Solved

Rename Local Administrator Account every 45 Days

Posted on 2012-04-10
7
571 Views
Last Modified: 2012-04-10
I have been tasked with creating GPO to change the name of the "Local Administrator" account on computers and laptops in our domain every 45 days. The reason for this is that we don't want former employees going to the competition with this access to our computers. It is a security vulnerability and we are working to eliminate this risk.

I have found the following article that walks one through creating the GPO. Rename Local Administrator Account

What I don't see is how I would make this change occur every 45 days. Would I have to manually update the GPO with a new username and then allow it to update? Additionally, While this will work for computers actively on the domain and logging in, how do I update the mobile users who only log onto the VPN? Will the GP apply to their computer when they login through the VPN?

Furthermore, the issue I foresee is that some machines will not check-in given their remote situation and when our technicians have to troubleshoot their particular systems they may be one, two or three names behind and this will surely create a nightmare to keep up with.

Is there a better solution to this issue that I am not aware of? How do other companies handle this situation?

Thank you for any suggestions.

Marcus
0
Comment
Question by:P0larb3ar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 400 total points
ID: 37829145
A more secure solution would be to disable the local administrator account completely. If needed, it can be re-enabled by starting the machine in safe mode.

If you are looking for additional security with stolen laptops, you should consider using hardware level encryption. Windows 7 Enterprise/Ultimate supports Bitlocker.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37829147
Short of writing a program, you'd have to do this manually.  Yes, it could/would apply to mobile users as well.  Yes, you may need to try more than one name before you find the right one.

That said, unless your competition has access to your computers, their knowing what you call the Local Administrator doesn't amount to much.  Moreover, they'd still not know the password.  If people outside your network can readily access your desktops, I'd put more emphasis on security there.
0
 
LVL 6

Assisted Solution

by:airborne1128
airborne1128 earned 100 total points
ID: 37829152
You could set up a scheduled task to run the GPO every 45 days.  Becareful though...you should leave a way to get back in, in the even the admin account gets jacked up.
0
Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37829156
"Is there a better solution to this issue that I am not aware of? How do other companies handle this situation?"

Yes disable local administrative rights altogether. Having administrative rights just makes it vulnerable as it's that much easier for viruses/malware to enter their systems.
0
 

Author Comment

by:P0larb3ar
ID: 37829441
Sounds like the census is to disable the administrator account. What if I were to disable the "administrator" account and use restricted groups to remove everyone but domain admins and a technical support group? That way, only specific and current users would have access as local admins? Does anyone see any flaws with this idea?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37829536
You will want to educate your users on why they should not be local admins. We phrased it as we were protecting them from viruses. We sent out regular emails detailing the lack of viruses after removing administrative rights.

Also make sure you have the support of higher ups (VPs, CIO, CEO, etc).
0
 

Author Closing Comment

by:P0larb3ar
ID: 37830440
I appreciate the advice.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question