Renamed Local Administrator Account Name Reverts to Old Account Name

Discussion in 'Security Software' started by underthegun2004, Nov 30, 2005.

  1. We are moving XP boxes from DOMAINA to DOMAINB.

    When we initially built the machines, we renamed the local admin
    account from administrator to "local.a".

    Instead of renaming them manually when joining the new DOMAINB, we
    created and applied a GPO that renames the local admin account to
    "local.b".

    Our dilemma is that when we unjoin from new DOMAINB, local admin
    account name reverts from "local.b" to "local.a".

    The only solution I can think of is to ensure that we change the names
    manually before joining it to the new DOMAINB.

    Any suggestions to avoid having to do this manually? If you look at
    Local Security Policy settings, it has the correct name of "local.b",
    but if you unjoin from domain to workgroup, Local Security Policy even
    reverts back to "local.a".

    Where is the WORKGROUP LSP stored? Can we modify those stored settings
    while the machine is in the DOMAINB?
     
    underthegun2004, Nov 30, 2005
    #1

  2. I would really need to set up a test on this, but off the top it
    sounds like you named the account by use of the rename
    policy in the LSP, not by the local user manager, prior to the
    joining to the first domain. So, when the machine goes out
    of management scope of the AD based GPOs the account
    has its name set to that specified in the LSP.
    When you say you see the current name, as defined in the
    AD based GPO, when you look in the LSP, this I am taking
    as you're seeing the effective policy value (from AD GPO).
    Unless I am recalling incorrectly the rename is a real rename
    and it would persist when a machine goes out of scope of
    management by a GPO, so it must be that another (i.e. the
    LSP) policy is then changing it.
    So, you could try defining a security template with the one
    setting to rename the account to the desired value and then
    apply this with secedit. The idea is that this will adjust the
    local value stored in the security.sdb, but the AD based GPO
    setting will still be effective. Then, when the machine goes
    out of scope of the GPO the newly set local value should be
    applied.
     
    Roger Abell [MVP], Dec 1, 2005
    #2
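
The secedit approach suggested in reply #2, written out as an added example (not code posted by either participant): a one-setting security template that renames the local administrator to "local.b", applied with `secedit /configure`. The file paths and the scratch database name are assumptions, and the thread does not confirm that this changes the name applied after the machine leaves the domain.

```bat
@echo off
rem Added example, not from the thread. Paths and file names are hypothetical.
rem Run from an administrator command prompt on the XP machine.
setlocal
set "CFG=%TEMP%\rename-admin.inf"
set "SDB=%TEMP%\rename-admin.sdb"
set "LOG=%TEMP%\rename-admin.log"
set "CHK=%TEMP%\rename-admin-check.inf"

rem Write a security template that carries only the rename setting.
> "%CFG%" echo [Unicode]
>> "%CFG%" echo Unicode=yes
>> "%CFG%" echo [Version]
>> "%CFG%" echo signature="$CHICAGO$"
>> "%CFG%" echo Revision=1
>> "%CFG%" echo [System Access]
>> "%CFG%" echo NewAdministratorName = "local.b"

rem Apply the template. SECURITYPOLICY is the area that covers [System Access].
secedit /configure /db "%SDB%" /cfg "%CFG%" /areas SECURITYPOLICY /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit /configure failed, see "%LOG%"
    exit /b 1
)

rem Export the security policy area again and show the recorded name.
rem The export is a Unicode file, so pipe it through "type" before findstr.
secedit /export /cfg "%CHK%" /areas SECURITYPOLICY /quiet
if errorlevel 1 (
    echo secedit /export failed
    exit /b 1
)
type "%CHK%" | findstr /i "NewAdministratorName"
endlocal
```

Trying this on a single test machine and then moving it back to a workgroup shows whether the name stays "local.b" before the template is rolled out to the other XP boxes.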