How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.
Course Of The Month
5 days, 2 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
changing the Administrator password
Posted on 2004-04-26
I have observed that in a standard installation of XP(SP1) or Win2K(SP4) *any* user belonging to the "administrator"-group can change without any problm the password of the master-user "Administrator".
Is it possible to protect the password of the user "Administrator" against such changings?
nmm
Is it possible to protect the password of the user "Administrator" against such changings?
nmm
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4 Comments
Active 4 days ago
Not really... that's why there are best practices... but even with those being followed, it's still a trust issue. M$ Network Admin's face this when ever a new person joins their group, how long do you wait to give them full domain access? While you can't pevent it's changing, you may be able to log who changed it. The event log folder can also have pemissions set so that only "system" and "admin1" can delete the logs. That way there is accountability, but no real prevention. This is a something common to most OS's. The admin accounts are supposed to be the trusted accounts, if you are unsure, then you shouldn't give them access. There used to be a utility to lock the administrator account out, but M$ saw that this was the double-edged sword, and pulled it. The local administrator accounts can never be locked out, unless you could find that tool "admnlock
http://support.microsoft.com/default.aspx?scid=kb;en-us;q281140&sd=tech (still they can reset the password just as before, if they are admins)
If you tried to guess passwords using terminal services, you'd also Never Be Locked out, even if the failed attempts were exceeded- TS thinks of all accounts as Local, even if they are domain accounts. you will be disconnected from TS once you've guessed wrong a few times, but you can keep at it forever! But the user your trying to guess' passwrod would of had to log-on to that server first. Despite the patch for 2000, this still works on XPpro...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;274372
-rich
http://support.microsoft.com/default.aspx?scid=kb;en-us;q281140&sd=tech (still they can reset the password just as before, if they are admins)
If you tried to guess passwords using terminal services, you'd also Never Be Locked out, even if the failed attempts were exceeded- TS thinks of all accounts as Local, even if they are domain accounts. you will be disconnected from TS once you've guessed wrong a few times, but you can keep at it forever! But the user your trying to guess' passwrod would of had to log-on to that server first. Despite the patch for 2000, this still works on XPpro...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;274372
-rich
On the other hand... that means you can just have any one of those folks in the Administrators group run an application that puts the Admin password back to the way you want it. We actually put a program like that in our login batch file periodically to clean up the mess the users make.
The program is called "RePass"... and is availabe as VB.Net source code at http://www.dpw.hood.army.mil/ftp/RePass
The program is called "RePass"... and is availabe as VB.Net source code at http://www.dpw.hood.army.mil/ftp/RePass
Thanks for that information!
If I am in the admin-group than it is possible to change the passwords of any other users in the admin-groupand than i am the only one, who can acess the system with admin-rights.
If I have admin-rights, so it should also possible to disable "repass".
And the idea to protect the log from changing will also not work: if I can change the password of admin1, than after doing that, I can login as admin1 and than I can erase the traces in any log i want.
What is the sense of "admnlock", if they
still "can reset the password just as before, if they are admins"?
-nmm
If I am in the admin-group than it is possible to change the passwords of any other users in the admin-groupand than i am the only one, who can acess the system with admin-rights.
If I have admin-rights, so it should also possible to disable "repass".
And the idea to protect the log from changing will also not work: if I can change the password of admin1, than after doing that, I can login as admin1 and than I can erase the traces in any log i want.
What is the sense of "admnlock", if they
still "can reset the password just as before, if they are admins"?
-nmm
Admins can change passwords, it is their inherent right of control.
Admins as the most trusted of the tech staff, with all the keys at their disposal.
All admins must trust each othe, it is the nature of position, just as mgmt must trust them.
If one admin is not trusted by the others, it is past time for a reorg to change access rights to reflect trustability.
Admins as the most trusted of the tech staff, with all the keys at their disposal.
All admins must trust each othe, it is the nature of position, just as mgmt must trust them.
If one admin is not trusted by the others, it is past time for a reorg to change access rights to reflect trustability.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This is a guide to the following problem (not exclusive but here) on Windows:
Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge.
Any admin who takes se…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you!
In this Micro Tutorial, you'll learn yo…
- Microsoft Applications
- Windows 10
- Windows OS
- Fonts Typography
- Windows 7, Microsoft Word
Suggested Courses
Course of the Month5 days, 2 hours left to enroll
688 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.