Why Does My Local Admin Account Change When Joining a Domain?

Asked By TechWizard88 On

I have some brand new PCs that have been imaged, and I'm running into an issue with the local admin account. When I log in using local admin credentials, I see that the default 'Administrator' account has been renamed to 'companyadmin.' However, after I change the hostname of the PC and restart, 'companyadmin' disappears and is replaced with 'Administrator' again, although the password stays the same. I've checked and confirmed that 'companyadmin' is indeed set up as the local admin account before joining the domain. After joining, the PC gets added to the 'NEWCOMP' Organizational Unit, which applies only a couple of basic Group Policies that shouldn't affect the admin username; this is backed by the results I got from 'gpresult /h.' So, if I rule out Group Policies, what else could be causing the local admin account to change its name once the PC joins the domain?

4 Answers

Answered By AdminGuru42 On

This could definitely be related to LAPS (Local Administrator Password Solution). When you're joining a domain, managing admin accounts often gets handled by such solutions. You mentioned the 'T2' account, which implies they might be doing things the right way with respect to security. I'd bet LAPS is in play here, even if your password hasn't changed.

Answered By ITExpertVictor On

LAPS or domain GPOs are likely the reasons behind the name change. If you’ve renamed the built-in account, that might be fine for now, but it’s best to have a separate local admin account and avoid using the default one, just to stay secure.

Answered By SystemSage101 On

You might want to double-check your local policies. Even if 'gpresult /h' suggests there aren't any affecting policies, LAPS is typically implemented through GPO, so it could still be the cause. It’s worth investigating!

Answered By NetworkNinja27 On

I totally get your frustration. It's best to create a non-default local admin account and disable the built-in one. That way, you're not leaving a ticking time bomb on your machines. Have a chat with your Active Directory team; they can help clear this up.
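The answers above point at local security policy, domain GPOs and LAPS. The following read-only diagnostic is an added example, not code from any of the posters: it identifies the built-in account by its RID, asks the computer-scope RSoP data which GPO (if any) sets "Accounts: Rename administrator account", and lists LAPS policy values. It assumes an elevated Windows PowerShell 5.1 session on the affected PC with RSoP logging at its default; the registry paths are the policy locations used by legacy Microsoft LAPS and by Windows LAPS.

```powershell
# Added diagnostic example; read-only. Run elevated on the affected PC.

# 1. The built-in Administrator keeps RID 500 whatever it is currently named.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
'Built-in admin (RID 500): {0}  Enabled: {1}' -f $builtin.Name, $builtin.Enabled

# 2. Which applied GPO, if any, sets "Accounts: Rename administrator account"?
#    Computer-scope RSoP logging data records the winning setting and its GPO.
$rename = Get-CimInstance -Namespace 'root\rsop\computer' `
    -ClassName RSOP_SecuritySettingString `
    -Filter "KeyName='NewAdministratorName'" -ErrorAction SilentlyContinue
if ($rename) {
    $rename | Sort-Object precedence |
        Select-Object Setting, precedence, GPOID | Format-Table -AutoSize | Out-String
} else {
    'RSoP: no applied GPO sets NewAdministratorName'
}

# 3. LAPS policy keys: legacy Microsoft LAPS, then Windows LAPS (GPO, then CSP).
$lapsKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS',
    'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
)
foreach ($key in $lapsKeys) {
    if (Test-Path $key) {
        "LAPS policy present: $key"
        # Shows values such as the managed account name, if one is configured.
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List | Out-String
    } else {
        "LAPS policy absent:  $key"
    }
}

# 4. Computer-scope policy summary; a user-scope report can omit machine settings.
gpresult /scope computer /v
```

Running it once before the rename-and-join step and once after shows whether the RID 500 account's name changed and whether any applied policy accounts for it.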
