How do I prevent users from using lusrmgr to reset administrator password

Hi
Windows XP
Admin Users
Need Access to lusrmgr

I need to prevent them from resetting the admin password - even if you know where it lives in the reg, I may be able to set sys read only? (and admin full control so that admin can run app later on to restore permissions as req'd)
jkrjoraAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

jkrjoraAuthor Commented:
I am addressing offline access via another means, and the way that i am protecting some critical reg keys and folders involves a admin account having more permissions than system. There will be applications which pick up the credentials for this account in order to modify theses keys/files, so whatever account the application uses, if the users can reset the password and log in, they will automatically have access to those restricted keys and folders, or if it locks them out of these, it will render the system possibly useless, due to the critical nature of the files being protected.
0
jcimarronCommented:
jkrjora--Well, Admins will always be able to change the password.
But here is another look
http://support.microsoft.com/kb/239803
0
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

jkrjoraAuthor Commented:
well does http://support.microsoft.com/kb/143475/EN-US/ answer my question then?
0
jkrjoraAuthor Commented:
sorry I got off track looking at that article. Can I create a  user group that has all admin permissionss except when it comes to reseting user passwords?
0
jkrjoraAuthor Commented:
what search result were you thinking of?
0
jcimarronCommented:
jkrjora--create+user+group+that+has+all+admin+permissions+except+resetting+user+passwords
0
jkrjoraAuthor Commented:
Results 1 - 10 of about 3,460,000 for create+user+group+that+has+all+admin+permissions+except+resetting+user+passwords

so what result were you thinking  of? if I wanted to spend hours googling it, I wouldn't have asked it here...
0
jcimarronCommented:
jkrjora--I assumed you wanted a solution to your problem.  I had made two earlier suggestions.  Since those did not satisfy you and I had no further ideas or comments, I thought I would lead you to Google since you apparently had not gone there yourself.
Regrets.
0
matrixnzCommented:
Is this for domain users?  If yes then I'd question why users need to be members of the Local Administrators Group?  If you diminish the Administrators Groups Capacity in any way or the Administrator Account this could potentially cause more problems.  If they do require more privileges than make them members of the users Group and then just add permissions on top of this.

Hope that helps.

Cheers
0
jkrjoraAuthor Commented:
ok - so can you change permissions on a group that pretty much makes them admin (as far as installing programs etc?) if yes I will award points on this question and start another question to address that...
0
matrixnzCommented:
Yes there are a number of ways to install, you can use elevated privileges for MSI based programs, or simply use Startup/Shutdown Scripts basically running as the system account to install.  The good thing about the latter is that it can run both legacy and msi based applications.  Of course you could look at something like Systems Center Essentials http://www.microsoft.com/systemcenter/essentials/en/us/default.aspx the smaller version of SMS/SCCM to to these installations.

Cheers
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
matrixnzCommented:
[edit] to to these

To

to do these

=)
0
jkrjoraAuthor Commented:
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.