How to find the renamed domain Built-In Administrator account with Powershell

By | May 1, 2011

Many organisations choose to rename the Built-in Administrator account for the domain for security reasons.  Whether or not renaming the account provides any real protection is the matter of some debate.  What is clear is that any hacker worth his or her salt is not going to be fooled by the rename, because the account has a well known security identifer:

SID: S-1-5-21domain-500

I was working on something the other day and needed to find the Built-in Administrator account using Powershell.  It wasn’t quite as straightforward as I thought it would be.  Anyway, here’s what I came up with:

$BA = (Get-ADDomain).domainsid 
$BA = $BA.ToString() + "-500" 
Get-ADUser -Identity $BA

As you can see it basically involves grabbing the domain SID, adding on the well-known identifier “-500” and then searching for the account based on the concatenanted string. 

I can’t help thinking there must be an easier method, so if you have one please post a comment here.

8 thoughts on “How to find the renamed domain Built-In Administrator account with Powershell

  1. ldap389

    Hello,

    I use this method:

    Get-ADUser -filter {isCriticalSystemObject -eq $true -and Admincount -eq 1 -and SamAccountName -ne “krbtgt”}

    But I think yours is more accurate 🙂

    Regards

    Reply
  2. Pingback: built-in domain administrator - lock out or disable? | Adam Akers Blog

  3. Pingback: built-in domain administrator - lock out or disable? | Adam Akers Blog

  4. GUALHERO

    Thank you very much for all the posts, specially for the original idea.
    Just in case you want that one in just one line, it would be it:
    Get-ADUser -Identity “$(((Get-ADDomain).domainsid).ToString())-500”

    The other suggested line also works:
    Get-ADUser -Filter * | Where {$_.sid -match “-500”}

    Reply
  5. Robert Rostek

    careful, –match is a regexp parser, it will also find objects having the searchstring anywhere, not just at the end of the string.

    so to match strings ENDING with -xxx you should write

    Get-ADUser -filter * | where {$_.sid -match ‘-500$’}

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.