A customer had, at some point in the past, partially implemented a (written) policy under which the Local Administrator account was renamed according to a special convention.

This policy stated that the Administrator account needed to be renamed to admin with the computername as a prefix.

However, they didn’t know exactly which machines this policy had been applied to. I was asked to write a script that would check a list of machine names, query the Administrator account name on each and write the results to a new list.

The Administrator account has a well-known SID of S-1-5-21-xxxxxxx-500, where xxxxxxx is the SID of the computer. Because the SID does not change when the account is renamed, it identifies the account whatever its current name is.

This makes it an easy task for PowerShell: we use the Win32_UserAccount WMI class and filter it on ‘S-1-5-%-500’:

Here is the script:
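One way to implement the check described above, as an added example and not the author's original script. The file names `computers.txt` and `admin-accounts.csv`, the function name `Get-LocalAdminName`, and the exact naming convention (computer name immediately followed by `admin`, no separator) are assumptions.

```powershell
# Added example. Assumed names: computers.txt (one machine name per line),
# admin-accounts.csv (output) and the function Get-LocalAdminName.
function Get-LocalAdminName {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ComputerName
    )
    process {
        $result = [pscustomobject]@{
            ComputerName = $ComputerName
            AdminName    = $null
            SID          = $null
            Disabled     = $null
            Compliant    = $false
            Error        = $null
        }
        try {
            # LocalAccount = TRUE restricts the query to the machine's own
            # accounts; on a domain member the domain Administrator also
            # has a SID ending in -500 and would otherwise match the filter.
            $acct = Get-CimInstance -ClassName Win32_UserAccount `
                -ComputerName $ComputerName `
                -Filter "LocalAccount = TRUE AND SID LIKE 'S-1-5-%-500'" `
                -ErrorAction Stop | Select-Object -First 1
            if ($acct) {
                $result.AdminName = $acct.Name
                $result.SID       = $acct.SID
                $result.Disabled  = $acct.Disabled
                # Assumption: the convention is "<computername>admin".
                # Use the short host name if an FQDN was supplied.
                $short = ($ComputerName -split '\.')[0]
                $result.Compliant = ($acct.Name -eq "${short}admin")
            } else {
                $result.Error = 'No local account with RID 500 returned'
            }
        } catch {
            # Unreachable or access-denied machines still get a row.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

Get-Content -Path .\computers.txt |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Get-LocalAdminName |
    Export-Csv -Path .\admin-accounts.csv -NoTypeInformation
```

Machines that cannot be queried appear in the output with the `Error` column filled in, so they can be told apart from machines where the account was simply not renamed.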