Solved

Rename Local Administrator Account every 45 Days

Posted on 2012-04-10
7
558 Views
Last Modified: 2012-04-10
I have been tasked with creating GPO to change the name of the "Local Administrator" account on computers and laptops in our domain every 45 days. The reason for this is that we don't want former employees going to the competition with this access to our computers. It is a security vulnerability and we are working to eliminate this risk.

I have found the following article that walks one through creating the GPO. Rename Local Administrator Account

What I don't see is how I would make this change occur every 45 days. Would I have to manually update the GPO with a new username and then allow it to update? Additionally, While this will work for computers actively on the domain and logging in, how do I update the mobile users who only log onto the VPN? Will the GP apply to their computer when they login through the VPN?

Furthermore, the issue I foresee is that some machines will not check-in given their remote situation and when our technicians have to troubleshoot their particular systems they may be one, two or three names behind and this will surely create a nightmare to keep up with.

Is there a better solution to this issue that I am not aware of? How do other companies handle this situation?

Thank you for any suggestions.

Marcus
0
Comment
Question by:P0larb3ar
7 Comments
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 400 total points
ID: 37829145
A more secure solution would be to disable the local administrator account completely. If needed, it can be re-enabled by starting the machine in safe mode.

If you are looking for additional security with stolen laptops, you should consider using hardware level encryption. Windows 7 Enterprise/Ultimate supports Bitlocker.
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 37829147
Short of writing a program, you'd have to do this manually.  Yes, it could/would apply to mobile users as well.  Yes, you may need to try more than one name before you find the right one.

That said, unless your competition has access to your computers, their knowing what you call the Local Administrator doesn't amount to much.  Moreover, they'd still not know the password.  If people outside your network can readily access your desktops, I'd put more emphasis on security there.
0
 
LVL 6

Assisted Solution

by:airborne1128
airborne1128 earned 100 total points
ID: 37829152
You could set up a scheduled task to run the GPO every 45 days.  Becareful though...you should leave a way to get back in, in the even the admin account gets jacked up.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37829156
"Is there a better solution to this issue that I am not aware of? How do other companies handle this situation?"

Yes disable local administrative rights altogether. Having administrative rights just makes it vulnerable as it's that much easier for viruses/malware to enter their systems.
0
 

Author Comment

by:P0larb3ar
ID: 37829441
Sounds like the census is to disable the administrator account. What if I were to disable the "administrator" account and use restricted groups to remove everyone but domain admins and a technical support group? That way, only specific and current users would have access as local admins? Does anyone see any flaws with this idea?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37829536
You will want to educate your users on why they should not be local admins. We phrased it as we were protecting them from viruses. We sent out regular emails detailing the lack of viruses after removing administrative rights.

Also make sure you have the support of higher ups (VPs, CIO, CEO, etc).
0
 

Author Closing Comment

by:P0larb3ar
ID: 37830440
I appreciate the advice.
0

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now