Re: Registry hack to disable password change



I agree, anyone with admin rights could go in and make the change back to
default, if they knew the correct bit to change and the correct process. This
just stops the "not so nerdy" admins...
I will post the hack in a little while, I need to check something.

Terry

"Shenan Stanley" wrote:

Terry Caleb wrote:
I used to be able to do this on Windows 2000, but do not find the
registry settings or the offsets for Windows 2003. What I would
like to do is be able to set a password on an account, and to not
allow anyone at all, including other administrators, to be able
to change the password or the account name. I have searched
through pages upon pages of articles, but have not found
anything. Is this still possible?

Shenan Stanley wrote:
Still?

I am pretty sure you could not do that in Windows 2000 either. If
someone is an administrator, they can do whatever they want to
anything on the machine *except* mess with encrypted files (at
least not get into them without the backed-up certificate from the
account that encrypted them, etc.)

Terry Caleb wrote:
I have written down a registry hack that I used to use to change a
bit in the registry that would not allow ANYONE to change the
password (and, I think, the username also, but I never tried
it) of a user, regardless of their credentials. That included
Domain Admins and everything.

So don't be shy - post it.

I assure you, however - if you can do it as an administrator - anyone with
administrative rights on the same computer can get around it/undo it. If
they have administrative rights on the computer - other than encryption -
you cannot do much to control what they can/cannot do on the computer.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


