{"id":69333,"date":"2005-07-22T14:41:00","date_gmt":"2005-07-22T14:41:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/07\/22\/how-can-i-determine-if-the-local-administrator-account-has-been-renamed-on-a-computer\/"},"modified":"2005-07-22T14:41:00","modified_gmt":"2005-07-22T14:41:00","slug":"how-can-i-determine-if-the-local-administrator-account-has-been-renamed-on-a-computer","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-determine-if-the-local-administrator-account-has-been-renamed-on-a-computer\/","title":{"rendered":"How Can I Determine if the Local Administrator Account has been Renamed on a Computer?"},"content":{"rendered":"<p><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Question\" height=\"34\" alt=\"Hey, Scripting Guy! Question\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" width=\"34\" align=\"left\" border=\"0\"> \n<P>Hey, Scripting Guy! How can I determine if the local administrator account has been renamed on a computer?<BR><BR>&#8212; KF<\/P><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Answer\" height=\"34\" alt=\"Hey, Scripting Guy! Answer\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" width=\"34\" align=\"left\" border=\"0\"> \n<P>Hey, KF. 
You know, our first thought was to tell you to use ADSI and try to bind to the local administrator account on the computer; if that failed, that would mean that there <I>was<\/I> no account named Administrator on that computer. In turn, that would mean that the account had either been renamed or deleted.<\/P>\n<P>But then we thought about this a little more. (Yes, having two thoughts in a single day <I>is<\/I> a Scripting Guys record.) Suppose the local administrator account <I>had<\/I> been renamed. In that case, you\u2019d probably want to know the new name for the account. So what we <I>really<\/I> want to know is the name of the local administrator account. Period.<\/P>\n<P>But how can we know the name of the account if the account has been renamed? (This is the scripting equivalent of, \u201cIf a tree falls in the forest and no one is there to hear it, does it still make a sound?\u201d) Why, through the magic of the \u201cwell-known SID,\u201d of course. A SID, as you probably know, is a \u201csecurity identifier,\u201d a unique identifier assigned to each account on a computer. The computer actually uses the SID to keep track of each account: if you rename the administrator account the computer still knows which account is the administrator account. That\u2019s because the SID &#8211; unlike the name &#8211; never changes.<\/P>\n<P>Now that sounds pretty good except for one thing: if the SID is a unique identifier then how can we determine which SID represents the administrator account? That\u2019s where the \u201cwell-known\u201d part comes in. On a computer the SID for a local administrator will <I>always<\/I> begin with <B>S-1-5-<\/B> and end with <B>-500<\/B>. (That\u2019s why the administrator SID &#8211; and other SIDs, such as SIDs for the Guest account &#8211; are considered well-known.) 
For example, you might have a SID that looks like this:<\/P><PRE class=\"codeSample\">S-1-5-21-1559272821-92556266-1055285598-500\n<\/PRE>\n<P>As you can see, our SID starts with S-1-5- and ends with -500. If we can find a SID that fits that pattern, then we\u2019ve found our local administrator account. <\/P>\n<P>So <I>can<\/I> we find a SID that fits that pattern? Yes, by using a script like this:<\/P><PRE class=\"codeSample\">' The dot is the WMI shortcut for the local computer\nstrComputer = &quot;.&quot;\n\nSet objWMIService = GetObject(&quot;winmgmts:\\\\&quot; &amp; strComputer &amp; &quot;\\root\\cimv2&quot;)\n\n' Return local accounts only (LocalAccount requires Windows XP or later)\nSet colAccounts = objWMIService.ExecQuery _\n    (&quot;Select * From Win32_UserAccount Where LocalAccount = TRUE&quot;)\n\n' The local administrator SID starts with S-1-5- and ends with -500\nFor Each objAccount in colAccounts\n    If Left (objAccount.SID, 6) = &quot;S-1-5-&quot; and Right(objAccount.SID, 4) = &quot;-500&quot; Then\n        Wscript.Echo objAccount.Name\n    End If\nNext\n<\/PRE>\n<TABLE class=\"dataTable\" id=\"E2D\" cellSpacing=\"0\" cellPadding=\"0\">\n<THEAD><\/THEAD>\n<TBODY>\n<TR class=\"record\" vAlign=\"top\">\n<TD class=\"\">\n<P class=\"lastInCell\"><B>Note<\/B>. This particular script works only on Windows XP and Windows Server 2003. In a minute we\u2019ll show you a way to perform this same task on Windows 2000 Server or Windows NT Server 4.0.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n<DIV class=\"dataTableBottomMargin\"><\/DIV>\n<P>We begin by connecting to the WMI service on a computer, then use this query to retrieve a list of local user accounts:<\/P><PRE class=\"codeSample\">Set colAccounts = objWMIService.ExecQuery _\n    (&quot;Select * From Win32_UserAccount Where LocalAccount = TRUE&quot;)\n<\/PRE>\n<P>Note the use of the Where clause <B>Where LocalAccount = TRUE<\/B>. That ensures that we get back only local accounts; we aren\u2019t interested in weeding through domain accounts. 
This is also the reason why this particular script won\u2019t run on Windows 2000 or Windows NT 4.0; the LocalAccount property wasn\u2019t introduced until Windows XP.<\/P>\n<P>After getting back a collection of local user accounts we set up a For Each loop and walk through the collection. For each account we use this line of code to see if the account fits the well-known SID pattern:<\/P><PRE class=\"codeSample\">If Left (objAccount.SID, 6) = &quot;S-1-5-&quot; and Right(objAccount.SID, 4) = &quot;-500&quot; Then\n<\/PRE>\n<P>As you can see, we simply check to see if the first six characters in the string equal <B>S-1-5-<\/B> <I>and<\/I> if the last four characters equal <B>-500<\/B>. If they do then we\u2019ve found the local administrator account and we echo the account name. If they don\u2019t, then we loop around and check the next account in the collection.<\/P>\n<P>That should do the trick, provided that you\u2019re running the script on Windows XP or Windows Server 2003. If you\u2019re running on Windows 2000 Server or Windows NT Server 4.0 you can use this variation. (This version will also work on Windows XP and Windows Server 2003.) In this script we begin by assigning the name of the computer to the variable strComputer; note, too, that we need to use the actual computer name and not the dot (a WMI shortcut method for indicating the local machine). We have to use the computer name because we\u2019ll use this variable to look for accounts with a \u201cdomain\u201d that matches the computer name. (It\u2019s confusing, but in a technical sense a computer is a domain, though obviously not on the scale of something like Active Directory.) Although a dot might represent the local computer name in WMI, it does <I>not<\/I> represent a domain name. Therefore, we must be very explicit when specifying the computer name.<\/P>\n<P>And, yes, when dealing with a local computer account the domain name is equivalent to the computer name. 
If you have a user named kmyer and a computer named atl-ws-01, the domain name is atl-ws-01 and the user name is kmyer. <\/P>\n<P>We then use a modified query to return a collection of accounts where the <B>Domain<\/B> is equal to the name of the local machine; that will eliminate Active Directory accounts and return only local accounts.<\/P>\n<P>Here\u2019s the script:<\/P><PRE class=\"codeSample\">' Use the actual computer name here; the dot shortcut is not a domain name\nstrComputer = &quot;atl-ws-01&quot;\n\nSet objWMIService = GetObject(&quot;winmgmts:\\\\&quot; &amp; strComputer &amp; &quot;\\root\\cimv2&quot;)\n\n' Match accounts whose domain is the computer name, that is, local accounts\nSet colAccounts = objWMIService.ExecQuery _\n    (&quot;Select * From Win32_UserAccount Where Domain = '&quot; &amp; strComputer &amp; &quot;'&quot;)\n\n' The local administrator SID starts with S-1-5- and ends with -500\nFor Each objAccount in colAccounts\n    If Left (objAccount.SID, 6) = &quot;S-1-5-&quot; and Right(objAccount.SID, 4) = &quot;-500&quot; Then\n        Wscript.Echo objAccount.Name\n    End If\nNext\n<\/PRE>\n<P>Why are we so concerned with limiting the returned collection to local accounts? Well, without that clause the <B>Win32_UserAccount<\/B> class will try to return a list of all the user accounts in Active Directory as well as all the local user accounts. If you have an hour or two (or three) to kill, well, what the heck: go ahead and return &#8211; and weed through &#8211; several thousand user accounts if you want to. Otherwise you\u2019re better off limiting the returned data to local accounts only. <\/P><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey, Scripting Guy! How can I determine if the local administrator account has been renamed on a computer?&#8212; KF Hey, KF. 
You know, our first thought was to tell you to use ADSI and try to bind to the local administrator account on the computer; if that failed, that would mean that there was no [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[23,24,3,5],"class_list":["post-69333","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-local-accounts-and-windows-nt-4-0-accounts","tag-other-directory-services","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"<p>Hey, Scripting Guy! How can I determine if the local administrator account has been renamed on a computer?&#8212; KF Hey, KF. You know, our first thought was to tell you to use ADSI and try to bind to the local administrator account on the computer; if that failed, that would mean that there was no 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=69333"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69333\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=69333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=69333"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=69333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}