I developed the following domain-based Group Policy Object (GPO)?controlled scripts because I needed a simple and enforceable way to manage the password associated with the Administrator account on servers and workstations. A built-in Group Policy option lets you rename the Administrator account, but no built-in feature lets you set the password.

A GPO can run a startup script for computers, and through a script, you can set a password. After you rename the original Administrator account that's identified by the SID S-1-5-32-544, you can create a dummy Administrator account. (No matter what its name is, the account associated with the SID S-1-5-32-544 is the one with administrator powers.) Creating a dummy Administrator account provides a target for malicious intruders who might try to commandeer the Administrator account. (Doing so complies with the industry best practice of renaming the Administrator account and providing a dummy account called "administrator" to make the renaming less obvious.)

My solution uses a domain-based GPO that renames the Administrator account to ServiceHere. I then have Startup.bat called as the startup script in a domain-based GPO. From Startup .bat, SetPW.bat is called, as Listing 1 shows. Because the GPO applied is a computer GPO, Domain Computers are added to the Security Properties of SetPW.bat, and Authenticated Users are removed. Thereafter, regular users (even if they know where to look) won't be able to "see" the contents of SetPW .bat, which contains the password.

Note: You can permit the Domain Controllers group to read this policy, but you must exclude the group from applying it. If the Domain Controllers group could apply the policy, the Domain Administrator account would be renamed and the password reset as well. You don't want the Administrator account on domain controllers (DCs) to be processed too.

After the GPO is in place, the next GPO refresh cycle will rename the account with a SID of S-1-5-32-544. When the computer is restarted, the GPO computer-startup script will run and the dummy Administrator account will be created with its own password. The password will be reset on the ServiceHere account that has the actual Administrator account credentials. Although on subsequent restarts the error message The account already exists is generated, the script moves on and the ServiceHere password is reset. (The /y at the end of each line in Listing 2 ensures that any messages are acknowledged so the script can move on.)

At each computer restart, when the machine GPO computer-startup scripts run, the actual Administrator account's password is reset. This Net User method of resetting a password avoids potential constraints of "enforcing history" and "password age."

—Tom Clark
clark.te@verizon.net

Note: The scripts are domain based and are located on DCs under the folder that contains the governing policy. The following path offers an example location: C:\WINNT\SYSVOL\sysvol\subdomain.domain.com\Policies\\{98441574-5D21-4E92-B718-870EC578F2D8\}\Machine\Scripts\Startup.