When Windows workstation or server is installed, the default built-in administrator account name is Administrator. Some companies rename the local built-in administrator account, as a result, instead of using the default account name, we will use the account well-known security identifier (SID). The account SID has the following format “S-1-5-domain-500″.

Commands used

Disable-LocalUser	Disables a local user account.
Get-LocalUser	Gets local user accounts.
Get-WmiObject	Gets instances of Windows Management Instrumentation (WMI) classes or information about the available classes.

Find built-in local administrator account name

Use the following command to find the account on the local system.

Get-LocalUser | Where-Object {$_.Sid -Like "*-500"}

1	Get-LocalUser \| Where-Object {$_.Sid -Like "*-500"}

Find built-in local administrator account name on remote system

For a remote system or even a local system, we can use Get-WmiObject.

Get-WmiObject -ComputerName "WIN10-1234" -Class Win32_UserAccount -Filter "LocalAccount=True" `
            | Where-Object {$_.Sid -Like "*-500"}

1 2	Get-WmiObject -ComputerName "WIN10-1234" -Class Win32_UserAccount -Filter "LocalAccount=True" ` \| Where-Object {$_.Sid -Like "*-500"}

With PowerShell splatting:

$Params = @{
    ComputerName = "WIN10-1234"
    Class = "Win32_UserAccount"
    Filter = "LocalAccount=True"
}
Get-WmiObject @Params | Where-Object {$_.Sid -Like "*-500"}

$Params = @{

ComputerName = "WIN10-1234"

Class = "Win32_UserAccount"

Filter = "LocalAccount=True"

}

Get-WmiObject @Params | Where-Object {$_.Sid -Like "*-500"}

Find built-in local administrator account name on multiple systems

$Systems = @("WIN10-1111","WIN10-2222","WIN10-3333")
ForEach ($ComputerName in $Systems) {
    Get-WmiObject -ComputerName $ComputerName -Class Win32_UserAccount -Filter "LocalAccount=True" `
            | Where-Object {$_.Sid -Like "*-500"} | Select Name
}

$Systems = @("WIN10-1111","WIN10-2222","WIN10-3333")

ForEach ($ComputerName in $Systems) {

Get-WmiObject -ComputerName $ComputerName -Class Win32_UserAccount -Filter "LocalAccount=True" `

| Where-Object {$_.Sid -Like "*-500"} | Select Name

}

Disable built-in local administrator account

To disable the account, use Disable-LocalUser.

Get-WmiObject -ComputerName "WIN10-1234" -Class Win32_UserAccount -Filter "LocalAccount=True" `
            | Where-Object {$_.Sid -Like "*-500"} | Disable-LocalUser

1 2	Get-WmiObject -ComputerName "WIN10-1234" -Class Win32_UserAccount -Filter "LocalAccount=True" ` \| Where-Object {$_.Sid -Like "*-500"} \| Disable-LocalUser

In conclusion

In summary, we explored how to get the name of the built-in administrator account name, even if it was renamed, on a single or multiple systems. Also, how to disable the account.

Did you find this code easy to follow and helpful to you? I certainly would love to hear your feedback and suggestions. So, let me know in the comments below. Happy PowerShelling.

Disclaimer

Purpose of the code contained in blog is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.