razormoon

Renaming the Administrator Account

19 posts in this topic

OK THE FOLLOWING HAS BEEN TESTED AND WORKING!!!

HOW TO:

Renaming the god-mode Administrator account and Unattended Vista install.

You only need to do this once!

Do the following in the order shown!!!

First:

Click Start >> Run and type 'MMC' and Enter

Click File >> Add/Remove Snap-in...

In the left Window, scroll down and

double-click Security Configuration and Analysis

double-click Security Templates

Click OK

Second:

Create a new Security Template by:

Expand Security Templates

Right-click on default path (should be "%userprofile%\Documents\Security\Templates")

Click New Template...

Type "unattend.inf"

Hit Enter

Create a new database by:

Right-click Security Configuration and Analysis

Click Open Database...

Type "unattend.sdb". This directory is %userprofile%\Documents\Security\Database

Hit Enter

Type "unattend.inf". This directory is %userprofile%\Documents\Security\Templates

Hit Enter

Third:

Enter new Security changes:

Expand Security Templates >> %userprofile%\Documents\Security\Templates >> unattend >> Local Policies >> Security Options

Double-click Accounts: Administrator account status

Tick the box "Define this policy setting in the template"

Radio "Enabled"

Click OK

Double-click Accounts: Rename administrator account

Tick the box "Define this policy setting in the template"

Enter new Administrator name

Hit Enter

Make any other changes you wish:

UAC: Admin Approval Mode... = FilterAdministratorToken Should be disabled

UAC: Behavior of the elevation prompt for admin... = ConsentPromptBehaviorAdmin

UAC: Behavior of the elevation prompt for standard... = ConsentPromptBehaviorUser

UAC: Run all administrators in Admin Approval Mode = EnableLUA Should be enabled (Adversely affects Std Users!)

Close MMC

You don't have to save console settings if you don't want to, but you must save changes to template!

Remember, your new database and template should now reside in %userprofile%\Documents\Security\Database and %userprofile%\Documents\Security\Templates respectively. Be sure to save the template changes.

Now you must edit INSTALL.WIM!

Mount INSTALL.WIM

imagex /mountrw x:\sources\INSTALL.wim 1 x:\temp

("1" depends on your own image file)

Copy the CONTENTS (i.e., Database and Templates folders) of %userprofile%\Documents\Security folder to x:\temp\Windows\Security

Unmount and commit INSTALL.WIM

imagex /unmount /commit x:\temp

The above should be done before any unattend programs such as vLite and VistaUA.

Also, a pre-existing database file named SECEDIT.SDB exists in INSTALL.WIM. This is fine and you should not overwrite, delete or otherwise alter this file!

HERE YOU MAY USE VLITE, VISTAUA, CUSTOMIZATIONS, ETC >>>>>>>>>>>>

WITH NO NEED FOR THE ABOVE REGISTRY TWEAKS

Add the following to setupcomplete.cmd (in \sources\$oem$\$$\setup\scripts\):

CMD /C secedit /configure /db %systemroot%\security\database\unattend.sdb /cfg %systemroot%\security\templates\unattend.inf /log %systemroot%\security\logs\unattend.log /overwrite /quiet

Add/Change the following to your PRE-EXISTING autounattend.xml !!!!PRE-EXISTING!!!!

If you already have an oobesystem pass in your autounattend, just add the items within.

<settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <UserAccounts>
      <AdministratorPassword>
        <Value>"YOUR ADMINISTRATOR PASSWORD HERE"</Value>
      </AdministratorPassword>
    </UserAccounts>
    <AutoLogon>
      <Enabled>true</Enabled>
      <LogonCount>3</LogonCount>
      <Username>"YOUR RENAMED ADMINISTRATOR ACCOUNT HERE"</Username>
      <Password>
        <Value>"YOUR ADMINISTRATOR PASSWORD"</Value>
        <PlainText>true</PlainText>
      </Password>
    </AutoLogon>
  </component>
</settings>

NOTE: YOU DO NOT HAVE TO AUTOLOGON TO THE RENAMED GOD ACCOUNT, BUT THEN WHAT'S THE SENSE OF DOING ALL OF THIS?

If you have a better, faster and/or easier way of doing this, then I just wasted my time.

Brought to you by razormoon

Edited by razormoon

If anyone can test if you can change the name in unattend.inf 'on the fly' (i.e., if you can parse and edit name without going through the whole spiel) that would be greatly appreciated.

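The template that the guide above saves as unattend.inf is a plain-text INF file, so the name can be read and edited as text. The following is an added example, not code from the thread: it reads the [System Access] section and rewrites NewAdministratorName. The sample template, the name `opsadmin` and the function names are constructed for illustration.

```python
import re

# Constructed sample of a template as the Security Templates snap-in saves it.
# Section and key names are the standard INF ones; the values are examples.
SAMPLE_INF = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
EnableAdminAccount = 1
NewAdministratorName = "OldName"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,0
"""

# Assumption: the usual local-account rules apply (max 20 chars, none of these).
BAD_CHARS = set('"/\\[]:;|=,+*?<>')
NAME_LINE = re.compile(
    r'^([ \t]*NewAdministratorName[ \t]*=[ \t]*)"[^"]*"(?=[ \t\r]*$)', re.M)

def system_access(template):
    """Return the [System Access] keys of a template as a dict."""
    section, found = None, {}
    for line in template.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip().strip('"')
    return found

def set_admin_name(template, new_name):
    """Return the template text with NewAdministratorName replaced."""
    if not 0 < len(new_name) <= 20 or BAD_CHARS & set(new_name):
        raise ValueError(f"not a valid account name: {new_name!r}")
    updated, count = NAME_LINE.subn(lambda m: f'{m.group(1)}"{new_name}"', template)
    if count != 1:
        raise ValueError("expected exactly one NewAdministratorName line")
    return updated

if __name__ == "__main__":
    print(system_access(set_admin_name(SAMPLE_INF, "opsadmin")))
```

Templates saved by the snap-in are normally UTF-16, so open the file with `encoding="utf-16"` before passing its text in. That encoding, and whether secedit accepts the edited file without rebuilding unattend.sdb, are assumptions that were not tested here.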

Just seems like a lot of c...ing around to me... hey but whatever does it for ya.

> Just seems like a lot of c...ing around to me... hey but whatever does it for ya.

Sure, it takes a lot, but once it's done to a fresh 'vanilla' image you don't have to do it again.


I'm thinking that instead of injecting security folders into wim, one can conceivably store them in $OEM$\$$\Security. Much faster and easier. Also conceivable is that one can run the secedit command from AuditUser pass, no?

> I'm thinking that instead of injecting security folders into wim, one can conceivably store them in $OEM$\$$\Security. Much faster and easier. Also conceivable is that one can run the secedit command from AuditUser pass, no?

Sounds good here.

> If you have a better, faster and/or easier way of doing this, then I just wasted my time.
>
> Brought to you by razormoon

I tried several ways to do it (mainly with 3rd party tools and scripts) and arrived at the same secedit method.

During Vista deployment, the built-in administrator account is always renamed "administrator" or localized equivalent (administrateur in French), that's why one has to execute secedit after deployment.

I will try to use the SetupComplete.cmd file.

Razormoon> you should wrap your text in code tags to preserve your formatting with spaces/tabs.

Thanks for sharing your input! :thumbup

Largo.

> I will try to use the SetupComplete.cmd file.
>
> Razormoon> you should wrap your text in code tags to preserve your formatting with spaces/tabs.
>
> Thanks for sharing your input! :thumbup
>
> Largo.

Honest to goodness, I usually wrap my code. Thanks for reminding me! :)

The SetupComplete method works like a charm.


$OEM$ folder method tested and not working.

Edited by razormoon

Not so bad. Injecting into install.wim works fine, it just takes a little more time...


Can someone help me?

I've followed this guide a few times but always get the same problem?

On first boot up, it can't log in. So I click ok and enter the password and still cannot log in.

The name I changed admin to appears right on the log in screen.

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="windowsPE">
<component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SetupUILanguage>
<UILanguage>en-US</UILanguage>
</SetupUILanguage>
<InputLocale>00040408</InputLocale>
<UserLocale>en-US</UserLocale>
<UILanguage>en-US</UILanguage>
<SystemLocale>en-US</SystemLocale>
</component>
<component name="Microsoft-Windows-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<UserData>
<FullName>Charles Watson</FullName>
<AcceptEula>true</AcceptEula>
</UserData>
</component>
</settings>
<settings pass="oobeSystem">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<AutoLogon>
<Password>
<Value>......</Value>
<PlainText>true</PlainText>
</Password>
<Enabled>true</Enabled>
<LogonCount>3</LogonCount>
<Username>Charles</Username>
</AutoLogon>
<OOBE>
<HideEULAPage>true</HideEULAPage>
<NetworkLocation>Home</NetworkLocation>
<ProtectYourPC>1</ProtectYourPC>
<SkipMachineOOBE>true</SkipMachineOOBE>
<SkipUserOOBE>true</SkipUserOOBE>
</OOBE>
<TimeZone>Eastern Standard Time</TimeZone>
<UserAccounts>
<AdministratorPassword>
<Value>......</Value>
</AdministratorPassword>
</UserAccounts>
</component>
</settings>
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ComputerName>charles-pc</ComputerName>
</component>
<component name="Microsoft-Windows-Security-Licensing-SLC-UX" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SkipAutoActivation>true</SkipAutoActivation>
</component>
</settings>
<cpi:offlineImage cpi:source="wim:D:/System/Vista/6001.16659.070916-1443_x86fre_Client_en-us-FB1CFRE_EN_DVD/sources/install.wim#Windows Vista ULTIMATE" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

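A check for answer files like the one posted above: it reports passwords stored in plain text and auto-logon settings, and compares the AutoLogon user name with the renamed administrator account from unattend.inf. This is an added example, not code from the thread; the sample file, the name `opsadmin` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on this thread's answer files; values are placeholders.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="oobeSystem">
  <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
   <UserAccounts>
    <AdministratorPassword><Value>EXAMPLE-ONLY</Value></AdministratorPassword>
   </UserAccounts>
   <AutoLogon>
    <Enabled>true</Enabled>
    <LogonCount>3</LogonCount>
    <Username>Administrator</Username>
    <Password><Value>EXAMPLE-ONLY</Value><PlainText>true</PlainText></Password>
   </AutoLogon>
  </component>
 </settings>
</unattend>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def field(elem, name, default=""):
    """Text of the first direct child called `name`, else `default`."""
    for sub in elem:
        if local(sub.tag) == name:
            return (sub.text or "").strip()
    return default

def audit_answer_file(xml_text, renamed_admin):
    """List credential findings; `renamed_admin` is the name set in unattend.inf."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        kind = local(elem.tag)
        if kind in ("Password", "AdministratorPassword") and field(elem, "Value"):
            # Assumption: a missing <PlainText> element counts as plain text.
            if field(elem, "PlainText", "true").lower() == "true":
                findings.append(f"{kind}: value stored in plain text")
        elif kind == "AutoLogon" and field(elem, "Enabled").lower() == "true":
            user, count = field(elem, "Username"), field(elem, "LogonCount", "unset")
            findings.append(f"AutoLogon: enabled for {user!r}, LogonCount={count}")
            if user.lower() != renamed_admin.lower():
                findings.append(f"AutoLogon: {user!r} is not the renamed {renamed_admin!r}")
    return findings

if __name__ == "__main__":
    for finding in audit_answer_file(SAMPLE, "opsadmin"):
        print(finding)
```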

Are you sure you have defined your security policies in \Windows\Security? Checked all the necessary options? If so, did you inject into install.wim and make a call to secedit from setupcomplete.cmd? I've heard of some users having trouble with the setupcomplete.cmd method. What you can do is move that call from the setupcomplete.cmd and put it in your autounattend.xml as such in <settings pass="specialize">:

        
<component name="Microsoft-Windows-Deployment" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<RunSynchronous>
<RunSynchronousCommand wcm:action="add">
<Order>1</Order>
<Path>CMD /C secedit /configure /db %systemroot%\security\database\unattend.sdb /cfg %systemroot%\security\templates\unattend.inf /log %systemroot%\security\logs\unattend.log /overwrite /quiet</Path>
</RunSynchronousCommand>
</RunSynchronous>
</component>

In the meantime, I'll just edit the above to make the call from autounattend.xml as opposed to setupcomplete.cmd.

EDIT: THE ABOVE DOES NOT WORK FOR ME SO REVERTING ORIGINAL POST TO SETUPCOMPLETE.CMD

Edited by razormoon

You could also call renuser.exe (not a MS utility, but free) via a sync script in OOBE phase. This avoids having to modify the original image. This is how I do it and it works without issue.


Hi razormoon, I've followed your guide up to the part where I mount the Install.wim...

I can't seem to find that "x\temp" folder you referenced, I'm assuming the "x" is the drive path or systemdrive... I've searched all my drives and there's no "temp", must I create it myself or what? I just need to drop those files I've created, the only thing that shows on the install.wim is "components" and "Packages"

please advise

Never mind, I've figured it out... but there's still one prob though, I don't have the "setupcomplete.cmd" file, is it really necessary, how do I create it?

Edited by oidicle

Sorry 'bout that...

in \sources\$oem$\$$\setup\scripts\

SETUPCOMPLETE.CMD

@echo off
CMD /C secedit /configure /db %systemroot%\security\database\unattend.sdb /cfg %systemroot%\security\templates\unattend.inf /log %systemroot%\security\logs\unattend.log /overwrite /quiet
EXIT

Of course, you can add more commands here if you'd like.

Edited by razormoon

Thanks man, in fact I did add more commands to the setupcomplete.cmd, since I mounted the install.wim to the "temp" directory you specified, I ended up using the setupcomplete that was already there (windows\setup...) and modified it accordingly to install apps and add that line that you provided... it all went well... :thumbup

anyway, thanks for a great guide, I was struggling for two weeks to find a way to rename the "God Mode" :sneaky: administrator account, I thought I could do it without mounting the install.wim but I soon found out through unsuccessful trial and error that it was seemingly impossible... but I guess it was a blessing that I had to download WAIK and do it through the install.wim because that enabled me to do my own customizations (drop new sidebar gadgets, change the default background, etc)...

CHEERS :hello:

Edited by oidicle

One of the best things about WAIK? Removing stuff. Like those two icons on the quicklaunch bar (show desktop and switch desktop?)......grrr.

Glad it worked out! :D

Edited by razormoon

Hi Razormoon,

I tried this with Windows 2008 R2 and it is not working. Have you tried this on 2008 R2?

After the new OS is built, the template inf file is in the templates directory but the database is not. I checked with mmc/gpmc and none of the settings are there.

Any help would be much appreciated.

Thanks,

Jonn

