QuantumSingularity
asked on
How can I lock the Admin password from being changed by other users with administrator rights on XPPro?
How can I lock the Admin password from being changed by other users with administrator rights on XPPro? QS
CrazyOne
I don't think you can.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Don't know if this will help
HOW TO: Create and Use a Password Reset Disk for a Computer That Is Not a Domain Member in Windows XP
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;305478
HOW TO: Create and Use a Password Reset Disk for a Computer in a Domain in Windows XP
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;306214
HOW TO: Create and Use a Password Reset Disk for a Computer That Is Not a Domain Member in Windows XP
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;305478
HOW TO: Create and Use a Password Reset Disk for a Computer in a Domain in Windows XP
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;306214
Also if you can't get in on the Admin account you can use the following uitlities to reset the password.
Most of these are bootable floppies that give you a backdoor to the SAM registry hive and allows you change the admins password.
--------------------------
Free stuff
Instructions
This is a utility to (re)set the password of any user that has a valid (local) account on your NT system, by modifying the crypted password in the registrys SAM file.
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
image files
http://home.eunet.no/~pnordahl/ntpasswd/bd030126.zip Bootdisk image, date 030126
http://home.eunet.no/~pnordahl/ntpasswd/sc030126.zip - SCSI-drivers (030126)
The unzipped image (bdxxxxxx.bin) is a block-to-block representation of the actual floppy, and the file cannot simply be copied to the floppy. Special tools must be used to write it block by block. For Dos, win95/98 & NT, use rawrite2.exe or some other imagewriter:
http://home.eunet.no/~pnordahl/ntpasswd/rawrite2.zip - DOS Program to write floppy images.
http://home.eunet.no/~pnordahl/ntpasswd/cd030126.zip - Bootable CD image with same version and drivers as floppies above.
====================
Another one
Change administrator password on NT/2000, without knowing it!!! Bootdisk...
http://www.thomasmathiesen.com/itak/html/software.html
image file
http://www.thomasmathiesen.com/filez/sw/external/linuxbootimage.zip
image writer
http://www.thomasmathiesen.com/filez/sw/external/imagewriter.zip
====================
Another one
Offline NT Password and Registry Editor
http://www.pc-pipeline.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=3
Download it here
http://www.pc-pipeline.com/modules.php?op=modload&name=Downloads&file=index&req=getit&lid=6
Run it to create a boot floppy then follow the instructions. If you choose to do this then you are doing this at your own risk. Just change the admin pw and login then change the account pw's that you desire.
Make sure you have a floppy disk in the floppy drive and let the program create the boot floppy. Now restart the machine a let it boot from the floppy. Now follow what it instructs you to do.
Use it like a bootdisk.
Another one
NTFS/FAT Boot disk for password recovery/reset
http://www.pchelplive.com/modules.php?name=Downloads
--------------------------
NTAccess can replace the administrator password of a Windows XP, Windows NT or Windows 2000 system by rebooting the computer with a special set of boot disks or CD-ROM (XP only). This is useful if you forgot the administrator password and cannot access the Windows XP/2000/NT system.
http://www.sunbeltsoftware.com/product.cfm?id=265
The Password Auditing and Recovery Application
http://www.atstake.com/research/lc/index.html
L0phtCrack, The integrated password cracker for NT
http://www.securiteam.com/tools/L0phtCrack__The_integrated_password_cracker_for_NT.html
ERD Commander
http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp
When your server or workstation won't boot, you need ERD Commander 2002. ERD Commander 2002 boots dead systems directly from CD into a Windows-like environment. You'll have full access to the dead system's volumes, so you can diagnose and repair problems using tools located on the ERD Commander 2002 Start menu. And you'll have built-in network access to safely move data off of, or on to, the dead system. With ERD Commander 2002 you can repair a system quickly and easily, saving you time and rescuing your critical data.
--------------------------
Or you could, if you have a FAT32 file system, just boot to a Win98 bootdisk and rename the SAM file (registry Hive) in the C:\WINNT\system32\config folder to something else. Of course this will remove all accounts on the system and you will need to rebuild them. If you are using NTFS then boot to the Win2000 CD and do this from the Recovery console.
For XP
Windows XP Tip: Password Recovery Disk
Take preventive measures against losing user-level passwords
http://www.techtv.com/callforhelp/answerstips/story/0,24330,3356093,00.html
Most of these are bootable floppies that give you a backdoor to the SAM registry hive and allows you change the admins password.
--------------------------
Free stuff
Instructions
This is a utility to (re)set the password of any user that has a valid (local) account on your NT system, by modifying the crypted password in the registrys SAM file.
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
image files
http://home.eunet.no/~pnordahl/ntpasswd/bd030126.zip Bootdisk image, date 030126
http://home.eunet.no/~pnordahl/ntpasswd/sc030126.zip - SCSI-drivers (030126)
The unzipped image (bdxxxxxx.bin) is a block-to-block representation of the actual floppy, and the file cannot simply be copied to the floppy. Special tools must be used to write it block by block. For Dos, win95/98 & NT, use rawrite2.exe or some other imagewriter:
http://home.eunet.no/~pnordahl/ntpasswd/rawrite2.zip - DOS Program to write floppy images.
http://home.eunet.no/~pnordahl/ntpasswd/cd030126.zip - Bootable CD image with same version and drivers as floppies above.
====================
Another one
Change administrator password on NT/2000, without knowing it!!! Bootdisk...
http://www.thomasmathiesen.com/itak/html/software.html
image file
http://www.thomasmathiesen.com/filez/sw/external/linuxbootimage.zip
image writer
http://www.thomasmathiesen.com/filez/sw/external/imagewriter.zip
====================
Another one
Offline NT Password and Registry Editor
http://www.pc-pipeline.com/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=3
Download it here
http://www.pc-pipeline.com/modules.php?op=modload&name=Downloads&file=index&req=getit&lid=6
Run it to create a boot floppy then follow the instructions. If you choose to do this then you are doing this at your own risk. Just change the admin pw and login then change the account pw's that you desire.
Make sure you have a floppy disk in the floppy drive and let the program create the boot floppy. Now restart the machine a let it boot from the floppy. Now follow what it instructs you to do.
Use it like a bootdisk.
Another one
NTFS/FAT Boot disk for password recovery/reset
http://www.pchelplive.com/modules.php?name=Downloads
--------------------------
NTAccess can replace the administrator password of a Windows XP, Windows NT or Windows 2000 system by rebooting the computer with a special set of boot disks or CD-ROM (XP only). This is useful if you forgot the administrator password and cannot access the Windows XP/2000/NT system.
http://www.sunbeltsoftware.com/product.cfm?id=265
The Password Auditing and Recovery Application
http://www.atstake.com/research/lc/index.html
L0phtCrack, The integrated password cracker for NT
http://www.securiteam.com/tools/L0phtCrack__The_integrated_password_cracker_for_NT.html
ERD Commander
http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp
When your server or workstation won't boot, you need ERD Commander 2002. ERD Commander 2002 boots dead systems directly from CD into a Windows-like environment. You'll have full access to the dead system's volumes, so you can diagnose and repair problems using tools located on the ERD Commander 2002 Start menu. And you'll have built-in network access to safely move data off of, or on to, the dead system. With ERD Commander 2002 you can repair a system quickly and easily, saving you time and rescuing your critical data.
--------------------------
Or you could, if you have a FAT32 file system, just boot to a Win98 bootdisk and rename the SAM file (registry Hive) in the C:\WINNT\system32\config folder to something else. Of course this will remove all accounts on the system and you will need to rebuild them. If you are using NTFS then boot to the Win2000 CD and do this from the Recovery console.
For XP
Windows XP Tip: Password Recovery Disk
Take preventive measures against losing user-level passwords
http://www.techtv.com/callforhelp/answerstips/story/0,24330,3356093,00.html
If this is a member of a domain, you can use a group policy to disable access to Manage under My Computer. You may also accomplish this through a local policy.
However, given they are admins, there is nothing to prevent them from disabling any such roadblocks you out in place. A better course of action would be to make them users.
However, given they are admins, there is nothing to prevent them from disabling any such roadblocks you out in place. A better course of action would be to make them users.
ASKER
Looks like there is no way short of dumping them out of the administrator group. Thanks, QS
:>)
QUANTUMSINGULARITY... "Looks like there is no way short of dumping them out of the administrator group"
Well - I hope that you followed CRAZYONE's (accepted) answer to add them to local power users group, because there's a damn good reason to remove them from the local admin group.
PLEASE READ THIS CAREFULLY:
You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.
And You must NEVER add the same Domain User to the Local Admin Group on more than his/hers own workstation
If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.
The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)
IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
https://www.experts-exchange.com/questions/20506528/DomainUsers-in-LocalAdminGroup.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734
IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.
Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.
Please reply, when You have removed the Domain User Group from the Local Admin Group again!
BTW - I'm not trying to get points here - my only concern is, that you don't have domain users in local admin group.
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open
Well - I hope that you followed CRAZYONE's (accepted) answer to add them to local power users group, because there's a damn good reason to remove them from the local admin group.
PLEASE READ THIS CAREFULLY:
You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.
And You must NEVER add the same Domain User to the Local Admin Group on more than his/hers own workstation
If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.
The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)
IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
https://www.experts-exchange.com/questions/20506528/DomainUsers-in-LocalAdminGroup.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734
IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.
Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.
Please reply, when You have removed the Domain User Group from the Local Admin Group again!
BTW - I'm not trying to get points here - my only concern is, that you don't have domain users in local admin group.
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open
ASKER
Jorgen,
Appreciate all the good info - the problem was resolved some time ago.
QS
Appreciate all the good info - the problem was resolved some time ago.
QS
:o) Yes I know before answering
I'm not trying to get points here - my only concern was, that you don't have domain users in local admin group.
I'm not trying to get points here - my only concern was, that you don't have domain users in local admin group.
ASKER
Jorgen,
I hear you on the points - the question was asked of me by a customer and the last I heard he had resolved the problem but I have no particulars.
QS
I hear you on the points - the question was asked of me by a customer and the last I heard he had resolved the problem but I have no particulars.
QS