Built in Accounts vs Created in Win2K

MICATECH
Are there any differences between the built in accounts vs created ones in Win2KPro?  In particular the Administrators account, meaning does a created Administrator account have all of the same rights/privileges as the built in Administrator?  We are in the middle of upgrading all of our Win98 machines to Win2K Pro.  We've noticed that randomly we are denied access to the control panel or Network settings for instance if logged in as a created Admin, but later on that very same machine (still as created Admin) everything is accessible.  I'm thinking they should operate exactly alike and am worried that something evil is going on.  Another co-worker says that they are different and that only the "built in one" has all rights of an Administrator.   That just doesn't seem right to me.  But, I'm hoping someone can set it straight for me whichever way it goes.

Thanks,
Laura
If you have a domain controller, ignore those accounts in local machines.

1) If you log in to local accounts, you will not be able to access network resources.
2) If you don't want to join the client PC to the domain, you have to create accounts individually on every system.
Something to add on...

Using the domain account would be easier to admin. But in XP, better to keep all local administrator passwords the same.. sometimes you still need them to assign permissions.

Author

Commented:
To clarify, I'm talking about a local admin account which we create on each individual machine and logon as, on each machine locally.  

Commented:
Your co-worker is correct - the built-in admin account has more ties to the OS than the added admin account.  If you even rename the built-in administrator account the OS seems to be blind to it.  

I can't remember the exact sequence for doing this, it's renaming the built-in administrator's account using either the built-in administrator account or the added administrator account.  Anyway, use a fresh machine (that you may want to rebuild) and rename the built-in administrator account as something else.  Reboot and log on with the newly renamed administrator account.  Now, go to C:\Documents and Settings\; you will see a new folder named with the renamed administrator account.  Further testing shows that the ties are with the old "Administrator" folder, not the renamed Administrator folder.  The ties seem to be in administrator services.  (I can see it in Exchange servers as well).

Sorry, I didn't bother going deeper than that.....  

You can create and work with the added administrator for most stuff.  Rename the built-in administrator account for security.  Do not attempt to delete the built-in "Administrator" folder.

Author

Commented:
Can you direct me to a source that explains the differences between the two?  And how do you know this to be the case?  Is it something you read about or something you have experienced as well?  I myself have looked and not found anything at Microsoft or anywhere else discussing there being any difference.  I need some more detailed official info on this.
Oh and we've already renamed the account and applied all suggested security settings.  So, I "think" we're ok there, but one never knows.

Thanks

Commented:
It's something that I explored and experienced...... and a certain amount of reading.  See below for a quick difference.  I was a Windows developer, now I taught MCSE and networking.  I used to know the secret keystrokes to go behind the scene - but for the life of me - I couldn't remember it.

It's OK to rename the accounts.... Just remember if you see the "Administrator" and the "NewName" folders in
C:\Documents and Settings\   at the same time - then if you do anything such as installing or applying security to the folders - you need to do to both or check it out to make sure that they work.

A quick example of the difference:  
Try to delete the built-in admin account and then try to delete a user-created admin account.
You can delete a user-created admin account but not the built-in admin account.

Author

Commented:
I know you cannot delete the built in one.  I know I can rename it.  I've done that, but what I'm trying to pinpoint is when performing admin tasks does a created admin user (who is a member of only the admin group) have any less rights/privileges than the built in admin user.  I need to find some official word on this if it's possible.  I have a feeling I'm not going to find it.  :(
Commented:
You will not find a consolidated list of the differences.  For most (normal) administrative tasks, there is no distinction.  The user-created admin can perform these tasks since these tasks deal with standard objects such as users, groups, files, print, etc... Only when you do something that MS has hard coded the requirement as a security issue that it will require you to use the original administrator (or renamed account) - at that time however the original password can then be used.  The security manager will search the password list and authenticate the access is for the original administrator account before granting access to special privileges.  I know that it won't clear the issue that you are wondering - but it is all that I can give you since MS didn't publicly announce it.... I can offer another two examples for you to see that the built-in account does have special privileges that user-created admin doesn't have:

1) Recovery console will ask for "Administrator" account password.  If you renamed the account you can use its password and recovery console will log you on.  Official words on this one:

http://support.microsoft.com/default.aspx?scid=kb;en-us;258585 

2) Unlocking a console that has been locked - It asks for the "Administrator" account password.

I guess it's learn as you go.... It's kind of like you said that you know that you can't delete a built-in administrator.  If you ask yourself why?  You would conclude "Oh, there is something special about that account - therefore, user-created administrator is not quite special after all."

 

Author

Commented:
Ok, so there is one provable difference.  Thank you for that.  

As for the question "Why can we not delete the built in admin account?"  I would guess that it's a necessary safety feature to never allow that account to be deleted, (besides being the only recovery console admin) because if somehow all the admin accounts were deleted we'd be up a creek with no admin rights to paddle.

Thanks again.

Commented:
Not really, it would be easy to program not allowing "All admin" to be deleted.  All that is needed is to check the admin group and not allow deleting of the last admin user entry.  Once you renamed the built-in admin, how does a program distinguish the built-in vs the user-created admin, the answer "there is a flag somewhere".  I read something about the registry "HKEY_USERS" the key that has the -500 in the end is the built-in admin user key.  One of these days I am going to try to delete that key to see if it would allow me to do it.
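
The "-500" mentioned above is the relative identifier (RID) at the end of the account's SID, and it stays the same when the account is renamed. The following is an added example, not part of the original thread: an audit sketch that lists the local Administrators group and marks which member is the built-in account. It assumes Windows PowerShell 5.1 or later (the `Get-LocalUser` and `Get-LocalGroupMember` cmdlets do not exist on Windows 2000); `Test-BuiltinAdminSid` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+
# (Microsoft.PowerShell.LocalAccounts module); run from an elevated prompt.

function Test-BuiltinAdminSid {
    # Hypothetical helper: true when the SID is an account SID whose RID is 500.
    param([Parameter(Mandatory)][string]$Sid)
    # Account SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
    # RID 500 is the built-in Administrator, whatever the account is named.
    return $Sid -match '^S-1-5-21-\d+-\d+-\d+-500$'
}

# S-1-5-32-544 is the well-known SID of the local Administrators group;
# using the SID avoids depending on the group's (localised) name.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $members) {
    [pscustomobject]@{
        Name    = $m.Name
        Sid     = $m.SID.Value
        Source  = $m.PrincipalSource          # Local, ActiveDirectory, ...
        # A domain account with RID 500 (the domain's built-in
        # Administrator) is flagged as well.
        BuiltIn = Test-BuiltinAdminSid $m.SID.Value
    }
}
$report | Format-Table -AutoSize

# Report the current name and state of the local built-in account,
# which shows whether it has been renamed or disabled.
$builtin = Get-LocalUser | Where-Object { Test-BuiltinAdminSid $_.SID.Value }
if ($builtin) {
    "Built-in Administrator is currently named '{0}' (Enabled={1})" -f `
        $builtin.Name, $builtin.Enabled
} else {
    "No local account with RID 500 was returned."
}
```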

Commented:
I've just inherited the administration of a machine that has the built-in administrator account deleted.
