I know some folks out there recommend not renaming the built-in administrator in Windows Server 2003. Instead, create another admin account with the same privileges and disable the built-in administrator account. But what if the situation is that I need to rename the administrator account? What would be the best procedure to do this without affecting my Exchange Server 2007, other member file servers and BlackBerry Enterprise Server? We've been using the administrator account to log in to our Windows servers as well as the other servers we have. What would be the step-by-step approach I need to follow to ensure that the moment the administrator account is renamed, my remaining servers will not crash? For sure there are certain situations where some software installed as a service in Windows would be affected, and perhaps after the administrator name has been renamed, I would need to go into each service on every Windows server I have and edit any software service that uses the administrator name to log in before restarting each server? I appreciate everyone's advice. Thank you.

GeePee

2 Answers

Group Policy.

Open Group Policy Management, and the setting is found at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

It's named Accounts: Rename administrator account. (At least at a 2008 R2 FL. The option exists on a 2003 domain, but might be named slightly differently; I don't recall off the top of my head.)

I can't think of any reason to not rename it on the Exchange server, but you can always create an OU that excludes Group Policy Inheritance and put the Exchange server in there, or use WMI filtering on the Group Policy to specifically exclude the Exchange server.

As far as installed software and services running as the Administrator account, that's both very bad, and not a default behavior on anything I'm familiar with. So, hopefully, you're worrying about nothing... and if not, it might be worth breaking that just so you can find and correct services running as the Administrator - create and use service accounts instead.

HopelessN00b
  • Thanks for the insight HopelessN00b. On GPO, will it rename the domain administrator account? Or it will only rename the local administrator account on each server? – GeePee Jan 17 '14 at 03:02
  • @GeePee [It depends, basically, on whether the domain controllers have the group policy applied to them](http://support.microsoft.com/kb/259576/en-us) (provided they're 2003 or above). So, unless you're stuck with a 2000 or lower domain, you can choose whether or not this applies to the domain admin account by controlling if it applies to DCs or not. You can change the domain admin account separately from the local admin account (which is a good idea), either via GPO or manually. If all you're worried about is the domain admin, doing it manually is easier than setting up a GPO. – HopelessN00b Jan 17 '14 at 10:05
Nothing you've described will crash. Internally, Windows uses the SID, not the display name. That name is just there to be human-readable and friendly.

MDMarra
  • Hi MDMarra. Do you mean all I need to do is just simply go to Active Directory Users and Computers, find the built-in Administrator user object and just simply right click and rename it? If so, what would be my next steps after doing that? Proceed on the rest of the server farm and look into each windows service and rename all login entries to the new administrator name before restarting each member server? – GeePee Jan 17 '14 at 01:02
  • Are you talking about your domain administrator account or the local administrator account on each server? They're two different things. – MDMarra Jan 17 '14 at 02:45
  • It's the domain administrator account. When we log into any of our member servers, whether it's Exchange, Blackberry Enterprise Server..etc, we always use the domain administrator account. – GeePee Jan 17 '14 at 03:01
  • Wait, you run a large number of services on your member servers as the built-in domain administrator? That's terrible. – MDMarra Jan 17 '14 at 03:06
  • Yup... and that is the reason why I wanted to at least correct everything that was previously configured by other admins before me. There are a couple of member servers, such as the Warehousing Server, where during the proprietary software installation on the member server, a user object was created in ADUC and that particular user object was placed in the Administrators group on the member server. So the services themselves are not using the domain administrator to connect to that software. – GeePee Jan 17 '14 at 03:15
  • In a way, the IT department are the only ones who can access the server farm. The reason why we wanted to rename the domain administrator is because of the recommendation by an external IT audit firm. – GeePee Jan 17 '14 at 03:18
  • @GeePee Well, having everyone use a single admin account is bad policy (as you seem to know), and you should work on getting separate admin accounts set up for each admin, if you haven't already. – HopelessN00b Jan 17 '14 at 10:01
  • @HopelessN00b Yes, you are absolutely right. Anyway, any recommendations/steps on how I should proceed with renaming the domain administrator account? I sure would want to do this carefully to avoid future problems. I highly appreciate your advice on this. – GeePee Jan 17 '14 at 11:46
  • @GeePee Honestly, the easiest way would be to just right click and rename the account in ADUC (Active Directory Users and Computers). Of course, the services using this account will break after the next reboot or service restart. Unfortunately, there's no way around that, except through it. You need to collect an inventory of the services and applications relying on using that account and reconfigure them. So, **before** renaming the domain admin, I would inventory these services and apps, create service accounts, and configure the services and apps to use the service account. Then rename. – HopelessN00b Jan 17 '14 at 11:52
  • If your "external IT audit firm" is recommending that you rename the built-in domain Administrator account but isn't "shitting gold bricks" that you're running a bunch of services as that account then, respectfully, I think your "external IT audit firm" needs to be fired and you need to get a real auditor ASAP. – Evan Anderson Jan 18 '14 at 05:27
  • @HopelessN00b: Services using that account will be fine if you rename the account. The SID is stored, not the account's name. Having said that, you're right in saying that the OP should create individual service accounts. – Evan Anderson Jan 18 '14 at 05:27
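The two answers above turn on the same two facts: the built-in domain Administrator is identified internally by its SID (its RID is always 500, so it can be found regardless of its current name), while the Service Control Manager stores a service's logon account as a name string (the ObjectName value under each service's registry key, surfaced as Win32_Service.StartName), which is exactly what needs inventorying before the rename. The following PowerShell script is an added example, not code from either answer or from the original thread: it resolves the built-in Administrator by SID and then lists every service on a set of member servers that logs on under that account's name. It assumes the RSAT ActiveDirectory module on the admin workstation and CIM/WinRM access to the servers; the server names in the parameter default are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original thread). Locate the built-in domain
# Administrator by its well-known RID (500) regardless of display name, then
# inventory services on member servers whose logon account references that name.
# Assumes: RSAT ActiveDirectory module, CIM/WinRM reachability to each server.

param(
    # Hypothetical server list; substitute your own or pull it from AD.
    [string[]]$ComputerName = @('EXCH01', 'FILE01', 'BES01'),
    # Where to write the inventory used to plan the service-account migration.
    [string]$ReportPath = '.\admin-service-inventory.csv'
)

# The built-in Administrator's SID is always <domain SID>-500, so resolving by
# SID gives the same object before and after any rename.
$domain   = Get-ADDomain
$adminSid = "$($domain.DomainSID.Value)-500"
$admin    = Get-ADUser -Identity $adminSid -Properties SamAccountName, UserPrincipalName
Write-Host "Built-in Administrator is currently '$($admin.SamAccountName)' (SID $adminSid)"

# Name forms under which a service's ObjectName might reference this account.
# Compare case-insensitively because ObjectName is free-form text.
$aliases = @(
    "$($domain.NetBIOSName)\$($admin.SamAccountName)",
    "$($admin.SamAccountName)@$($domain.DNSRoot)",
    $admin.UserPrincipalName
) | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique

# Win32_Service.StartName reflects the stored ObjectName string; a renamed
# account will no longer match it at the next service start, so every hit
# here is a service to move onto a dedicated service account first.
$findings = foreach ($server in $ComputerName) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -and ($aliases -contains $_.StartName.ToLowerInvariant()) } |
            Select-Object @{ n = 'Server'; e = { $server } }, Name, DisplayName, StartName, StartMode, State
    }
    catch {
        # Unreachable hosts are reported rather than silently skipped, so the
        # inventory is known to be incomplete instead of falsely clean.
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Wrote $(@($findings).Count) service entries to $ReportPath"
}
else {
    Write-Host 'No services found logging on as the built-in Administrator on the queried servers.'
}
```

Run it once before the rename to build the list of services to reconfigure, and again afterwards as a check that nothing still references the old name. Services are only one place the name can be stored; scheduled tasks (the Principal.UserId of each task from Get-ScheduledTask), IIS application pool identities and any application's own stored credentials need the same treatment, and those are easiest to find by the same approach of matching on the account's name forms rather than its SID.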