Problem

You want to rename the administrator and guest accounts on your systems. This is a good practice because these two default accounts are often the target of attackers.

Solution

Using a graphical user interface

To rename a domain administrator or guest account, do the following:
To rename a local administrator or guest account, do the following:
Using a command-line interface

To rename a domain administrator account, use the dsmove.exe command. The following shows the basic syntax:

    > dsmove "cn=administrator,cn=users,<DomainDN>" -newname "<NewName>"

For example:

    > dsmove "cn=administrator,cn=users,dc=rallencorp,dc=com" -newname "admn"

And this shows how to rename the domain guest account:

    > dsmove "cn=guest,cn=users,dc=rallencorp,dc=com" -newname "noguest"

To rename local accounts, use the cusrmgr.exe utility from the Windows 2000 Resource Kit:

    > cusrmgr -m \\<SystemName> -u administrator -r <NewName>

For example:

    > cusrmgr -m \\srv01 -u administrator -r admn

And to rename the local guest account:

    > cusrmgr -m \\<SystemName> -u guest -r <NewName>

For example:

    > cusrmgr -m \\srv01 -u guest -r noguest

Using VBScript

    ' This code renames a domain account.
    ' ------ SCRIPT CONFIGURATION ------
    strObjectOldName = "<OldName>"             ' e.g. administrator
    strObjectNewName = "<NewName>"             ' e.g. RallencorpAdmin
    strCurrentParentDN = "<CurrentParentDN>"   ' e.g. cn=users,dc=rallencorp,dc=com
    ' ------ END CONFIGURATION ---------
    ' Bind to the parent container and rename the object in place by
    ' "moving" it to a new RDN inside the same container.
    set objCont = GetObject("LDAP://" & strCurrentParentDN)
    objCont.MoveHere "LDAP://cn=" & strObjectOldName & "," & _
                     strCurrentParentDN, "cn=" & strObjectNewName
    WScript.Echo strObjectOldName & " successfully renamed"

    ' This code renames a local account.
    ' ------ SCRIPT CONFIGURATION ------
    strComputer = "<SystemName>"   ' e.g. srv01
    strOldName = "<OldName>"       ' e.g. Guest
    strNewName = "<NewName>"       ' e.g. RallencorpGuest
    ' ------ END CONFIGURATION ---------
    ' Bind to the computer and to the existing user via the WinNT provider,
    ' then rename the user by "moving" it within the same computer.
    set objComp = GetObject("WinNT://" & strComputer)
    set objUser = GetObject("WinNT://" & strComputer & "/" & strOldName & ",user")
    set objNewUser = objComp.MoveHere(objUser.ADsPath, strNewName)
    WScript.Echo "Successfully renamed account"

Discussion

You can also rename the administrator and guest accounts using Active Directory Group Policy or the Local Policy. To do so with Group Policy, do the following:
If you are worried about using an obscure name for your administrator account, such as vadar, and later forgetting what you used, you can always discover the name by looking up the account by its SID. The Joeware tool sidtoname does exactly that. Simply pass the SID of the account to the sidtoname command, as shown here:

    D:\>sidtoname S-1-5-21-1801674531-2025429265-839522115-500
    SidToName V02.00.00cpp Joe Richards (joe@joeware.net) March 2003

    [User]: RALLENCORP\Vadar

    The command completed successfully.

You can get a complete list of the well-known accounts and their corresponding SIDs in MS KB 243330.

You may be wondering what the point of renaming the administrator account is if its real name can be found by looking up the SID. Ultimately, attackers can find out the names of well-known accounts, but many viruses and worms have attempted to access the administrator account by name. So renaming it is still effective against less sophisticated attackers and viruses.

See Also

MS KB 243330, "Well Known Security Identifiers in Windows Server Operating Systems," and MS KB 320053, "HOW TO: Rename the Administrator and Guest Account in Windows 2000"
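The Discussion makes two points worth checking in practice: a renamed built-in account is still identifiable by its SID (the RID 500 and 501 suffixes from MS KB 243330), and an inventory audit can therefore both recover the current name of the administrator account and flag systems where it was never renamed. The following is an added example, not code from the cookbook or from Joeware: it parses SID strings offline, identifies the built-in Administrator and Guest accounts by RID regardless of their current names, and reports whether each still carries its default name. The account inventory is constructed for the example (one entry reuses the SID shown above); the function names `parse_sid`, `well_known_builtin`, `audit_accounts` and `current_name_of_builtin` are this example's own.

```python
import re

# Well-known relative identifiers (RIDs) of the two built-in accounts
# (MS KB 243330). They survive any rename, so they are the reliable key.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}
DEFAULT_NAMES = {"administrator", "guest"}

# S-1-<authority>-<sub1>-<sub2>-...-<rid>
SID_RE = re.compile(r"^S-1-(?P<authority>\d+)(?P<subs>(?:-\d+)+)$")


def parse_sid(sid: str) -> tuple[int, list[int]]:
    """Split a textual SID into (identifier authority, sub-authority list)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a valid SID: {sid!r}")
    authority = int(m.group("authority"))
    subs = [int(x) for x in m.group("subs").split("-")[1:]]
    return authority, subs


def rid(sid: str) -> int:
    """The relative identifier is the last sub-authority."""
    return parse_sid(sid)[1][-1]


def is_domain_or_machine_account(sid: str) -> bool:
    """True for SIDs issued by a domain or local SAM: NT authority (5), first sub-authority 21."""
    authority, subs = parse_sid(sid)
    return authority == 5 and len(subs) >= 2 and subs[0] == 21


def well_known_builtin(sid: str):
    """Return 'Administrator' / 'Guest' for RID 500 / 501 domain or machine SIDs, else None."""
    if not is_domain_or_machine_account(sid):
        return None  # e.g. S-1-5-18 (LocalSystem) is not a SAM account
    return WELL_KNOWN_RIDS.get(rid(sid))


def audit_accounts(accounts):
    """accounts: iterable of (name, sid). Returns findings for the built-in accounts only."""
    findings = []
    for name, sid in accounts:
        builtin = well_known_builtin(sid)
        if builtin is None:
            continue
        findings.append({
            "name": name,
            "sid": sid,
            "builtin": builtin,
            # Still carrying the default name means the recipe was never applied.
            "renamed": name.lower() not in DEFAULT_NAMES,
        })
    return findings


def current_name_of_builtin(accounts, wanted_rid: int):
    """Recover the current name of a built-in account from its RID (what sidtoname does for you)."""
    for name, sid in accounts:
        if is_domain_or_machine_account(sid) and rid(sid) == wanted_rid:
            return name
    return None


# Constructed inventory: the first SID is the one shown in the Discussion; the rest are made up
# to mirror a typical export (renamed admin, untouched guest, an ordinary user, LocalSystem).
SAMPLE_ACCOUNTS = [
    ("Vadar", "S-1-5-21-1801674531-2025429265-839522115-500"),
    ("Guest", "S-1-5-21-1801674531-2025429265-839522115-501"),
    ("rallen", "S-1-5-21-1801674531-2025429265-839522115-1104"),
    ("SYSTEM", "S-1-5-18"),
]

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        status = "renamed" if f["renamed"] else "STILL DEFAULT NAME"
        print(f'{f["builtin"]:<13} -> {f["name"]:<8} ({f["sid"]}) {status}')
    print("RID 500 is currently named:", current_name_of_builtin(SAMPLE_ACCOUNTS, 500))
```

Feed it a real inventory (name and SID per account, as exported from a directory or local SAM) and the "STILL DEFAULT NAME" rows are the systems where this recipe has not been applied; the RID-based lookup is also what keeps a deliberately obscure administrator name from ever being truly lost.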