This tutorial shows you how to rename the built-in administrator account on Windows 10 and Windows 11 devices using Intune. The configuration profiles in Intune can be used to create a policy for changing the administrator account name on Windows devices.
Recently, one of our customers enrolled a number of Windows devices in Intune. After the enrollment was complete, they noticed that the built-in local administrator account was enabled on these devices. They wanted to rename this account so that it would be difficult for local users to identify it.
Changing the built-in administrator account name can be done manually through the Local Users and Groups console. However, when you want to do this on multiple Windows devices, you can use either Group Policy or Microsoft Intune.
Renaming the administrator account has the advantage of allowing IT teams to manage the devices. If you want your IT teams to use a single account on all Windows devices for troubleshooting, you can create one or simply rename the built-in administrator account with Intune.
About Built-in Administrator Account on Windows
The built-in local administrator account exists on all Windows 10 and Windows 11 desktop editions (Home, Pro, Enterprise, and Education). Administrator accounts have privileged access to systems, so the built-in administrator account is disabled when you install Windows.
Windows 11 users can enable the built-in administrator account using multiple methods. However, in most organizations, users are not granted administrator privileges, so that they cannot install third-party applications, make device changes, and so on.
For IT teams, handling the built-in administrator account (BUILTIN\Administrator, NT AUTHORITY\Administrator, the account with relative identifier (RID) 500) is a common source of trouble. This account is present by default on all Microsoft Windows operating systems and Active Directory domains.
As a recommended security practice, most organizations rename the administrator account to make it slightly more difficult for attackers to guess this username and password combination. Some organizations, however, prefer to disable the administrator account to prevent security breaches. Here are some important reasons why most organizations disable the administrator account as a best practice.
Rename administrator account policy
On Windows devices, you will find a built-in GPO setting known as Accounts: Rename administrator account policy that determines whether a different account name is associated with the security identifier (SID) for the administrator account. The same policy is available on Windows servers, and you can use a GPO to rename a built-in local administrator account.
Microsoft Intune also utilizes the same policy setting via the Settings catalog to effectively set the new name for the built-in administrator account on Windows devices. Intune also lets you create a new local administrator account on all Windows devices.
If you intend to use Intune to rename the built-in administrator account on Windows devices, please read the following prerequisites:
Rename built-in administrator account using Intune policy
To rename the built-in administrator account using Intune, perform the following steps:
- Sign in to the Microsoft Intune admin center.
- Select Devices > Windows > Configuration Profiles.
- Click on Create > New Policy to set up a new policy.
Make the following selections on the Create a Profile pane:
- Platform: Windows 10 and later
- Profile type: Settings Catalog
In the Basics tab, enter the following properties:
- Name: Enter a descriptive name for the profile, which you or other IT admins can easily identify later. For example, a good profile name is “Rename administrator account using Intune policy.”
- Description: Enter a brief description of the profile. This setting is optional but recommended. The following description is entered in the screenshot below: “Configure the rename administrator account policy on Windows devices using Intune.”
In the Configuration Settings section, under Settings Catalog, click Add Settings. On the Settings picker window, type “Rename administrator account” in the search box and click Search. From the search results, select the setting “Accounts Rename Administrator Account” and close the Settings Picker window.
Next to the setting, Accounts Rename Administrator Account, enter the local administrator name of your choice. In the below example, we have entered “GlobalIT” as the built-in administrator account name. Once the Intune policy is applied to devices, the “Administrator” account will be renamed “GlobalIT.”
Accounts: Rename administrator account: This security setting determines whether a different account name is associated with the security identifier (SID) for the account administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Default: Administrator.
On the Scope Tags tab, you may specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.
In the Assignments tab, specify the Entra ID groups to assign the policy. We recommend deploying the profile to a few test groups first and then expanding it to more groups if the testing is successful. Select Next.
Finally, on the Review+Create tab, take a look at all the settings you’ve configured for renaming the administrator account policy with Intune. Click Create.
After you create the above configuration policy in Intune, the following notification appears: “Policy created successfully.” This confirms that the policy has been created and is being applied to the groups we chose. The newly created configuration profile appears in Intune’s list of configuration profiles.
Intune Policy Sync on Windows devices
To receive the above policy settings from Intune, the Windows devices must be enrolled in Microsoft Intune, and most importantly, they must be online. The devices synchronize with Intune at regular intervals to obtain the most recent policies. To speed up the policy assignments, you can force sync Intune policies using different methods, including PowerShell on your Windows computers, to download the latest policies from Microsoft Intune.
Monitor Rename Built-in Administrator Account Policy in Intune
While the policy settings are being applied to Windows devices, you can monitor the devices and users that have successfully received the rename built-in administrator account policy settings in Intune.
In the Intune admin center, select the policy and review the device and user check-in status. Under “Device and user check-in status,” you can see the total number of devices and users who successfully received the policy settings.
To view the device names that have successfully received the policy settings, click on View Report.
In some cases, the Intune policy may fail to apply to certain users or devices. To resolve the issues, we recommend reviewing Intune logs on Windows computers.
Verify new Administrator account name
In this section, we will demonstrate several methods for determining whether the built-in administrator account has been successfully renamed as per the Intune policy applied to our Windows devices.
You can check to see if Intune has renamed the built-in administrator account on your Windows devices using one of three methods:
- Local Users and Groups
- Windows Event Viewer
- Windows Registry
Local Users and Groups
Accessing the local users and groups is one of the simplest ways to check if Intune has renamed the built-in administrator account. Press the Win + R keyboard shortcut. Type “lusrmgr.msc” and press Enter to launch the Local Users and Groups window. Go to the Users folder, and you will notice that the Administrator account has been renamed GlobalIT, as per the Intune policy.
Windows Event Viewer
Event IDs 813 and 814 indicate whether Intune has successfully applied the rename administrator account policy settings. The Intune MDM event logs can be viewed on client devices using the Event Viewer.
Launch the event viewer on the Windows device by running the shortcut command eventvwr. Next, browse the following path in the event viewer to view Intune MDM event logs:
Application and Services Logs: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Once you have navigated to the above path in Event Viewer, you may filter the current log with ‘Event ID 813.’ This will give you quick access to the event logs that you’re looking for. In the event shown below, event ID 813 confirms that the Windows device has successfully received the Accounts_RenameAdministratorAccount policy settings from Intune.
MDM PolicyManager: Set policy string, Policy: (Accounts_RenameAdministratorAccount), Area: (LocalPoliciesSecurityOptions), EnrollmentID requesting merge: (0311D8CB-2B6F-4FD7-8B55-A34087DA3885), Current User: (Device), String: (GlobalIT), Enrollment Type: (0x0), Scope: (0x0).
Windows Registry
Check the Windows Registry on the client device to see if the Intune policy changed the name of the built-in administrator account. Run the regedit.exe command to open the registry editor on a Windows device. In the registry editor, navigate to the below path.
Here you’ll see the Accounts_RenameAdministratorAccount registry key with the value “GlobalIT.” This demonstrates that you can use the Windows registry to check whether the administrator account was renamed as per the Intune policy.
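The Local Users and Groups and Event Viewer checks can also be run as one script. This is an added example, not code from the original tutorial: it finds the built-in administrator by its RID 500 SID, which stays the same after a rename, and compares its current name with the string in the newest event 813/814. `$ExpectedName`, the helper `Get-RenamePolicyString` and the shortened sample message are assumptions for illustration, and the script assumes a Windows PowerShell session with the LocalAccounts cmdlets and permission to read the log.

```powershell
# Added example: confirm the rename by SID and by the MDM event log.
$ExpectedName = 'GlobalIT'   # name used in this tutorial's policy
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-RenamePolicyString {
    # Returns the "String: (...)" value of a PolicyManager message for
    # Accounts_RenameAdministratorAccount, or $null for any other message.
    param([string]$Message)
    if ($Message -notmatch 'Policy: \(Accounts_RenameAdministratorAccount\)') { return $null }
    if ($Message -match 'String: \(([^)]*)\)') { return $Matches[1] }
    return $null
}

# Parser self-check on a shortened copy of the event text quoted on this page.
$sample = 'MDM PolicyManager: Set policy string, Policy: (Accounts_RenameAdministratorAccount), ' +
          'Area: (LocalPoliciesSecurityOptions), Current User: (Device), String: (GlobalIT)'
if ((Get-RenamePolicyString $sample) -ne 'GlobalIT') { throw 'Parser self-check failed' }

# 1. The built-in administrator keeps RID 500 whatever it is called,
#    so find it by SID rather than by name.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }

# 2. Newest event 813/814 carrying the rename policy (Get-WinEvent lists newest first).
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 813, 814 } -ErrorAction SilentlyContinue
$pushed = $events |
    ForEach-Object { Get-RenamePolicyString $_.Message } |
    Where-Object { $_ } |
    Select-Object -First 1

# 3. Report both views; a mismatch means the rename is not confirmed on this device.
[pscustomobject]@{
    AdminSid        = $admin.SID.Value
    CurrentName     = $admin.Name
    Enabled         = $admin.Enabled
    NameFromPolicy  = $pushed
    RenamedAsPolicy = ($admin.Name -eq $ExpectedName) -and ($pushed -eq $ExpectedName)
}
```

The `Enabled` column is worth checking alongside the name, since the tutorial's starting point was devices where this account had been left enabled.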
After deploying the policy to rename the built-in administrator account using Intune, on some Windows devices, the policy may fail to apply. There could be other errors as well. To resolve the issues, we recommend reviewing Intune logs on Windows computers.