Link to home
Start Free TrialLog in
Avatar of jkrjora
jkrjora

asked on

How do I prevent users from using lusrmgr to reset administrator password

Hi
Windows XP
Admin Users
Need Access to lusrmgr

I need to prevent them from resetting the admin password - even if you know where it lives in the reg, I may be able to set sys read only? (and admin full control so that admin can run app later on to restore permissions as req'd)
Avatar of jcimarron
jcimarron
Flag of United States of America image
Avatar of jkrjora
jkrjora

ASKER

I am addressing offline access via another means, and the way that i am protecting some critical reg keys and folders involves a admin account having more permissions than system. There will be applications which pick up the credentials for this account in order to modify theses keys/files, so whatever account the application uses, if the users can reset the password and log in, they will automatically have access to those restricted keys and folders, or if it locks them out of these, it will render the system possibly useless, due to the critical nature of the files being protected.
Avatar of jcimarron
jcimarron
Flag of United States of America image
jkrjora--Well, Admins will always be able to change the password.
But here is another look
http://support.microsoft.com/kb/239803
Avatar of jkrjora
jkrjora

ASKER

well does http://support.microsoft.com/kb/143475/EN-US/ answer my question then?
Avatar of jkrjora
jkrjora

ASKER

sorry I got off track looking at that article. Can I create a  user group that has all admin permissionss except when it comes to reseting user passwords?
Avatar of jkrjora
jkrjora

ASKER

what search result were you thinking of?
Avatar of jcimarron
jcimarron
Flag of United States of America image
jkrjora--create+user+group+that+has+all+admin+permissions+except+resetting+user+passwords
Avatar of jkrjora
jkrjora

ASKER

Results 1 - 10 of about 3,460,000 for create+user+group+that+has+all+admin+permissions+except+resetting+user+passwords

so what result were you thinking  of? if I wanted to spend hours googling it, I wouldn't have asked it here...
Avatar of jcimarron
jcimarron
Flag of United States of America image
jkrjora--I assumed you wanted a solution to your problem.  I had made two earlier suggestions.  Since those did not satisfy you and I had no further ideas or comments, I thought I would lead you to Google since you apparently had not gone there yourself.
Regrets.
Avatar of matrixnz
matrixnz
Is this for domain users?  If yes then I'd question why users need to be members of the Local Administrators Group?  If you diminish the Administrators Groups Capacity in any way or the Administrator Account this could potentially cause more problems.  If they do require more privileges than make them members of the users Group and then just add permissions on top of this.

Hope that helps.

Cheers
Avatar of jkrjora
jkrjora

ASKER

ok - so can you change permissions on a group that pretty much makes them admin (as far as installing programs etc?) if yes I will award points on this question and start another question to address that...
ASKER CERTIFIED SOLUTION
Avatar of matrixnz
matrixnz
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of matrixnz
matrixnz
[edit] to to these

To

to do these

=)