I know some folks out there recommend not renaming the built-in administrator in Windows Server 2003, and instead creating another admin account with the same privileges and disabling the built-in administrator account. But what if the situation is that I need to rename the administrator account? What would be the best procedure to do this without affecting my Exchange Server 2007, other member file servers and BlackBerry Enterprise Server? We've been using the administrator account to log in to our Windows servers as well as the other servers we have. What would be the step-by-step approach I need to take to ensure that the moment the administrator account is renamed, my remaining servers will not crash? For sure there are certain situations where some software installed as a service in Windows would be affected, and perhaps after the administrator name has been renamed, I would need to go into the services on every Windows server I have and edit any software service that uses the administrator name to log in, before restarting each server? I appreciate everyone's advice. Thank you.
Renaming administrator name in Windows Server 2003
Tags: active-directory, bes, exchange-2007, windows-server-2003
Related Solutions
Hmm... that's decidedly a "not supposed to happen" scenario. The RID 500 Administrator account is stamped with the "isCriticalSystemObject" attribute set to true, and to my knowledge LSASS is supposed to return an ERROR_DS_UNWILLING_TO_PERFORM error (0x80072035) if you were to try and delete it. (I don't have a scratch AD sitting around in any of my VMs right now to give it a shot. Maybe later...)
How are you searching AD, anyway?
From AD Users and Computers, do a "Find" at the root of the domain, choose a "Custom Search" in the "Find" dropdown, go to the "Advanced" tab, and enter the LDAP search filter "(objectSid=S-1-5-21-2025429265-492894223-1708537768-500)". That'll give you a subtree search of the domain from the root of the directory.
If you really have deleted your RID 500 Administrator account somehow, I'd strongly consider contacting Microsoft Product Support Services. They can probably have something coded to re-create the account (if they don't already have such a tool). I can't imagine how you managed to delete it anyway, because the only way I could think to do that would be direct interaction with the database through ESE. I really didn't think there was any publicly-exposed API that would let you delete an object marked with "isCriticalSystemObject" set to True, and I don't think you can set it to False on the RID 500 Administrator, either. Hmmm...
You've got an interesting situation there. Let us know what the subtree search above returns.
Sounds as if you want to change the NetBIOS name, but not the DNS name. Windows 2000 domains do not support renames. The domain must have a forest functional level of 2003 or higher. See http://technet.microsoft.com/en-us/library/cc738208%28v=ws.10%29.aspx. You also cannot rename a domain that uses Exchange (see article). Sounds as if when you do the rename you could change the NetBIOS name and leave the DNS name the same. Build a different test domain with a few VMs and test it out if you can. The rendom tool and more checklists are at http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx
Best Answer
Group Policy.
Open Group Policy Management, and the setting is found at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. It's named "Accounts: Rename administrator account". (At least at a 2008 R2 FL. The option exists on a 2003 domain, but might be named slightly differently; I don't recall off the top of my head.)

I can't think of any reason to not rename it on the Exchange server, but you can always create an OU that excludes Group Policy Inheritance and put the Exchange server in there, or use WMI filtering on the Group Policy to specifically exclude the Exchange server.
As far as installed software and services running as the Administrator account, that's both very bad, and not a default behavior on anything I'm familiar with. So, hopefully, you're worrying about nothing... and if not, it might be worth breaking that just so you can find and correct services running as the Administrator - create and use service accounts instead.
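The inventory step the question asks about and the answer recommends (find every service or scheduled task that logs on as the built-in Administrator before the rename, so it can be moved to a service account) can be scripted. This is an added example, not code from the question or any answer; it assumes an admin workstation with WMI and schtasks access to the servers, and `$Domain` and `$Servers` are placeholders to edit.

```powershell
# Added example: inventory services and scheduled tasks on member servers that
# log on as the built-in (RID 500) Administrator, so they can be re-pointed at
# dedicated service accounts before "Accounts: Rename administrator account" is applied.
# Assumptions: WMI/schtasks access to the servers; $Domain and $Servers are placeholders.
$Domain  = 'CONTOSO'                        # placeholder NetBIOS domain name
$Servers = @('EXCH01', 'FILE01', 'BES01')   # placeholder member server names

# Resolve the RID 500 account through its SID rather than its name, so the same
# check is valid both before and after the rename.
$domAdmins = New-Object System.Security.Principal.NTAccount("$Domain\Domain Admins")
$domainSid = $domAdmins.Translate([System.Security.Principal.SecurityIdentifier]).Value -replace '-512$', ''
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier("$domainSid-500")
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value   # e.g. CONTOSO\Administrator
$adminUser = $adminName.Split('\')[1]

# Logon names can appear as DOMAIN\user, user@domain, or .\user for the local account.
function Test-AdminLogon([string]$logon) {
    if (-not $logon) { return $false }
    return ($logon -ieq $adminName) -or
           ($logon -imatch ('^' + [regex]::Escape($adminUser) + '@')) -or
           ($logon -imatch ('^\.\\' + [regex]::Escape($adminUser) + '$'))
}

$findings = @()
foreach ($srv in $Servers) {
    try {
        $findings += Get-WmiObject -Class Win32_Service -ComputerName $srv -ErrorAction Stop |
          Where-Object { Test-AdminLogon $_.StartName } |
          ForEach-Object { New-Object PSObject -Property @{
              Server = $srv; Type = 'Service'; Name = $_.Name; Account = $_.StartName } }

        # schtasks /V can repeat the CSV header once per task on 2003; drop those rows.
        $findings += schtasks.exe /Query /S $srv /FO CSV /V 2>$null | ConvertFrom-Csv |
          Where-Object { $_.TaskName -ne 'TaskName' -and (Test-AdminLogon $_.'Run As User') } |
          ForEach-Object { New-Object PSObject -Property @{
              Server = $srv; Type = 'Task'; Name = $_.TaskName; Account = $_.'Run As User' } }
    } catch {
        Write-Warning "$srv could not be queried: $($_.Exception.Message)"
    }
}

# Everything listed here will break on rename unless moved to a service account first.
$findings | Sort-Object Server, Type | Format-Table Server, Type, Name, Account -AutoSize
```

Run it again after the Group Policy setting has applied: because the account is resolved by SID, any entry still reported is a logon that was never migrated.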