Re: system restrictions

Malke and Kathy: My responses follow Malke's...

"Malke" wrote:

QuidnuncSimcha wrote:


Hello kathy,

The "Built-in" administrator account actually has greater powers than the
default user administrator accounts.

I'm sorry, but this is incorrect. The built-in Administrator in XP has
exactly the same "powers" as any other account with administrative
privileges.

Malke: You are the MVP and I am just a home user. Still, I have read that
the Buil-In administrator account has more authority than created accounts.
Maybe it was regarding the built-in's ability to delete other administrator
accounts but other administrator accounts cannot delete the built-in account.
I believe I remember reading about some other priv's. Maybe it was related to
running services with administrator accounts. If one takes over the built-in
account and configures it to run services, other administrators can not
delete the account wheras a user who controls the built-in account could
delete another member of the administrator group and stop the control of a
specific service. From what I have heard, services can lead to a serious
security problem.

http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/lsm_delete_user.htm



Furthermore, one can go into group
policy, if it exists on your machine, and create restricted user groups.

(snip)

All of this is probably moot. I think we have a home user with Home Edition
(although she didn't specify). Even if she has Pro, she is an end user and
should not be messing about with Group Policy, nor does she need to.

Malke: Once again, you are the MVP (I am not being sarcastic). Still, I
think a little knowledge about group policy can be helpful. Even for
end-users who may be interested in learning. Even though group policies are
designed for domain purposes, one can learn a great deal about Windows XP
when reading the descriptions. In addition, this can lead to mmc operation,
snap-ins, security templates, security analysis...etc.. I have found the
security templates to be very valuble. Even if a person doesn't want to read
the 1000's of pages associated with security and descriptions of security in
XP, they can go to the mmc console, import a higher security template and
immediately harden their OS, which is suggested by SANS, etc... Also, there
is a "Set-up" security template that a user can import if they think changes
in the local security policy may be causing trouble (I have found this very
useful.) With that said, the person must be aware that extra security will
limit usability. Still, if one is using XP pro at home, most will not need
those extra bells and wistles anyhow . As an example, one may be interested
in LanMan Authentication countermeasures by setting local security polices
"Lan Manager Authentication Level" tp "Send NTLM Response Only". Although MS
templates set ist to "Send NTLMv2 Response Only" I believe. This helps
eliminate or reduce SMB packet capture prey.



Note, this is one reason it is not a good idea to have multiple
Administrator accounts. All security experts, I am not one of them, highly
suggest that a machine only have ONE administrator account and to change
ALL other accounts to LIMITED USER accounts....In addition, the BUILT-IN
administrator account should have a strong and complex password associated
with it..Write it down because you can't get back in the account if you
lose the password.

Again, I'm sorry but this is incorrect. Most techs (including me) suggest
that you have at least two user accounts with administrative privileges in
case one becomes corrupted. If at all possible, it is better to run
day-to-day as a Limited or regular user. In practice, this is often
difficult in XP.

Malke: As a home user, if the Built-In Administrator becomes corrupted, I
try to fix it with my limited knowledge. If I cannot, I wipe the drive and
reinstall. I need to do a better job backing-up. :)


In a home situation, it is usually not as crucial to have a strong
Administrator password as it would be in a business. In any case, it is not
true that one can't get back into the account if one forgets the password.
It takes less than 5 minutes. This is not a specific-to-Windows security
issue; any computer running any operating system can be accessed by someone
with 1) physical access; 2) time; 3) skill; 4) tools.

Malke: True, I have used one of these tools on my own machine. There are
password cracking tools out there. I believe one of the "better" or "more
effective" tools is L0phtcrack. Another is "John the Ripper". Brute force
cracking techniques. I believe there is a way via the kernel (Machine level
instruction:Please correct me if I am wrong). Still, I believe my decision to
use one of these tools was one of my worst decisions. Why? Who wants to go
through the code and try to determine if a this tool, that I did not create,
is installing a rootkit at the same time. Sure, one could do brute force via
programming...MOD...DIV...and dictionary...but I am not a TECHI...


I'm snipping the rest because I'm sure the OP just wants to get her machine
working again. She's a home user remember, not a tech.

Malke: If the user believes I gave her too much info, then the user will
just ignore me... If you look at my previous posts, I have stated that I am
not a computer expert. Actually, I payed respect to you in the "Mouse not
Working Post"... I agreed that it may be the motherboard, but still feel
additional troubleshooting can be accomplished. Like checking free disk space
and page file availability. I could be wrong though...Still, the OP said per
was interested in more ideas....

"kathyr" wrote:

Patrick,
I am using Windows XP. This is a home system, so no network.
Kathy

"Patrick Dickey" wrote:

kathyr wrote:
When ever I try to open one of the shortcuts on my desktop, I receive
a message that says that this action was stopped due to system
restrictions and
to check with system administrator. I am signed up as the
administrator. Can someone tell me how to fix this problem.
thanks

Kathyr - We need to know a few more things:

1. Is this XP Home Edition?

2. What is the virus/malware status of the machine? If you think it is
clean, what programs (names and versions) did you use to determine this?

3. Presumably you were able to use the shortcuts at one time. What changed
between the time they worked and the time they didn't?

Malke
--
MS-MVP Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

.

Relevant Pages