Renaming the Local Admin Account

    Question

  • Hello,
    I have a Windows Server 2008 R2 environment and I would like to rename the local Administrator account on newly joined AD machines. Seems easy, but here is where it becomes a challenge: the local Administrator account is already created on the target computer before it joins the domain.

    I have also tried using Restricted Groups and “Accounts: rename Administrator account” under Local Policies/Security Options, pointing it to my already created admin user, but I get an error in Event Viewer: 4098 “Group Policy did not apply because the account already exists”.
    The GPO I created does not update the local admin account; instead, it now has 3 accounts under the Administrators group: Domain Admins, "localadmin", Administrator.
    Thus, I am seeking to only have 2 accounts under the Administrators group and rename the local Admin account, not add the existing account as a third user in that group. I would also like to mention that I dabbled a bit with GPPreferences without success; it seems that the above keys give me a more desired result, but not exactly what I need. Not sure if this is even possible.
    Hope this makes sense, any assistance is appreciated.

    Tuesday, June 2, 2015 4:42 PM

Answers

  • > 1-I want to be able to remove all users on the "Administrators" group
    > except our Domain admins and the oneadmin account.
     
    You cannot remove the builtin Administrator, nor can you delete it :)
     
    > 2-  The Builtin Administators account needs to be renamed to "oneadmin".
     
    Then delete this "oneadmin" (GPP "local users and groups" can do this
    for you). If you afterwards renamed the builtin "Administrator" to
    "oneadmin" and your deletion happens again, it will not work, because -
    see above :)
     

    Greetings, Martin

    How about reading a good book on GPOs for once?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by prisoner107 Thursday, June 4, 2015 2:15 PM
    Wednesday, June 3, 2015 2:05 PM

All replies

  • > The local Administrator account is already created on the target
    > computer before it joins the domain.
     
    Which account is "already created"? What do you want to achieve? Each
    Windows computer already has a builtin, undeletable and unlockable
    administrator account S-1-5-21-xxxx-500. This is the one you can rename
    through GPO.
     

    Greetings, Martin

    How about reading a good book on GPOs for once?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, June 3, 2015 1:20 PM
  • I apologize if I wasn't so clear.

    The account that I mentioned that is already created is a "new account" that we create on all our new Windows 7 machines, we can call it "oneadmin" for now.

    1-I want to be able to remove all users on the "Administrators" group except our Domain admins and the oneadmin account.

    2- The Builtin Administrators account needs to be renamed to "oneadmin".

    I don't want to delete the Builtin admin account, just need to rename it, but since oneadmin already exists on the machine when we join it to the domain, my GPO errors out saying “Group Policy did not apply because the account already exists”.

    I was hoping someone can guide me and let me know what steps to take to create a working GPO that doesn't error out, and like I said, the GPOs that I have created leave 3 accounts in the Administrators group in each machine's Local Users and Groups, which is not what I want to achieve.

    Renaming the Builtin Admin account is simple via GPO, but not when the account already exists under an already existing user on that machine; at least that's how I understood the error message I mentioned before (Event Viewer: 4098).

    Wednesday, June 3, 2015 1:45 PM
  • Martin,

    "Then delete this "oneadmin" (GPP "local users and groups" can do this
    for you)."

    Don't know why I just didn't do that first.

    Perfect, I got it working now. Here are the results:

    1. Delete "oneadmin" (GPPreference)

    2. Rename the Builtin Admin account to "oneadmin" (GPPreference)

    3. Remove all Administrators members except "oneadmin" and Domain Admins (Restricted Groups)

    Got my desired results! thank you!

    Thursday, June 4, 2015 2:15 PM
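As an added verification script (not from the thread), the following PowerShell checks a single machine for the end state described in the three steps above: the RID-500 builtin Administrator renamed to "oneadmin" (the assumed name), no leftover separate local "oneadmin", and the Administrators group holding only that account plus Domain Admins. It uses WMI and the WinNT ADSI provider rather than Get-LocalUser, so it runs on PowerShell 2.0 as shipped with Windows 7 and Server 2008 R2.

```powershell
# Added example, not from the thread. Assumed names; adjust for your environment.
$ExpectedAdminName = 'oneadmin'
$AllowedMembers    = @('oneadmin', 'Domain Admins')

function Get-LocalAccountsByWmi {
    # Local accounts only; without this filter Win32_UserAccount also walks the domain.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"
}

function Get-BuiltinAdministrator {
    # The builtin Administrator keeps RID 500 whatever it is renamed to,
    # so identify it by SID suffix rather than by name.
    Get-LocalAccountsByWmi | Where-Object { $_.SID -like '*-500' } | Select-Object -First 1
}

function Get-LocalAdministratorsMembers {
    # Members of the local Administrators group via the WinNT ADSI provider (PS 2.0 safe).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{
            Name   = $name
            Source = $(if ($path -like "WinNT://$env:COMPUTERNAME/*") { 'Local' } else { 'Domain' })
        }
    }
}

function Test-AdminAccountState {
    $problems = @()
    $builtin  = Get-BuiltinAdministrator
    if ($builtin.Name -ne $ExpectedAdminName) {
        $problems += "RID-500 account is named '$($builtin.Name)', expected '$ExpectedAdminName'"
    }
    # A local "oneadmin" that is NOT RID 500 means the rename never happened: the
    # pre-existing account blocked it, which is the event 4098 situation in the thread.
    $leftover = Get-LocalAccountsByWmi | Where-Object { $_.Name -eq $ExpectedAdminName -and $_.SID -notlike '*-500' }
    if ($leftover) { $problems += "A separate local '$ExpectedAdminName' account still exists" }
    foreach ($u in (Get-LocalAdministratorsMembers | Where-Object { $AllowedMembers -notcontains $_.Name })) {
        $problems += "Unexpected Administrators member: $($u.Source)\$($u.Name)"
    }
    if ($problems.Count -eq 0) { 'OK: machine matches the intended GPO result' } else { $problems }
}

Test-AdminAccountState
```

Run it after a gpupdate on a test machine; any line other than the OK message names exactly which of the three steps did not take effect.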