Solved

Rename Local Administrator Account every 45 Days

Posted on 2012-04-10
7
572 Views
Last Modified: 2012-04-10
I have been tasked with creating GPO to change the name of the "Local Administrator" account on computers and laptops in our domain every 45 days. The reason for this is that we don't want former employees going to the competition with this access to our computers. It is a security vulnerability and we are working to eliminate this risk.

I have found the following article that walks one through creating the GPO. Rename Local Administrator Account

What I don't see is how I would make this change occur every 45 days. Would I have to manually update the GPO with a new username and then allow it to update? Additionally, While this will work for computers actively on the domain and logging in, how do I update the mobile users who only log onto the VPN? Will the GP apply to their computer when they login through the VPN?

Furthermore, the issue I foresee is that some machines will not check-in given their remote situation and when our technicians have to troubleshoot their particular systems they may be one, two or three names behind and this will surely create a nightmare to keep up with.

Is there a better solution to this issue that I am not aware of? How do other companies handle this situation?

Thank you for any suggestions.

Marcus
0
Comment
Question by:P0larb3ar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 400 total points
ID: 37829145
A more secure solution would be to disable the local administrator account completely. If needed, it can be re-enabled by starting the machine in safe mode.

If you are looking for additional security with stolen laptops, you should consider using hardware level encryption. Windows 7 Enterprise/Ultimate supports Bitlocker.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37829147
Short of writing a program, you'd have to do this manually.  Yes, it could/would apply to mobile users as well.  Yes, you may need to try more than one name before you find the right one.

That said, unless your competition has access to your computers, their knowing what you call the Local Administrator doesn't amount to much.  Moreover, they'd still not know the password.  If people outside your network can readily access your desktops, I'd put more emphasis on security there.
0
 
LVL 6

Assisted Solution

by:airborne1128
airborne1128 earned 100 total points
ID: 37829152
You could set up a scheduled task to run the GPO every 45 days.  Becareful though...you should leave a way to get back in, in the even the admin account gets jacked up.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37829156
"Is there a better solution to this issue that I am not aware of? How do other companies handle this situation?"

Yes disable local administrative rights altogether. Having administrative rights just makes it vulnerable as it's that much easier for viruses/malware to enter their systems.
0
 

Author Comment

by:P0larb3ar
ID: 37829441
Sounds like the census is to disable the administrator account. What if I were to disable the "administrator" account and use restricted groups to remove everyone but domain admins and a technical support group? That way, only specific and current users would have access as local admins? Does anyone see any flaws with this idea?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37829536
You will want to educate your users on why they should not be local admins. We phrased it as we were protecting them from viruses. We sent out regular emails detailing the lack of viruses after removing administrative rights.

Also make sure you have the support of higher ups (VPs, CIO, CEO, etc).
0
 

Author Closing Comment

by:P0larb3ar
ID: 37830440
I appreciate the advice.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question