Rename Local Administrator Account every 45 Days

I have been tasked with creating GPO to change the name of the "Local Administrator" account on computers and laptops in our domain every 45 days. The reason for this is that we don't want former employees going to the competition with this access to our computers. It is a security vulnerability and we are working to eliminate this risk.

I have found the following article that walks one through creating the GPO. Rename Local Administrator Account

What I don't see is how I would make this change occur every 45 days. Would I have to manually update the GPO with a new username and then allow it to update? Additionally, While this will work for computers actively on the domain and logging in, how do I update the mobile users who only log onto the VPN? Will the GP apply to their computer when they login through the VPN?

Furthermore, the issue I foresee is that some machines will not check-in given their remote situation and when our technicians have to troubleshoot their particular systems they may be one, two or three names behind and this will surely create a nightmare to keep up with.

Is there a better solution to this issue that I am not aware of? How do other companies handle this situation?

Thank you for any suggestions.

Marcus
P0larb3arAsked:
Who is Participating?
 
Joseph MoodyBlogger and wearer of all hats.Commented:
A more secure solution would be to disable the local administrator account completely. If needed, it can be re-enabled by starting the machine in safe mode.

If you are looking for additional security with stolen laptops, you should consider using hardware level encryption. Windows 7 Enterprise/Ultimate supports Bitlocker.
0
 
Paul MacDonaldDirector, Information SystemsCommented:
Short of writing a program, you'd have to do this manually.  Yes, it could/would apply to mobile users as well.  Yes, you may need to try more than one name before you find the right one.

That said, unless your competition has access to your computers, their knowing what you call the Local Administrator doesn't amount to much.  Moreover, they'd still not know the password.  If people outside your network can readily access your desktops, I'd put more emphasis on security there.
0
 
Glen KrinskySystems AdministratorCommented:
You could set up a scheduled task to run the GPO every 45 days.  Becareful though...you should leave a way to get back in, in the even the admin account gets jacked up.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
DonNetwork AdministratorCommented:
"Is there a better solution to this issue that I am not aware of? How do other companies handle this situation?"

Yes disable local administrative rights altogether. Having administrative rights just makes it vulnerable as it's that much easier for viruses/malware to enter their systems.
0
 
P0larb3arAuthor Commented:
Sounds like the census is to disable the administrator account. What if I were to disable the "administrator" account and use restricted groups to remove everyone but domain admins and a technical support group? That way, only specific and current users would have access as local admins? Does anyone see any flaws with this idea?
0
 
Joseph MoodyBlogger and wearer of all hats.Commented:
You will want to educate your users on why they should not be local admins. We phrased it as we were protecting them from viruses. We sent out regular emails detailing the lack of viruses after removing administrative rights.

Also make sure you have the support of higher ups (VPs, CIO, CEO, etc).
0
 
P0larb3arAuthor Commented:
I appreciate the advice.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.