Secure passwords on Windows 2003 domain?

I was wondering if there is a way to secure passwords on Windows XP clients? I have a number of laptop users that travel with their machines, and in the event of a theft or loss I don't want someone to be able to overwrite the password. There are many utilities that can do that, as I am sure you all know. Besides a hardware key for login, is there anything I can do to prevent these passwords from being removed by a removal utility to gain access to the machine? I have a win2k3 domain with XP Pro clients.


No. ERDCommander and hundreds of other utilities will still change the passwords. It sounds like you may want to implement EFS (Encrypting File System).
If you want to implement EFS, PLAN PLAN PLAN.  Using Group Policies, you can safely implement EFS.  A poorly planned EFS deployment will be your worst nightmare.  EFS renders data useless unless you have the keys to unencrypt it.  Losing a laptop that is not encrypted is like giving the thief CDs of all your data.

Here is a starting point

If you want a good laugh, read this KBase article. It falls under the "no SH!T category";en-us;818200
PS -

Even with SECURID or SMARTCARD, a thief could still piggy back a hard drive in another system, mount it and take ownership of the files to read them.

You may wish to consider using hard-disk encryption software like DRIVECRYPT.

DRIVECRYPT allows both the encryption of an entire hard disk partition and the creation of a virtual container file that will store all the encrypted information.

- Strong cryptography
- Disk partition and file volume encryption
- Invisible containers
- Improved password security
- Password sniffing protection
- No-evidence encryption
- Administrator password control (keyfiles)
- Anti dictionary or brute force attack mechanism
- Easy and fast hotkey control
- Second user access
- Forgotten user password recovery
- Eliminate the danger of unattended computers
- Secure disk deletion (disk wiping)
- Encrypted volume resizing
- External hardware support
- Works on any storage medium
- Encrypted data is easily recovered
- Software works on any storage medium: HD, FDD, CD, DVD, Zip, Jaz, ...
- Easy to install, deploy & use
- Maximize your security, minimize your risk
- No backdoors present

Another good disk encryption software.
WinMagic HardDisk Encryption - SecureDoc

An evaluation copy is available here:

Set a password for the hard disk. This can normally be set in the PC's BIOS setup routine. If the hard disk is password protected, you have to enter that password every time the PC is turned on. If you forget that PW, it won't help if you move the disk to another PC or change the PCB on the disk. There are no backdoor passwords provided by the disk's manufacturer. If you forget the PW, you have to send the disk to the manufacturer, along with proof that it is your data on that disk; they can then reset the password, but they ask for good pay when doing that (a lot more expensive than a new drive costs).

I would have to agree with tengage here, EFS is the way to go... no point in purchasing more software when you already have it... EFS is also transparent to the user, so no additional training required.

Summary of key strengths and types:
- Windows 2000 pre-SP2: 40bit DESX
- Windows 2000 SP2 or later: 120bit DESX
- Windows XP pre-SP1: 120bit DESX
- Windows XP SP1 or later: 256bit AES
- Windows Server 2003: 256bit AES

It is worth bearing in mind, however, that the encryption key is protected by the user's password, so you need to ensure that you enforce strong password rules.

BIOS passwords are set in BIOS, and stored in BIOS. Not only can you reset the BIOS and wipe out the password, the drive has no idea it is password protected. If you pull a drive and piggyback it, one can definitely get to the files on it.

I am not opposed to 3rd party solutions and I would probably evaluate some if I needed EFS. One example would be quota software. There are some things that MS doesn't do that 3rd party software does (quotas, backups, antivirus). They are doing some things now that they didn't in the past, like firewalls, remote desktops, encryption, CD burning.

tengage, the hard disk password is not a BIOS password and it isn't stored in the BIOS. In fact it is stored on the disk platters. The BIOS only acts as the interface to set this password. If you try to read a protected disk in another system you won't get to it. You can even change the PCB and not be able to reset the password. I do agree that the other passwords you can set from the BIOS are usually easily reset, that's why I didn't mention those.

The only problem with this password is that most people usually select a simple one with only a few characters, which makes it guessable by trial and error, but this problem you will encounter with most passwords.

There is a way to lock the HDD so no one can access it, on your computer, or anyone else's... not even if you open up the HDD, take out the disks, and use another drive... I'll be back to inform you how... I haven't done this in a while...

But grab this program..,fid,8082,00.asp

And I'll figure out how to do the other procedure properly so it can't be accessed on any computer.

Hi ZeropointNRG, disk encryption has been recommended already.

Yes, but I gave an alternate program, but that's not what I'm really trying to tell him. No one has told him it is possible, everyone has said it's not possible, "you can easily change computer and grab the info". This is what the guy needs, and what I'm trying to figure out, and I know it's possible to do, because I've done it years ago.

The program is only an alternate, like all the other alternates that are here...

Have a look at PGP's website. Their workgroup looks just what you need; it encrypts the hard disc.

Rich Rumble (Security Samurai) commented:
The best thing is an encrypted folder or partition. With physical access ala theft, there is no other viable option, imho.

I do not recommend M$ EFS, I laugh with every recovery I do. If I can't recover with Elcomsoft's aEFSdr then I recover the .tmp file that is created when EFS is used to encrypt a doc or folder. The .tmp file has the plain-text version of the doc, or folder.
Ontrack has the best file recovery tools I've ever seen, and they make me lots o' money. I've used all the overwriters out there, formatted using Linux, BeOS, Unix, FAT16/32, NTFS; I can still get the files back.

For more about the .tmp file read here:

Basically use someone else's encryption program if you're extremely worried about theft and what they might get. M$ EFS is ok... but far from good enough for us.

Excellent comment richrumble...(learnt something new, today). Thanks...:o)
