Recipe 17.3. Renaming the Administrator and Guest Accounts


Problem

You want to rename the administrator and guest accounts on your systems. This is a good practice because these two default accounts are often the target of attackers.

Solution

Using a graphical user interface

To rename a domain administrator or guest account, do the following:

  1. From Administrative Tools, open the Active Directory Users and Computers snap-in.

  2. In the left pane, browse to the Users container and click on it.

  3. In the right pane, right-click the administrator or guest account and select Rename.

  4. Type the new name for the account and hit Enter.

To rename a local administrator or guest account, do the following:

  1. From Administrative Tools, open the Computer Management snap-in.

  2. In the left pane, expand System Tools → Local Users and Groups → Users.

  3. Type the new name for the account and press Enter.

Using a command-line interface

To rename a domain administrator account, use the dsmove.exe command. The following shows the basic syntax:

> dsmove "cn=administrator,cn=users,<DomainDN>" -newname "<NewName>"

For example:

> dsmove "cn=administrator,cn=users,dc=rallencorp,dc=com" -newname "admn"

And this shows how to rename the domain guest account:

> dsmove "cn=guest,cn=users,dc=rallencorp,dc=com" -newname "noguest"

To rename local accounts, use the cusrmgr.exe utility from the Windows 2000 Resource Kit:

> cusrmgr -m \\<SystemName> -u administrator -r <NewName>

For example:

> cusrmgr -m \\srv01 -u administrator -r admn

And to rename the local guest account:

> cusrmgr -m \\<SystemName> -u guest -r <NewName>

For example:

> cusrmgr -m \\srv01 -u guest -r noguest

Using VBScript

' This code renames a domain account.
' ------ SCRIPT CONFIGURATION ------
strObjectOldName   = "<OldName>"         ' e.g. administrator
strObjectNewName   = "<NewName>"         ' e.g. RallencorpAdmin
strCurrentParentDN = "<CurrentParentDN>" ' e.g. cn=users,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

' Bind to the parent container and rename the object in place.
set objCont = GetObject("LDAP://" & strCurrentParentDN)
objCont.MoveHere "LDAP://cn=" & strObjectOldName & "," & _
                 strCurrentParentDN, "cn=" & strObjectNewName
WScript.Echo strObjectOldName & " successfully renamed"

' This code renames a local account.
' ------ SCRIPT CONFIGURATION ------
strComputer = "<SystemName>"   ' e.g. srv01
strOldName = "<OldName>"       ' e.g. Guest
strNewName = "<NewName>"       ' e.g. RallencorpGuest
' ------ END CONFIGURATION ---------

' Bind to the computer and the user, then rename the user through the WinNT provider.
set objComp = GetObject("WinNT://" & strComputer)
set objUser = GetObject("WinNT://" & strComputer & "/" & strOldName & ",user")
set objNewUser = objComp.MoveHere(objUser.ADsPath, strNewName)
WScript.Echo "Successfully renamed account"

Discussion

You can also rename the administrator and guest accounts using Active Directory Group Policy or the Local Policy. To do so with Group Policy, do the following:

  1. Edit the target GPO with the Group Policy Object Editor.

  2. Navigate to Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.

  3. Check the box beside Define this policy setting and type in the new name for the account.

  4. Click OK.

If you are worried about giving your administrator account an obscure name like vadar and later forgetting it, you can always discover the name by looking up the account by SID. The Joeware tool sidtoname does the job. Simply pass the SID of the account to the sidtoname command, as shown here:

D:\>sidtoname S-1-5-21-1801674531-2025429265-839522115-500
SidToName V02.00.00cpp Joe Richards (joe@joeware.net) March 2003
[User]: RALLENCORP\Vadar
The command completed successfully.

You can get a complete list of the well-known accounts and their corresponding SIDs in MS KB 243330.

You may be wondering, since you can find out the actual administrator account name by looking up the SID, what the point is of renaming it. Ultimately, attackers can find out the name of well-known accounts, but there are still many viruses and worms that have attempted to access the administrator account by name. So this is still effective against less sophisticated attackers and viruses.
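The same SID-based lookup can be used to check that a rename actually took effect on each system. The following PowerShell is an added example, not code from the book: the host list and the function name Get-BuiltinAccountStatus are assumptions, and it assumes English default account names and hosts reachable over WinRM.

```powershell
# Added audit example (not from the book). Host names below are hypothetical.
$computers = @('srv01')   # assumption: systems you administer, reachable over WinRM

# RID 500 = built-in Administrator, RID 501 = built-in Guest (see MS KB 243330).
# Assumption: English default names; localized builds ship different defaults.
$defaults = @{ '500' = 'Administrator'; '501' = 'Guest' }

function Get-BuiltinAccountStatus {
    param([string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            # Local accounts only; domain accounts are looked up in the directory instead.
            $accounts = Get-CimInstance -ClassName Win32_UserAccount `
                -Filter "LocalAccount=True" -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "$computer : query failed: $($_.Exception.Message)"
            continue
        }

        foreach ($account in $accounts) {
            # The RID is the last dash-separated field of the SID.
            $rid = ($account.SID -split '-')[-1]
            if (-not $defaults.ContainsKey($rid)) { continue }

            [pscustomobject]@{
                Computer    = $computer
                Rid         = $rid
                CurrentName = $account.Name
                Disabled    = $account.Disabled
                # -ne is case-insensitive, so "administrator" still counts as not renamed.
                Renamed     = ($account.Name -ne $defaults[$rid])
            }
        }
    }
}

Get-BuiltinAccountStatus -ComputerName $computers | Format-Table -AutoSize
```

Rows with Renamed set to False identify systems where the policy or script has not been applied.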

See Also

MS KB 243330, "Well Known Security Identifiers in Windows Server Operating Systems," and MS KB 320053, "HOW TO: Rename the Administrator and Guest Account in Windows 2000"



Windows XP Cookbook
ISBN: 0596007256
Year: 2006
Pages: 408
