Policy:

Rename Local Administrator Account

Purpose:

This policy checks the name of the built-in local administrator account.  When it differs from the assigned name, the policy renames the account to match.

Controls:
  • Auto-Enable Administrator account if disabled.

The policy cannot change the name of a disabled account.  Use this option to allow the policy to enable accounts it finds disabled.

  • Hide Administrator Account from Logon Screen

Some systems will display a renamed local Administrator account on the Interactive Logon Screen.  Enabling this option prevents this account from being displayed.

Tickets:

The Administrator account could not be enabled on ComputerID: <ID>.  Check the remote Third Wall logs for error description.  The account has not been renamed.

This message is returned when Third Wall finds the Local Administrator account disabled, the 'Auto-Enable' option is checked and Third Wall is unsuccessful in enabling the account.  To resolve this issue, determine what is blocking the account from becoming enabled.

The Administrator account could not be enabled on ComputerID: <ID>.  The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.  The account has not been renamed.

This message indicates the Local Administrator account is disabled, the 'Auto-Enable' option is checked and Third Wall is unsuccessful in enabling the account because the currently assigned password does not comply with the local password policy.  To fix, change either the local password policy or the password currently assigned to the account.

The Administrator account is disabled on ComputerID: <ID>.  The account has not been renamed.

This message indicates the Local Administrator account is disabled and the 'Auto-Enable' option is not checked.  To resolve, either enable the account, apply the checkbox option or apply an exception to the computer.

The Administrator account could not be changed on ComputerID: <ID>.  The username: '<assigned name> already exists on the remote computer.

Windows will not allow two local accounts to have identical names.  Either change the name assigned to the Local Administrator or rename the identically named local user.

An error occurred on ComputerID: <ID> when trying to set the Rename Administrator Account policy.  No change has been made, error:

This message indicates something went wrong in either the detection or change process.  Please reach out to support@third-wall.com for assistance.

Notes:

The only known current issue occurs on computers where the local administrator account was deleted.  In this case, the monitor will fail every run and no recovery is possible.

To test for this, run this command in an administrative command prompt:

WMIC useraccount get name, sid

The built-in local administrator is detected as the account whose SID begins with 'S-1-5-21' and ends in '-500'.
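
The same SID test can be scripted to check a computer for the conditions behind the tickets above before the policy runs.  The PowerShell below is an added example, not Third Wall code; it reads the same Win32_UserAccount data as the WMIC command, and $AssignedName is a hypothetical placeholder for the name configured in the policy.

```powershell
# Added example, not Third Wall code. $AssignedName is a hypothetical
# placeholder for the name configured in the policy.
param(
    [string]$AssignedName = 'ExampleAdminName'
)

# Query local accounts only (the same Win32_UserAccount data WMIC reads).
$accounts = @(Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True')

# The built-in Administrator is identified by SID, never by name:
# S-1-5-21-<machine identifier>-500.
$builtin = $accounts |
    Where-Object { $_.SID -match '^S-1-5-21-\d+-\d+-\d+-500$' } |
    Select-Object -First 1

if (-not $builtin) {
    # Matches the known issue in the Notes: the account was deleted.
    Write-Warning 'No local account with a SID ending in -500 was found.'
    return
}

# Another local account already holding the assigned name blocks the rename.
$collision = $accounts | Where-Object {
    $_.Name -eq $AssignedName -and $_.SID -ne $builtin.SID
}

# One summary object per computer, suitable for export or comparison.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    CurrentName    = $builtin.Name
    SID            = $builtin.SID
    Disabled       = $builtin.Disabled
    AlreadyRenamed = ($builtin.Name -eq $AssignedName)
    NameCollision  = [bool]$collision
}
```

A warning corresponds to the deleted-account issue, Disabled = True corresponds to the disabled-account tickets, and NameCollision = True corresponds to the 'already exists' ticket.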

Version: 2.2.0.1