Re: Restricting the change of the local administrator account password.

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 05/05/04

    Date: Wed, 5 May 2004 18:16:32 +0200
    To: focus-ms@securityfocus.com
    
    

    On 2004-05-05 ddraiggoch@coldyne.com wrote:
    > I've come across quite an interesting problem, currently I have an
    > environment split into categories such as application management, OS
    > management etc on the Windows 2000 and 2003 platforms. On the
    > application side we get requests from application administrators to
    > get full administrative rights on the system which is accepted on
    > domain accounts.
    >
    > However, should this user decide to change the local administrator
    > account under Windows then there is nothing to restrict them doing so
    > as I can see. This in essence causes an issue where the OS team builds
    > the system with a renamed admin account, and a specific password. This
    > isn't disabled as it is relied on should the domain become unavailable
    > and access is still required.
    >
    > So my question to you all is as follows, how do I restrict the ability
    > to change the local administrator password, even at the level of a
    > domain account specified as administrator in the local group. Is there
    > a setting in Windows that can be turned on so that without knowing
    > what the password is the change cannot be made unless you type in the
    > old password, new password, and its confirmation?

    I doubt that there is a way of doing so. Even if you were able to remove
    the change-password privilege from that specific user account, he could
    easily regain it. Local administrators are able to acquire every right
    on the local system.

    Regards
    Ansgar Wiechers
