Change local username and password via Group Policy

For Windows administrators, a common practice is to have a local username and password for administration when cached credentials are not available. Learn how to change an existing configuration.

In a previous TechRepublic tip, I showed how to deploy a local account via Group Policy. While deploying an account is a common activity for Windows administrators, the next most frequent task is changing existing accounts.

Windows administrators have many approaches to addressing the local administrator user account. Default installations provide Windows servers with a username called Administrator, and I have been asked many times about what to do with this username. Common configuration options are to leave the username as-is with a complex password, disable it, rename it, and remove it.

In most situations, I see a use case for a local administrative account when an Active Directory domain is in place, primarily for troubleshooting. Working with the default installation of Windows, I consider the best way to address this is via Group Policy. You could also use security templates, but Group Policy is a central way to manage the single setting, and it can be applied to match various Organizational Unit (OU) configurations.

To rename the local Administrator account, Group Policy offers a user and group configuration tool in the Computer Configuration | Preferences | Control Panel Settings | Local Users And Groups section of the Group Policy Editor. The update action will rename the Administrator user (Figure A) for a Windows Server 2008 R2 domain. Figure A

In this dialog box, you can: set a password for the local account, enter a description, set the password expiration, or set the password to change at the next logon. For computer settings, the Group Policy refresh interval is every 90 minutes for default configurations. This can be reset immediately with the gpupdate /force entry from the command line.

This area of Group Policy also permits multiple rules to be applied. There is an order that is applied, and some consideration should be given to the sequencing of these types of tasks. The first action should be to rename the default Administrator account, and subsequent tasks, such as a password change, would be rolled out as an additional action in this section of Group Policy. Figure B shows a password change only being applied to the user who was renamed in the previous example. Figure B

Click the image to enlarge.

If the Windows server were to move out of this OU, these changes are retained in the local Windows account manager.

How do you use Group Policy to manage local passwords? Let us know in the discussion.

About Rick Vanover

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

Editor's Picks