Re: Remove Administrator Account from Administrators Group

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Just for your information, renaming the administrator account is not really
a security option since it will still have same SID.

--
G Johansson
fantomen@xxxxxxxxxxxxxxx
http://GPfaq.se


"Thomas M." <NoEmailReplies@xxxxxxxxxx> skrev i meddelandet
news:%23iWcSTQ6HHA.1208@xxxxxxxxxxxxxxxxxxxxxxx
Yep. That part I got. I was just not seeing where to find the policy to
rename the local Administrator account. I'm trying Mathieu's suggestion
for that, and will post back here once I have tested it.

--Tom

"Paul O" <polson@xxxxxxxxx> wrote in message
news:ui9eVvP6HHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
I use GPMC Computer Config>Windows Settings>Security Settings>Restricted
Groups to add or remove local groups from the local admin group.
Look up 'Restricted Groups' on MS or the web for more info.

PaulO

"Thomas M." <NoEmailReplies@xxxxxxxxxx> wrote in message
news:u7zTcgM6HHA.3716@xxxxxxxxxxxxxxxxxxxxxxx
We are in the process of creating a group policy that will limit user
rights on the desktop. A major element of our group policy is that it
will push down the local Administrators group, which will contain a
domain group for Network Administrators so that we will have
administrator rights to all machines. Currently, the local
Administrator account is a member of the Administrators group that is
pushed down by the group policy. Our security officer would like us to
either remove the local Administrator account from the group policy, or
push it down under a different name. In other words, if you were to
logon to a PC that gets the group policy, and check the local
Administrators group, you would not see the local Administrator account
listed as a member, but you might see an account called something like
"SecureDesktop" that would be the local Administrator account under a
different name.

Given that you can't manually remove the local Administrator account
from the local Administrators group (you get a message akin to, "This
action is not allowed for built-in accounts"), I would say that what our
security officer is asking may not be possible. However, I am very new
to group policies and thought that I should seek some expert advice on
whether or not this can be achieved through a group policy.

Is there a way through a group policy to remove the local Administrator
account from the local Administrators group, or to push it down under a
different name?

--Tom







.

Relevant Pages

  • Re: Renaming the local Administrator account on Windows XP Pro
    ... >> the local Administrator account with a randomly generated name. ... >> This will generate a random strong password for the local Administrator ... > The script below will generate a 15 characters long random user name ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Possible security issue??
    ... Does it work when the built in local administrator account is used which is ... Are there and errors/warnings in the logs that you can ...
    (microsoft.public.win2000.security)
  • Administrator password during WinXP installation?
    ... password when WinXP Professional boots up to the WinXP ... Professional installation for the Administrator account ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Remove Administrator Account from Administrators Group
    ... Accounts: Rename administrator account ... A major element of our group policy is that it ...
    (microsoft.public.windows.group_policy)
  • Re: Help - administrator locked out!
    ... a DC the local administrator account 'goes away'. ... pretty sure I should be able to remember the local admin password. ... The Administrator account shouldn't have it's password set to expire ... I'm not knocking your career choice but it's your practices that got ...
    (microsoft.public.windows.server.general)