Built-in domain administrator – lock or disable?

Maybe this is well known but it was a learning experience for me.

The built-in administrator in a domain CAN be locked out. However, when you go to log in as the admin, it will auto-unlock the account. So essentially it doesn’t lock. You can also disable the account and it will actually be disabled. Supposedly, if you have to restore your AD, it will unlock this account automatically when in restore mode. I fortunately have not had the chance to test this :]

To find your built-in domain admin if the name has been changed (from: administrator):

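Import-Module ActiveDirectory
# The built-in Administrator always has the domain SID followed by RID 500
$BA = (Get-ADDomain).DomainSID
$BA = $BA.ToString() + "-500"
Get-ADUser -Identity $BA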

reference: http://www.open-a-socket.com/index.php/2011/05/01/how-to-find-the-renamed-domain-built-in-administrator-account-with-powershell/
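
The lookup above extends naturally into a status check that shows whether the RID-500 account is currently enabled or locked out, here generalized to every domain in the forest. This is an added example, not code from the original post or the referenced article; the function name Get-BuiltinAdminStatus is hypothetical, and it assumes the ActiveDirectory module (RSAT) and read access to each domain.

```powershell
# Added example: the function name Get-BuiltinAdminStatus is hypothetical.
# Assumes the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

function Get-BuiltinAdminStatus {
    param(
        # Domains to check; defaults to every domain in the current forest.
        [string[]]$Domain = (Get-ADForest).Domains
    )
    foreach ($name in $Domain) {
        $dom = Get-ADDomain -Server $name
        # The built-in Administrator is always <domain SID>-500, whatever its name.
        $sid = "$($dom.DomainSID.Value)-500"
        $user = Get-ADUser -Identity $sid -Server $name `
            -Properties LockedOut, LastLogonDate, LastBadPasswordAttempt, PasswordLastSet
        [pscustomobject]@{
            Domain                 = $dom.DNSRoot
            SamAccountName         = $user.SamAccountName
            # True when the account no longer carries the default name.
            Renamed                = $user.SamAccountName -ne 'Administrator'
            Enabled                = $user.Enabled
            LockedOut              = $user.LockedOut
            # LastLogonDate comes from lastLogonTimestamp, which replicates with a delay.
            LastLogonDate          = $user.LastLogonDate
            LastBadPasswordAttempt = $user.LastBadPasswordAttempt
            PasswordLastSet        = $user.PasswordLastSet
        }
    }
}

Get-BuiltinAdminStatus | Format-Table -AutoSize
```

Run on a schedule, the Enabled, LockedOut and LastBadPasswordAttempt columns give a quick view of whether the account is in the state you intended and whether anything has been trying to log in as it.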


