Solved

How can I lock the Admin password from being changed by other users with administrator rights on XPPro?

Posted on 2003-03-20
Last Modified: 2013-12-04
How can I lock the Admin password from being changed by other users with administrator rights on XPPro?  QS
Question by:QuantumSingularity
11 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8175344
I don't think you can.
0
 
LVL 44

Accepted Solution

by:
CrazyOne earned 1000 total points
ID: 8175353
Any user with admin rights has all the privileges of the administrator account. Why not put them under the power user group instead?
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8175493
Don't know if this will help

HOW TO: Create and Use a Password Reset Disk for a Computer That Is Not a Domain Member in Windows XP
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;305478

HOW TO: Create and Use a Password Reset Disk for a Computer in a Domain in Windows XP
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;306214
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8175500
Also if you can't get in on the Admin account you can use the following utilities to reset the password.

Most of these are bootable floppies that give you a backdoor to the SAM registry hive and allow you to change the admin's password.

---------------------------------
Free stuff

Instructions
This is a utility to (re)set the password of any user that has a valid (local) account on your NT system, by modifying the crypted password in the registry's SAM file.
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
image files
http://home.eunet.no/~pnordahl/ntpasswd/bd030126.zip  Bootdisk image, date 030126
http://home.eunet.no/~pnordahl/ntpasswd/sc030126.zip - SCSI-drivers (030126)
The unzipped image (bdxxxxxx.bin) is a block-to-block representation of the actual floppy, and the file cannot simply be copied to the floppy. Special tools must be used to write it block by block. For Dos, win95/98 & NT, use rawrite2.exe or some other imagewriter:
http://home.eunet.no/~pnordahl/ntpasswd/rawrite2.zip - DOS Program to write floppy images.

http://home.eunet.no/~pnordahl/ntpasswd/cd030126.zip - Bootable CD image with same version and drivers as floppies above.
====================

Another one
Change administrator password on NT/2000, without knowing it!!! Bootdisk...
http://www.thomasmathiesen.com/itak/html/software.html
image file
http://www.thomasmathiesen.com/filez/sw/external/linuxbootimage.zip
image writer
http://www.thomasmathiesen.com/filez/sw/external/imagewriter.zip
====================

Another one
Offline NT Password and Registry Editor
http://www.pc-pipeline.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=3

Download it here
http://www.pc-pipeline.com/modules.php?op=modload&name=Downloads&file=index&req=getit&lid=6

Run it to create a boot floppy then follow the instructions. If you choose to do this then you are doing this at your own risk. Just change the admin pw and login then change the account pw's that you desire.

Make sure you have a floppy disk in the floppy drive and let the program create the boot floppy. Now restart the machine and let it boot from the floppy. Now follow what it instructs you to do.

Use it like a bootdisk.

Another one
NTFS/FAT Boot disk for password recovery/reset
http://www.pchelplive.com/modules.php?name=Downloads 
----------------------------------

NTAccess can replace the administrator password of a Windows XP, Windows NT or Windows 2000 system by rebooting the computer with a special set of boot disks or CD-ROM (XP only). This is useful if you forgot the administrator password and cannot access the Windows XP/2000/NT system.
http://www.sunbeltsoftware.com/product.cfm?id=265


The Password Auditing and Recovery Application
http://www.atstake.com/research/lc/index.html

L0phtCrack, The integrated password cracker for NT
http://www.securiteam.com/tools/L0phtCrack__The_integrated_password_cracker_for_NT.html

ERD Commander
http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp

When your server or workstation won't boot, you need ERD Commander 2002. ERD Commander 2002 boots dead systems directly from CD into a Windows-like environment. You'll have full access to the dead system's volumes, so you can diagnose and repair problems using tools located on the ERD Commander 2002 Start menu. And you'll have built-in network access to safely move data off of, or on to, the dead system. With ERD Commander 2002 you can repair a system quickly and easily, saving you time and rescuing your critical data.
--------------------------------------

Or you could, if you have a FAT32 file system, just boot to a Win98 bootdisk and rename the SAM file (registry Hive) in the C:\WINNT\system32\config folder to something else. Of course this will remove all accounts on the system and you will need to rebuild them. If you are using NTFS then boot to the Win2000 CD and do this from the Recovery console.

For XP
Windows XP Tip: Password Recovery Disk
Take preventive measures against losing user-level passwords
http://www.techtv.com/callforhelp/answerstips/story/0,24330,3356093,00.html
0
 
LVL 9

Expert Comment

by:MSGeek
ID: 8175804
If this is a member of a domain, you can use a group policy to disable access to Manage under My Computer.  You may also accomplish this through a local policy.

However, given they are admins, there is nothing to prevent them from disabling any such roadblocks you put in place.  A better course of action would be to make them users.
0
 

Author Comment

by:QuantumSingularity
ID: 8176017
Looks like there is no way short of dumping them out of the administrator group.  Thanks, QS
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 8176053
:>)
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8319742
QUANTUMSINGULARITY... "Looks like there is no way short of dumping them out of the administrator group"

Well - I hope that you followed CRAZYONE's (accepted) answer to add them to local power users group, because there's a damn good reason to remove them from the local admin group.

PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/her own workstation

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734



IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!


BTW - I'm not trying to get points here - my only concern is, that you don't have domain users in local admin group.

Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
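An audit for the two rules in the comment above, as an added example that is not part of the original thread: it flags domain groups in the local Administrators group and domain users who are local admin on more than one machine. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`); the function names, the `CONTOSO` domain and the host names are hypothetical, and the inventory is constructed sample data.

```powershell
# Added example (not from the thread). CONTOSO, WS01 and WS02 are constructed names.

function Get-LocalAdminInventory {
    # Members of the built-in Administrators group on this machine, looked up by
    # its well-known SID (S-1-5-32-544) so localized group names do not matter.
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            Name            = $_.Name
            ObjectClass     = "$($_.ObjectClass)"
            PrincipalSource = "$($_.PrincipalSource)"
        }
    }
}

function Find-RiskyLocalAdmin {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [string[]]$AllowedGroups = @()   # groups you expect, e.g. 'CONTOSO\Domain Admins'
    )
    $domain = @($Inventory | Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' })

    # Rule 1: a domain group here makes every one of its members a local admin.
    foreach ($m in $domain) {
        if ($m.ObjectClass -eq 'Group' -and $m.Name -notin $AllowedGroups) {
            [pscustomobject]@{ Finding = 'DomainGroupInLocalAdmins'; Name = $m.Name; Computers = $m.ComputerName }
        }
    }
    # Rule 2: the same domain user is a local admin on more than one machine.
    $users = @($domain | Where-Object { $_.ObjectClass -eq 'User' })
    foreach ($g in ($users | Group-Object -Property Name)) {
        $hosts = @($g.Group | ForEach-Object { $_.ComputerName } | Sort-Object -Unique)
        if ($hosts.Count -gt 1) {
            [pscustomobject]@{ Finding = 'DomainUserAdminOnMultipleHosts'; Name = $g.Name; Computers = $hosts -join ', ' }
        }
    }
}

# Constructed inventory standing in for Get-LocalAdminInventory output from two workstations.
$sample = @(
    [pscustomobject]@{ ComputerName = 'WS01'; Name = 'WS01\Administrator';    ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ ComputerName = 'WS01'; Name = 'CONTOSO\Domain Admins'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ ComputerName = 'WS01'; Name = 'CONTOSO\Sales Staff';   ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ ComputerName = 'WS01'; Name = 'CONTOSO\alice';         ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ ComputerName = 'WS02'; Name = 'CONTOSO\alice';         ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
)
Find-RiskyLocalAdmin -Inventory $sample -AllowedGroups 'CONTOSO\Domain Admins' | Format-Table -AutoSize
```

On the sample this reports `CONTOSO\Sales Staff` on WS01 under the first rule and `CONTOSO\alice` on WS01, WS02 under the second.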
 

Author Comment

by:QuantumSingularity
ID: 8319821
Jorgen,

Appreciate all the good info - the problem was resolved some time ago.

QS
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8319850
:o) Yes I know before answering

I'm not trying to get points here - my only concern was, that you don't have domain users in local admin group.
0
 

Author Comment

by:QuantumSingularity
ID: 8319945
Jorgen,

I hear you on the points - the question was asked of me by a customer and the last I heard he had resolved the problem but I have no particulars.

QS
0
