Which group policy to rename Administrator account?

Guest

We used the "Default Domain Policy" to rename the Administrator account for the domain. That worked fine and well. However, that trickled down to the local Administrator accounts of ALL the workstations. I went crazy trying to figure out why I couldn't log on locally to a workstation that I knew the administrator password to. I finally figured out that it was the policy. My question is, if I revert my "Default Domain Policy" to "not defined", then make the policy change at the "Default Domain Controllers" policy level, would this then ONLY change the Administrator name at the Domain controller level? I do not want my workstations to have the same local Administrator account name as the domain controllers. I have instances where I have to log on as the local administrator of certain PCs.

Anyway, if I am wrong about this, can someone tell me how I can accomplish my task of keeping my workstation local administrator accounts as they are, while changing my domain administrator account name?

Thank you,
Vinny Hahn
 
Guest

I believe you are correct with the "Default Domain Controllers" setting

But if you want to be 100% sure, just change the local policy on the DCs
 
Guest

Hi Steve and thanx for the reply. In case my first idea doesn't work, I checked the local policy of one of my DC's. Under the "local setting" column it says "not defined", under the "Effective Setting" column it has the new administrator name. Do you think that if I defined the setting here to the new name, then went back to my "Default Domain Policy" and changed that back to "Not Defined", that would fix this issue for me? And would I have to repeat this process on all of my DC's?

Thanx
Vinny
 
Guest

The local policy change will apply to that machine only and will have to be done on each machine. A bit of a pain, but the next logical step if the "default domain controller" policy setting doesn't work.
 
Paul Adare

microsoft.public.win2000.security news group, Vinny H wrote:

> My question is, if I revert my "Default Domain Policy" to "not defined",
> then make the policy change at the "Default Domain Controllers" policy level,
> would this then ONLY change the Administrator name at the Domain controller
> level? I do not want my workstations to have the same local Administrator
> account name as the domain controllers. I have instances where I have to log
> on as the local administrator of certain PCs.

Yes, that will work, however, you need to be aware that setting the
policy to "Not Defined" at the domain level will not revert the
workstation Administrator accounts back to what they were before.
 
Guest

Thanx Paul. I just made this change and we'll see what happens. I'm keeping my fingers crossed.

You mentioned that the workstations would not revert back to "Administrator". Is there a way to do this across the board without hitting every PC? What if I defined rename Administrator account in the "Default Domain" policy to "Administrator"? I'm sure that would change them back, but would it leave my DC's new admin account name alone since it is defined in the "Default Domain Controllers" policy? Which one would take precedence for the Administrator account on the DC's?

Thanx
Vinny Hahn
 
Paul Adare

microsoft.public.win2000.security news group, Vinny H wrote:

> Thanx Paul. I just made this change and we'll see what happens. I'm keeping my fingers crossed.
>
> You mentioned that the workstations would not revert back to "Administrator".
> Is there a way to do this across the board without hitting every PC? What if I
> defined rename Administrator account in the "Default Domain" policy to
> "Administrator"?

That will work. However, since this is really a "one time" change,
you're likely better off creating a new GPO and linking it to the domain
in order to push this change out. You really want to avoid messing with
the default GPOs as much as is possible.

> I'm sure that would change them back, but would it leave
> my DC's new admin account name alone since it is defined in the "Default
> Domain Controllers" policy? Which one would take precedence for the
> Administrator account on the DC's?

You may want to read some of the excellent GP white papers on the MS web
site, but in a nutshell, the GPOs that are linked closest to the targets
take precedence. So, in your case, your DCs would not be affected.
 
Guest

Thanx Paul. This is a big help. I'll try creating a new GPO and define the Administrator account there. After I feel that the new policy has been pushed to all the workstations, I should be able to remove this new GPO. Correct?

I'll look at the white papers too

Thanx
Vinny
 
Paul Adare

microsoft.public.win2000.security news group, Vinny H wrote:

> Thanx Paul. This is a big help. I'll try creating a new GPO and define the Administrator account there. After I feel that the new policy has been pushed to all the workstations, I should be able to remove this new GPO. Correct?

Absolutely, and you're welcome!
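
An added example, not part of the original thread: one way to confirm that the temporary revert GPO has reached every workstation before unlinking it is to look up the built-in Administrator account by its RID (500), which stays the same whatever the account is renamed to. The computer names are placeholders, and the script assumes a current PowerShell with CIM/WinRM reachable on the workstations.

```powershell
# Added example (not from the thread). Reports the current name of the built-in
# Administrator account (RID 500) on each workstation.
# Assumptions: computer names are placeholders; CIM/WinRM is reachable on targets.
param(
    [string[]]$Computers = @('WKS-EXAMPLE-01', 'WKS-EXAMPLE-02'),
    [string]$Expected = 'Administrator'
)

$results = foreach ($computer in $Computers) {
    try {
        # LocalAccount = TRUE keeps the query to the machine's own SAM database.
        # The built-in Administrator always has a SID ending in -500, so the
        # lookup works whatever the account is currently called.
        $admin = Get-CimInstance -ClassName Win32_UserAccount -ComputerName $computer `
                     -Filter 'LocalAccount = TRUE' -ErrorAction Stop |
                 Where-Object { $_.SID -match '^S-1-5-21-.+-500$' }

        [pscustomobject]@{
            Computer  = $computer
            AdminName = $admin.Name
            Reverted  = ($admin.Name -eq $Expected)
            Error     = $null
        }
    }
    catch {
        # An unreachable machine may not have applied the GPO yet: count it as pending.
        [pscustomobject]@{
            Computer  = $computer
            AdminName = $null
            Reverted  = $false
            Error     = $_.Exception.Message
        }
    }
}

$results | Sort-Object Reverted, Computer | Format-Table -AutoSize

$pending = @($results | Where-Object { -not $_.Reverted })
if ($pending.Count -eq 0) {
    'All listed workstations report the expected name.'
} else {
    "$($pending.Count) workstation(s) still pending; keep the GPO linked."
}
```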
 
