Re: denying access to the Administrator

From: - AJS (A)
Date: 04/15/03


From: "- AJS" <A Smith at window products dott com>
Date: Mon, 14 Apr 2003 16:55:00 -0700


"Aidee Roman" <Aroman1432@nyc.rr.com> wrote in message
news:NO96a.40200$ma2.11684597@twister.nyc.rr.com...
> Or we can go with simply renaming the Windows NT/2000 admin account in the
> regkeys.

Not in a Domain. The local admin account is not required to read files. A
person with Admin rights to your network can circumvent any OS based
security feature you throw at him except File Encryption. He can sniff your
passwords and crack them, he can copy the SAM and crack it. He can just
change your password and then use it to log in as you, if he doesn't already
have it stored in a file somewhere.

> > > I have a genuine reason for my request. The person at my place of
> > > work who generally controls the administator account has taken to
> > > snooping around in other users' private files and I would like to put
> > > a stop to this.

The bottom line is that if you can't trust your admin, you are in deep, deep
water.

Fire the guy. Seriously, don't mess around with this. An ethically
challenged admin is an ugly, scary thing.

Enable logging, collect the proof, and get the results to someone that
matters. This is a very serious breach of trust. The first thing I teach my
admins: "Any abuse like this and they are on the street. No excuses."

- AJS

Note: I use the pronoun 'he' as a generic reference. I intend no offence or
inference, but merely to write a sentence that doesn't jar the reader. If
you can pony up a gender neutral pronoun that works exactly the way '(s)he'
doesn't, I will be happy to try it out.

----== Posted via Newsfeed.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeed.com The #1 Newsgroup Service in the World! >100,000 Newsgroups
---= 19 East/West-Coast Specialized Servers - Total Privacy via Encryption =---



Relevant Pages

  • Re: writing to registry in vista from guest account
    ... Once again, I bring you back to *Virtualization* on Vista, because based on each user, they will have their own VirtualStore in the registry or in case of something happening with the file-system such as a folder. ... By making your application to work with Standard user rights, no UAC escalation or prompt is required for the solution to execute. ... You also don't need a manifest for the application, if it's made to run with Standard user rights and not Admin user rights. ... Like I said, even with UAC disabled, your user admin account is not an account that has full admin rights on Vista. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Error message trying to download
    ... This posting is provided "AS IS" with no warranties, and confers no rights. ... I can not apply any updates on any machine in the domain. ... I also tried to log on as the local admin account - still ... I then logged on locally with a local admin account. ...
    (microsoft.public.windowsmedia)
  • Re: How can I change the admin password of all our XP PCs on the doma
    ... You don't go to each workstation and check if that user changed the local admin password. ... If the box has a problem that means you can't use a domain admin account to logon, it is usually quicker to rebuild than troubleshoot. ... If you want to control the Local Administrators on the workstations, just disable the Local Administrator, and then use another GPO or Script that adds a existing security group in your AD as member of the local Administrators on the workstations. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Group Policy Editor
    ... don't want to let guests run in an admin account. ... If you mean *some* programs - group policy isn't where you do stuff ... Oh - and don't forget to complain to the product developers about ...
    (microsoft.public.windowsxp.security_admin)
  • By-pass security settings on a standalone computer
    ... access to the other admin account). ... I did mention the the boss about being able to do things if there was ... > changing or removing the Admin password does remove access for the = ...
    (microsoft.public.windowsxp.security_admin)