Rename administrator account policy affects domain admin user account

Jay Scovill

I've had this annoying problem forever on Windows 2000 GPOs and am
wondering if there is a solution.

I have created a GPO that renames the local administrator account on all of
our workstations using the "Rename Administrator Account" under Local
Policies -> Security Option. I apply this at the domain level.

The problem is the GPO also affects the pre-Windows 2000 logon name for the
domain administrator account. This causes no end of troubles since that is
the account name used by some service accounts.

First of all, why is this GPO for renaming a LOCAL administrator account
affecting the domain administrator account and second, how do I stop this
from happening?

Any ideas?
 
You need to disable this policy on the default Domain Controller policy. The
lower level policy still applies if other policies are set to not defined.
As for why: a Domain Administrator account is a local account for a DC.
 
Two things:

First, I can't disable the policy in the Default Domain Controller GPO.
It's either Not Defined or I have to define the name I want the
administrator user account renamed to. I suppose I could just define it as
the name I want it to be. But see the second point.

Second, I have turned off inheritance to the Domain Controllers OU so that
domain policy that renames the admin user account isn't even being applied
to the Default Domain Controller OU, yet it is still affecting the domain
administrator account.
 