Re: Windows AutoAdminLogon Security
- From: Nicolas RUFF <nicolas.ruff@xxxxxxxxx>
- Date: Tue, 23 Jan 2007 23:17:01 +0100
Scenario: A Windows domain with an n day password expiration policy
and Windows 2000 SP4 PCs with all the latest security patches. I know
that a Windows user will have to change their password today, so I
set AutoAdminLogon to 1 in their registry. When they switch off their
PC and go home I am able to log on to their PC, using their account,
but without requiring a password.
Surely this can't be the way it's supposed to work?! I thought that
the DefaultPassword registry entry had to contain the password for
DefaultUserName before auto logon would work yet it seems to work if
DefaultPassword is missing. Can anyone else confirm this behaviour or
suggest what I may have done wrong?
Sorry for coming so late, but isn't the password stored in LSA Secrets
instead ?
If you used this feature before, then the password might linger there.
Did you try to run LSADUMP2 ? You might see your admin password cleartext.
Regards,
- Nicolas RUFF
- Prev by Date: Re: Secure Remote access - windows 2003
- Next by Date: RE: IPSec and GRE (47)
- Previous by thread: IE security zone assignment on 2003 terminal server
- Next by thread: Automatic spam mover
- Index(es):
