Re: which virus I've got: Everyone is allowed to change administrator's password!

From: Carl Browning (carlbrowning@attbi.com)
Date: 01/17/03


From: "Carl Browning" <carlbrowning@attbi.com>
Date: Thu, 16 Jan 2003 21:10:50 -0800


You don't have a virus or anything else wrong with your system. You are
misunderstanding what you are seeing. The EVERYONE security principal is
supposed to be on every account. It is supposed to grant Change Password
permissions.

Change Password should not be confused with Reset Password. Change Password
means that a user has to supply the old password before the new password can
be entered. Reset Password means that the new password can be entered
without entering the old password.

If EVERYONE did not have the ability to change the password, then users
would have to be logged in before they could change their password.

The reason the security settings keep coming back to the default is that
Active Directory has an object called AdminSDHolder that contains the
default security values for administrative accounts (Administrator,
Administrators, Domain Admins, etc.). When a user object gets added to one
of those groups, AD will periodically scan and reset the ACL on those
objects.

Long story short, the behavior that you are seeing is perfectly normal.

Carl

"Benson" <TellMeIfUWant2ContactMe@AvoidEmailGarbage.com> wrote in message
news:MPG.188d4efe97739f0d989682@news.cn99.com...
> My OS is win2000 advanced server with sp3 integrated.
>
>
> Today when I opened ACTIVE DIRECTORY USER AND COMPUTER,
> I suddenly found that there is a user named Everyone
> in SECURITY option of my administrator account, and it's
> allowed to change password! This means that everyone can
> change the password of my administrator account!
>
>
> After disconnecting my internet connection immediately, I
> deleted the Everyone account. But several minutes later,
> the Everyone account appeared in the same place again. No
> matter how many times I deleted it, it always recovered
> very soon.
>
>
> I ran Norton AntiVirus, but found nothing.
>
>
> And I found that all users in Administrators group have the
> same problem!
>
>
> Am I hacked by a Trojan horse? Or am I infected by a virus?
>
>
> Any comment is appreciated.
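
The Change Password versus Reset Password distinction in the reply above can be checked directly on an ACL. The following is an added example, not part of the original thread: it parses the SDDL form of a security descriptor and reports which trustees the allow ACEs give each right. The sample SDDL string is constructed, and the function names (`pairs`, `has_control_access`, `password_rights`) are hypothetical.

```python
import re

# Extended-right GUIDs defined in the Active Directory schema.
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # User-Change-Password
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
# An ACE with no object GUID covers every extended right, including both.
GRANTS = {"": {"change", "reset"},
          CHANGE_PASSWORD: {"change"}, RESET_PASSWORD: {"reset"}}

def pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]  # two-letter SDDL tokens

def has_control_access(rights):
    """True if the mask includes CONTROL_ACCESS (CR, 0x100) or GENERIC_ALL (GA)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (0x100 | 0x10000000))
    return bool({"CR", "GA"} & set(pairs(rights)))

def password_rights(sddl):
    """Map each trustee to the password rights its allow ACEs grant on the object."""
    found = {}
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            continue                      # conditional/resource ACEs not handled
        ace_type, flags, rights, guid, _inherited_type, trustee = fields
        if ace_type not in ("A", "OA"):   # skips deny ACEs and SACL audit ACEs
            continue
        if "IO" in pairs(flags) or not has_control_access(rights):
            continue                      # inherit-only ACEs do not apply here
        granted = GRANTS.get(guid.lower())
        if granted:
            found.setdefault(trustee, set()).update(granted)
    return found

# Constructed sample, shaped like the ACL on a protected admin account.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"   # Everyone: change
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"   # Self: change
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"                # Domain Admins: full
    "(A;;RPLCLORC;;;AU)"                                  # read only
    "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;;AO)"  # inherit-only
    "S:(AU;SA;WPWDWO;;;WD)"
)

if __name__ == "__main__":
    for trustee, rights in sorted(password_rights(SAMPLE_SDDL).items()):
        print(trustee, sorted(rights))
```

On the sample, Everyone (`WD`) and Self (`PS`) come back with only `change`, which is the normal state described in the reply; a `reset` entry for `WD` or `AU` is the condition worth investigating. Deny ACEs are ignored, so the output lists grants rather than effective access.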


