Solved

Rename Local Administrator Account every 45 Days

Posted on 2012-04-10
Last Modified: 2012-04-10
I have been tasked with creating a GPO to change the name of the "Local Administrator" account on computers and laptops in our domain every 45 days. The reason for this is that we don't want former employees going to the competition with this access to our computers. It is a security vulnerability and we are working to eliminate this risk.

I have found the following article that walks one through creating the GPO: "Rename Local Administrator Account".

What I don't see is how I would make this change occur every 45 days. Would I have to manually update the GPO with a new username and then allow it to update? Additionally, while this will work for computers actively on the domain and logging in, how do I update the mobile users who only log onto the VPN? Will the GP apply to their computer when they log in through the VPN?

Furthermore, the issue I foresee is that some machines will not check in given their remote situation, and when our technicians have to troubleshoot their particular systems they may be one, two or three names behind, and this will surely create a nightmare to keep up with.

Is there a better solution to this issue that I am not aware of? How do other companies handle this situation?

Thank you for any suggestions.

Marcus
Question by:P0larb3ar
7 Comments
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 1200 total points
ID: 37829145
A more secure solution would be to disable the local administrator account completely. If needed, it can be re-enabled by starting the machine in safe mode.

If you are looking for additional security with stolen laptops, you should consider using hardware level encryption. Windows 7 Enterprise/Ultimate supports BitLocker.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37829147
Short of writing a program, you'd have to do this manually.  Yes, it could/would apply to mobile users as well.  Yes, you may need to try more than one name before you find the right one.

That said, unless your competition has access to your computers, their knowing what you call the Local Administrator doesn't amount to much.  Moreover, they'd still not know the password.  If people outside your network can readily access your desktops, I'd put more emphasis on security there.
0
 
LVL 6

Assisted Solution

by:airborne1128
airborne1128 earned 300 total points
ID: 37829152
You could set up a scheduled task to run the GPO every 45 days. Be careful though... you should leave a way to get back in, in the event the admin account gets jacked up.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37829156
"Is there a better solution to this issue that I am not aware of? How do other companies handle this situation?"

Yes, disable local administrative rights altogether. Having administrative rights just makes it vulnerable as it's that much easier for viruses/malware to enter their systems.
0
 

Author Comment

by:P0larb3ar
ID: 37829441
Sounds like the consensus is to disable the administrator account. What if I were to disable the "administrator" account and use restricted groups to remove everyone but domain admins and a technical support group? That way, only specific and current users would have access as local admins? Does anyone see any flaws with this idea?
0
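
A way to check one machine against the outcome discussed in this thread (built-in Administrator disabled, local Administrators limited to approved groups). This is an added example, not code from any poster; the CONTOSO domain, the TechSupport group, the function name Get-LocalAdminFinding and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example. CONTOSO and TechSupport are placeholder names (assumptions).
$AllowedMembers = @('CONTOSO\Domain Admins', 'CONTOSO\TechSupport')

function Get-LocalAdminFinding {
    param(
        [object[]] $LocalUsers,    # objects with Name, SID, Enabled
        [object[]] $AdminMembers,  # objects with Name, SID
        [string[]] $Allowed        # names permitted in local Administrators
    )
    # The built-in Administrator keeps RID 500 whatever it has been renamed to.
    $builtin = @($LocalUsers | Where-Object { "$($_.SID)" -match '^S-1-5-21-.*-500$' })
    $builtinSids = @($builtin | ForEach-Object { "$($_.SID)" })
    foreach ($u in $builtin) {
        if ($u.Enabled) {
            [pscustomobject]@{ Finding = 'BuiltinAdminEnabled'; Account = $u.Name }
        }
    }
    foreach ($m in $AdminMembers) {
        # The built-in account is handled by the check above, so skip it here.
        if ($builtinSids -contains "$($m.SID)") { continue }
        if ($Allowed -notcontains $m.Name) {
            [pscustomobject]@{ Finding = 'UnexpectedLocalAdmin'; Account = $m.Name }
        }
    }
}

# Constructed sample data (not from a real machine) so the check runs anywhere.
$users = @(
    [pscustomobject]@{ Name = 'LocalBoss'; SID = 'S-1-5-21-1111-2222-3333-500'; Enabled = $true },
    [pscustomobject]@{ Name = 'Guest';     SID = 'S-1-5-21-1111-2222-3333-501'; Enabled = $false }
)
$members = @(
    [pscustomobject]@{ Name = 'PC01\LocalBoss';        SID = 'S-1-5-21-1111-2222-3333-500' },
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins'; SID = 'S-1-5-21-4444-5555-6666-512' },
    [pscustomobject]@{ Name = 'CONTOSO\jsmith';        SID = 'S-1-5-21-4444-5555-6666-1104' }
)
Get-LocalAdminFinding -LocalUsers $users -AdminMembers $members -Allowed $AllowedMembers

# On a live Windows machine (PowerShell 5.1+), feed it real data instead:
# Get-LocalAdminFinding -LocalUsers (Get-LocalUser) `
#     -AdminMembers (Get-LocalGroupMember -SID 'S-1-5-32-544') -Allowed $AllowedMembers
```

Matching on the RID rather than the name means the check still finds the built-in account after a rename, which is the case the original question was concerned with.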
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37829536
You will want to educate your users on why they should not be local admins. We phrased it as we were protecting them from viruses. We sent out regular emails detailing the lack of viruses after removing administrative rights.

Also make sure you have the support of higher ups (VPs, CIO, CEO, etc).
0
 

Author Closing Comment

by:P0larb3ar
ID: 37830440
I appreciate the advice.
0
