts where the user name has been hardcoded.

    Of course, that's why renaming the account doesn't provide much protection. The account is easy to find by well-known SID.

     


    Richard Mueller - MVP Directory Services
    Friday, January 13, 2012 2:13 AM
  • Hi,

    I second Richards response, there should be no ramifications in re-naming the account as there is an underlying ID which will point to the correct account.

     

    Kind Regards,

    Martin

     


    If you find my information useful, please rate it. :-)
    Friday, January 13, 2012 2:15 AM
  • Hi,

     

    Please refer to the following Microsoft KB article:

     

    Well-known security identifiers in Windows operating systems

    http://support.microsoft.com/kb/243330

     

    SID: S-1-5-21domain-500

    Name: Administrator

    Description: A user account for the system administrator. By default, it is the only user account that is given full control over the system.

     

    In addition, you may also use script to find out the renamed administrator account.

     

    For more information, please refer to the following Microsoft TechNet blog:

     

    How Can I Determine if the Local Administrator Account has been Renamed on a Computer?

    http://blogs.technet.com/b/heyscriptingguy/archive/2005/07/22/how-can-i-determine-if-the-local-administrator-account-has-been-renamed-on-a-computer.aspx

     

    Regards,


    Arthur Li

    TechNet Community Support

    Friday, January 13, 2012 6:33 AM
  • HI Folks

     

    thanks very much for your time and input.

    it as very helpul

    i checked with an sql forum and they also advised there shoul dbe no issues except that and databases created with the account shold be renamed.

    i checked with oracle and they also said it should not be an issue

    I had read some of these articles prior to my post and also confirmed the account to be the default administrator account

    it is my understanding that the default administrator account "CANNOT" be deleted. Is this a true statement ?

     

    Thanks

    Jim

    Wednesday, January 18, 2012 6:41 PM
  • Hi,

     

    Yes, it is not recommended to delete the built-in administrator.

     

    Regards,

     

    Arthur Li

     TechNet Subscriber Support 

    If you are TechNet Subscription  user and have any feedback on our support quality, please send your feedback here .


    Arthur Li

    TechNet Community Support

    Friday, January 20, 2012 2:00 AM