
Change local username and password via Group Policy

For Windows administrators, a common practice is to have a local username and password for administration when cached credentials are not available. Learn how to change an existing configuration.

In a previous TechRepublic tip, I showed how to deploy a local account via Group Policy. While deploying an account is a common activity for Windows administrators, the next most frequent task is changing existing accounts.

Windows administrators have many approaches to addressing the local administrator user account. Default installations provide Windows servers with a username called Administrator, and I have been asked many times what to do with this username. Common configuration options are to leave the username as-is with a complex password, disable it, rename it, or remove it.

In most situations, I see a use case for a local administrative account when an Active Directory domain is in place, primarily for troubleshooting. Working with the default installation of Windows, I consider Group Policy the best way to address this. You could also use security templates, but Group Policy is a central way to manage the single setting, and it can be applied to match various Organizational Unit (OU) configurations.

To rename the local Administrator account, Group Policy offers a user and group configuration tool in the Computer Configuration | Preferences | Control Panel Settings | Local Users And Groups section of the Group Policy Editor. The update action will rename the Administrator user (Figure A) for a Windows Server 2008 R2 domain.

In this dialog box, you can set a password for the local account, enter a description, set the password expiration, or set the password to change at the next logon. For computer settings, the Group Policy refresh interval is every 90 minutes for default configurations. To apply the settings immediately, run gpupdate /force from the command line.

This area of Group Policy also permits multiple rules to be applied. The rules are applied in order, so some consideration should be given to the sequencing of these types of tasks. The first action should be to rename the default Administrator account, and subsequent tasks, such as a password change, would be rolled out as an additional action in this section of Group Policy. Figure B shows a password change only being applied to the user who was renamed in the previous example.


If the Windows server moves out of this OU, these changes are retained in the local Windows account manager.

How do you use Group Policy to manage local passwords? Let us know in the discussion.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

10 comments
mhennessey0

Will this work if you have a 2003 DC and a 2008 R2 DC and you make the change on the 2008?

mike.panagos

Does this let you update existing accounts?

scott

Is there a way to build a GPO for Server 2003 that will work with XP workstations?

Malcolm R

You need the 2008 AD extensions and a Windows 7 machine to manage the policies, but the DCs can remain at 2003.

Malcolm R

You'll also need to install the Group Policy Preferences extensions from Microsoft on any pre-Vista/2008 clients (XP, Server 2003).

bwgordon

From MS Help: "Password: Type the password used when creating, replacing, or updating a local user. Type the same password in the Confirm Password box. Security Note: This password is stored as part of the GPO in SYSVOL and is discoverable, although obscured. If you choose to store passwords in preference items, you should consider creating dedicated accounts for this purpose, and never store administrative passwords in preference items."
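
The Microsoft security note quoted in the comment above says a password set in a preference item is kept in the GPO in SYSVOL. As an added example (not from the article or its comments), this PowerShell audit lists preference items that still carry one without printing the stored value. The function name `Find-GppStoredPassword`, the `cpassword` attribute name (taken from the Group Policy Preferences XML format, not from this page) and the sample GPO folder and XML are assumptions constructed for the demo.

```powershell
# Added example: list Group Policy Preferences items that carry a stored
# password (a non-empty cpassword attribute). The value itself is never output.
function Find-GppStoredPassword {
    param([Parameter(Mandatory = $true)][string]$PoliciesPath)

    Get-ChildItem -Path $PoliciesPath -Recurse -File -Filter '*.xml' |
    ForEach-Object {
        $file = $_
        try { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop) }
        catch { Write-Warning "Skipping unparseable file: $($file.FullName)"; return }

        # The GPO GUID is the {GUID} folder name in the file's path.
        $gpo = '(unknown)'
        if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $gpo = $Matches[0] }

        # Descendants of the root element whose cpassword attribute is non-empty.
        foreach ($node in $xml.SelectNodes('/*//*[string-length(@cpassword) > 0]')) {
            $item = $node.ParentNode
            [pscustomobject]@{
                Gpo     = $gpo
                File    = $file.Name
                Item    = $item.GetAttribute('name')
                Action  = $node.GetAttribute('action')
                NewName = $node.GetAttribute('newName')
                Changed = $item.GetAttribute('changed')
            }
        }
    }
}

# Constructed fixture so the example runs offline. Against a real domain, pass
# \\<domain>\SYSVOL\<domain>\Policies as -PoliciesPath instead.
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$dir  = Join-Path $root '{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2011-01-01 00:00:00">
    <Properties action="U" newName="LocalAdm" cpassword="CONSTRUCTED-PLACEHOLDER" userName="Administrator (built-in)"/>
  </User>
  <User name="LocalAdm" changed="2011-01-01 00:00:00">
    <Properties action="U" newName="" cpassword="" userName="LocalAdm"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Encoding UTF8

Find-GppStoredPassword -PoliciesPath $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Each row is a preference item whose stored password should be removed from the GPO, with the affected account's password changed afterwards; the second constructed item has an empty password field and is not reported.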
