• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 233
  • Last Modified:

How can I lock the Admin password from being changed by other users with administrator rights on XPPro?

How can I lock the Admin password from being changed by other users with administrator rights on XPPro?  QS
0
QuantumSingularity
Asked:
QuantumSingularity
  • 5
  • 3
  • 2
  • +1
1 Solution
 
CrazyOneCommented:
I don't think you can.
0
 
CrazyOneCommented:
Any user with admin rights has all the privleges of the administrator account. Why not put them under the power user group instead?
0
 
CrazyOneCommented:
Don't know if this will help

HOW TO: Create and Use a Password Reset Disk for a Computer That Is Not a Domain Member in Windows XP
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;305478

HOW TO: Create and Use a Password Reset Disk for a Computer in a Domain in Windows XP
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;306214
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
CrazyOneCommented:
Also if you can't get in on the Admin account you can use the following uitlities to reset the password.

Most of these are bootable floppies that give you a backdoor to the SAM registry hive and allows you change the admins password.

---------------------------------
Free stuff

Instructions
This is a utility to (re)set the password of any user that has a valid (local) account on your NT system, by modifying  the crypted password in the registrys SAM file.
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
image files
http://home.eunet.no/~pnordahl/ntpasswd/bd030126.zip  Bootdisk image, date 030126
http://home.eunet.no/~pnordahl/ntpasswd/sc030126.zip - SCSI-drivers (030126)
The unzipped image (bdxxxxxx.bin) is a block-to-block representation of the actual floppy, and the file cannot simply be copied to the floppy. Special tools must be used to write it block by block. For Dos, win95/98 & NT, use rawrite2.exe or some other imagewriter:
http://home.eunet.no/~pnordahl/ntpasswd/rawrite2.zip - DOS Program to write floppy images.

http://home.eunet.no/~pnordahl/ntpasswd/cd030126.zip - Bootable CD image with same version and drivers as floppies above.
====================

Another one
Change administrator password on NT/2000, without knowing it!!! Bootdisk...
http://www.thomasmathiesen.com/itak/html/software.html
image file
http://www.thomasmathiesen.com/filez/sw/external/linuxbootimage.zip
image writer
http://www.thomasmathiesen.com/filez/sw/external/imagewriter.zip
====================

Another one
Offline NT Password and Registry Editor
http://www.pc-pipeline.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=3

Download it here
http://www.pc-pipeline.com/modules.php?op=modload&name=Downloads&file=index&req=getit&lid=6

Run it to create a boot floppy then follow the instructions. If you choose to do this then you are doing this at your own risk. Just change the admin pw and login then change the account pw's that you desire.

Make sure you have a floppy disk in the floppy drive and let the program create the boot floppy. Now restart the machine a let it boot from the floppy. Now follow what it instructs you to do.

Use it like a bootdisk.

Another one
NTFS/FAT Boot disk for password recovery/reset
http://www.pchelplive.com/modules.php?name=Downloads 
----------------------------------

NTAccess can replace the administrator password of a Windows XP, Windows NT or Windows 2000 system by rebooting the computer with a special set of boot disks or CD-ROM (XP only). This is useful if you forgot the administrator password and cannot access the Windows XP/2000/NT system.
http://www.sunbeltsoftware.com/product.cfm?id=265


The Password Auditing and Recovery Application
http://www.atstake.com/research/lc/index.html

L0phtCrack, The integrated password cracker for NT
http://www.securiteam.com/tools/L0phtCrack__The_integrated_password_cracker_for_NT.html

ERD Commander
http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp

When your server or workstation won't boot, you need ERD Commander 2002. ERD Commander 2002 boots dead systems directly from CD into a Windows-like environment. You'll have full access to the dead system's volumes, so you can diagnose and repair problems using tools located on the ERD Commander 2002 Start menu. And you'll have built-in network access to safely move data off of, or on to, the dead system. With ERD Commander 2002 you can repair a system quickly and easily, saving you time and rescuing your critical data.
--------------------------------------

Or you could, if you have a FAT32 file system, just boot to a Win98 bootdisk and rename the SAM file (registry Hive) in the C:\WINNT\system32\config folder to something else. Of course this will remove all accounts on the system and you will need to rebuild them. If you are using NTFS then boot to the Win2000 CD and do this from the Recovery console.

For XP
Windows XP Tip: Password Recovery Disk
Take preventive measures against losing user-level passwords
http://www.techtv.com/callforhelp/answerstips/story/0,24330,3356093,00.html
0
 
MSGeekCommented:
If this is a member of a domain, you can use a group policy to disable access to Manage under My Computer.  You may also accomplish this through a local policy.

However, given they are admins, there is nothing to prevent them from disabling any such roadblocks you out in place.  A better course of action would be to make them users.
0
 
QuantumSingularityAuthor Commented:
Looks like there is no way short of dumping them out of the administrator group.  Thanks, QS
0
 
CrazyOneCommented:
:>)
0
 
trywaredkCommented:
QUANTUMSINGULARITY... "Looks like there is no way short of dumping them out of the administrator group"

Well - I hope that you followed CRAZYONE's (accepted) answer to add them to local power users group, because there's a damn good reason to remove them from the local admin group.

PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/hers own workstation

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734



IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!


BTW - I'm not trying to get points here - my only concern is, that you don't have domain users in local admin group.

Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
QuantumSingularityAuthor Commented:
Jorgen,

Appreciate all the good info - the problem was resolved some time ago.

QS
0
 
trywaredkCommented:
:o) Yes I know before answering

I'm not trying to get points here - my only concern was, that you don't have domain users in local admin group.
0
 
QuantumSingularityAuthor Commented:
Jorgen,

I hear you on the points - the question was asked of me by a customer and the last I heard he had resolved the problem but I have no particulars.

QS
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 5
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now