This blog post will show how to rename a built-in administrator account on Windows 10 and Windows 11 devices using the Intune admin center. Windows computers have an Administrator account (SID S-1-5-domain-500, display name Administrator). The Administrator account is the first account created during the Windows installation.
The Administrator account has full control of the files, directories, services, and other resources on the local device. The default Administrator account can’t be deleted or locked out, but it can be renamed or disabled. An Administrator account can’t be removed from the Administrators group.
The best practice is to use a non-administrator account to log on to the PC and elevate to an administrator account when required, e.g., to install any applications or perform any configuration tasks on your device. It’s best to avoid using a local administrator account to Sign in to the device.
However, if you are using Windows LAPS and managing a built-in Administrator account, It must be enabled before you can deploy the LAPS policy to the device. You have the flexibility to rename this account and manage it using Windows LAPS.
If you do not intend to use the built-in local admin account for any reason, then you should take the following steps to improve the security of your Windows devices.
- Rename the built-in Local administrator account.
- Disable built-in Local administrator user account.
In the upcoming sections of the blog post, we will learn how to rename the built-in local administrator account on Intune-managed Windows 10 and Windows 11 devices.
You can refer to some of the related useful articles below:
Create a Local Admin Account Using Intune.
Elevate User to Local Admin on Windows 365 Cloud PC.
Step-by-Step Guides
Table of Contents
Rename Built-in Administrator Account using Intune Policy
To rename the built-in Local administrator account using Intune, follow below steps:
- Sign in to the Intune admin center.
- Go to Devices > Configuration > Policies tab > Create > New Policy.
- Select Platform as Windows 10 and later
- Profile type as Settings Catalog
- Click on the Create button.
Basics Tab
Enter the Name and Description of the profile. Click on Next to proceed.
For Example:
- Name: Rename administrator account Policy
- Description: This device configuration profile will rename the administrator account on target Windows devices.
Configuration Settings
- Click on “+ Add settings“
- In the Settings picker, search for “rename admin“
- Under the Category Local Policy Security Options, Select “Accounts Rename Administrator Account“. Exit out of the Settings picker.
Accounts: Rename administrator account This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Default: Administrator.
About “Accounts Rename Administrator Account” Policy setting
- You can rename the built-in local administrator account using the ‘Accounts Rename Administrator Account’ setting‘. In the screenshot below, I have used ‘cloudinfraIT‘ as the new name. Once the Intune policy is successfully applied, the built-in administrator account will be renamed to cloudinfraIT.
Scope tags
Click on Next.
Assignments tab
Click Add groups and select an Entra security group containing Windows 10/11 devices or users.
Review + create
On the Review + Create tab, review the device configuration profile details and click on Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
Monitoring Deployment Progress
To monitor the deployment progress of a Device configuration profile, follow the below steps:
- Sign in to the Intune admin center.
- Click on Devices and then click on Configuration.
- Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on View report to access more detailed information.
End-user Experience
Once the policy settings are successfully applied to the target devices, the built-in administrator account will be renamed cloudinfraIT. Let’s confirm this from one of the target devices:
- Press the Windows key + R to open the Run dialog box.
- Type
compmgmt.mscand press Enter to open the Computer Management window. - Under System Tools > Local Users and Groups > Users, you will find the built-in Administrator account.
By default, this account will be disabled, and the default name of the account will be Administrator. After our Device Configuration policy takes effect, the name of this account will be changed to cloudinfraIT. The account will remain disabled.
After rebooting the Intune-managed device, you can relaunch Computer Management to confirm whether the built-in Administrator account has been renamed. As shown in the screenshot below, the name specified in the device configuration policy is now applied.
Troubleshooting
In the majority of cases, renaming an administrator account poses no issues. However, if you have applied this policy to Windows devices and the built-in Administrator account remains unchanged even after waiting for the Intune default refresh interval, it is advisable to investigate one of the target devices. Examine the logs to identify and pinpoint the root cause of this issue.
Check Event Viewer Logs
- Press the Windows key + R to open the Run dialog box.
- Type
eventvwrand press Enter to open the Event viewer. - Navigate to Application and Services Logs > Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin.
- Right-click on the Admin folder and click on Filter Current Log…
- Enter 814 in the Event ID box and click on OK.
- You can now locate all logs related to Event ID 814. Examine them one by one until you identify the deployed configuration policy. As the screenshot below shows, the log displays the custom administrator name ‘cloudinfraIT,’ as specified in the device configuration policy.
MDM PolicyManager: Set policy string, Policy: (Accounts_RenameAdministratorAccount), Area: (LocalPoliciesSecurityOptions), EnrollmentID requesting merge: (1541DA32-3D28-4B4F-A7A1-0E4C826BC93A), Current User: (Device), String: (cloudinfraIT), Enrollment Type: (0x6), Scope: (0x0).
Event ID 814 related to Accounts_RenameAdministratorAccount CSP
Check Windows Registry Editor
You can check and confirm the new name of the built-in Administrator account from Windows Registry Editor as well. For the registry entry, we need to check if Accounts_RenameAdministratorAccount should be set to the custom name of the Administrator account we specified while creating the policy.
To locate this registry entry, follow the below steps:
- Press the Windows + R keys to open the Run dialog box.
- Type
regeditand press Enter to open the Registry Editor. - Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\<Administrator GUID>\default\Device\LocalPoliciesSecurityOptions.
Replace the Administrator GUID with the GUID of the Administrator account on your device. If you are unsure about it, a simple trick is to right-click the ‘providers‘ folder and search for your custom administrator account name, which is ‘cloudinfraIT‘ in this case. This will automatically open the registry key that we want to navigate to.
