Replacing the local administrator

In my last post, I discussed setting up LAPS.  During this time, we also made the decision to stop using the built-in Administrator account on the local machines and use something else.  There is a group policy setting that will let you rename the default Administrator account, but we decided that we wanted to leave that account intact (but disabled) and create a different account to be the local admin.  We managed to do all of this with a combination of group policy and PowerShell.

Disable Administrator

Disabling the local Administrator account is fairly simple.  Edit your group policy and go to:  Computer Configuration > Policies > Windows Settings > Local Policies > Security Options > Accounts:  Administrator account status.  Set this to disabled.  In our environment, we added this setting to the existing GPO for LAPS.

Creating a New Local Admin

For this, we used PowerShell.  And for this example, I am going to call the new user account newadmin.

This script will first check to see if the user newadmin already exists.  If not, the account is created with a password of P@ssw0rd and then added to the local Administrators group on the machine.  If the account does exist, the script does nothing.  The password for this account will of course be changed the next time the machine updates group policy in accordance with LAPS.
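The script itself is not reproduced on this page, so here is an added example that implements the behaviour described above; it is my own code, not the original post's script.  It assumes it runs as a GPO startup script (so under the SYSTEM account on a domain-joined machine), that PowerShell 2.0 or later is available (it uses the WinNT ADSI provider rather than Get-LocalUser so it also works before PowerShell 5.1), and that the LAPS policy has already been pointed at the newadmin account rather than the built-in Administrator, since otherwise LAPS will not rotate the initial password.

```powershell
# Added example: create the local admin account described in the post if it is missing.
# Assumptions: run as a GPO startup script (SYSTEM), PowerShell 2.0+, LAPS configured
# to manage the account named in $userName.
$userName        = 'newadmin'
$initialPassword = 'P@ssw0rd'   # initial password from the post; LAPS replaces it at the next policy refresh

# Bind to the local SAM through the WinNT ADSI provider (works on all supported Windows versions).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"

# Does a local user with this name already exist?
$existing = $computer.Children |
    Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $userName }

if ($existing) {
    # Account is already present: do nothing, exactly as the post describes.
    Write-Host "Local user '$userName' already exists; nothing to do."
    exit 0
}

# Create the account and commit it before setting further properties.
$user = $computer.Create('User', $userName)
$user.SetPassword($initialPassword)
$user.SetInfo()
$user.Description = 'Local administrator account managed by LAPS'
$user.SetInfo()

# Resolve the local Administrators group by its well-known SID (S-1-5-32-544) instead of
# hard-coding the name, so the script also works on localized Windows builds.
$adminsSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminsName = $adminsSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$adminsName,group"
$group.Add("WinNT://$env:COMPUTERNAME/$userName,user")

Write-Host "Created local user '$userName' and added it to the '$adminsName' group."
```

Because the script is idempotent (a second run finds the account and exits), it is safe to leave it attached as a startup script indefinitely; the check is by account name only, so if someone removes newadmin from the Administrators group by hand the script will not re-add it.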

Save this script with a .ps1 extension and put it somewhere on the network for distribution, such as the scripts folder in SYSVOL.  In our environment we decided to place this in the same deployment folder as the MSI files for LAPS to keep everything related to LAPS in the same place.

Next, edit a group policy to deploy this script.  We set this as a startup script, and again used the same GPO that we used for LAPS.