TL;DR: After Azure Local deployment, the local Administrator account is renamed to ASBuiltInAdmin as a security hardening measure. Use ASBuiltInAdmin (with the same password set during deployment) to log in locally or over remote PowerShell.
Recommended action:
When connecting to an Azure Local node locally or via remote PowerShell, use
ASBuiltInAdminas the username instead ofAdministrator.The password is the one you set for the local administrator during deployment — the rename does not change the password.
For ongoing administration, create your own named local administrator account and disable
ASBuiltInAdmin. The well-known RID 500 account (regardless of name) is a common attack target and should not be your day-to-day admin.
Why:
Azure Local renames the two well-known built-in accounts (RID 500 and RID 501) during deployment to reduce exposure to attacks that target these accounts by their default names. Administrator becomes ASBuiltInAdmin (enabled), and Guest becomes ASBuiltInGuest (disabled). The underlying RIDs don't change — only the display names — so the accounts still have their original privileges.
Going forward:
Treat ASBuiltInAdmin as a break-glass account, not your routine login. Create a dedicated local admin account for daily use, store the ASBuiltInAdmin credentials somewhere recoverable, and disable the RID 500 account once your own admin is in place and verified working.
Optional details:
The renamed accounts:
| Original name | Name after deployment | Enabled by default |
|---|---|---|
| Administrator | ASBuiltInAdmin |
Yes |
| Guest | ASBuiltInGuest |
No |
ASBuiltInGuest is additionally protected by the security baseline drift control mechanism, so re-enabling it manually will get reverted on the next baseline enforcement pass.
Reference: