Re: Easy question on the local admin passwords
As Joe said, if the user has system or administrator access he already owns
the operating system, and yes, that can pose a problem in some cases. What you
could do is make sure that those computers do not use the Group Policy
startup script, and then consider making sure each of those computers has a
unique password for the built-in administrator account, which you could do
with something like cusrmgr from the Resource Kit or PsPasswd from
SysInternals in a batch file. If sniffing the password off the wire is a
concern, do the operation from a secure admin workstation and have an ipsec
require policy on the computers in question, which can be implemented via
Group Policy for the SMB ports/protocol from the IP address of the admin
workstation. Do not attempt ipsec, however, until you have a good
understanding of how it works and of the special considerations needed for
domain controllers. -- Steve

http://support.microsoft.com/?kbid=272530
http://support.microsoft.com/?kbid=254949 --- ipsec implementation considerations.

<boomboom999@xxxxxxxxx> wrote in message
news:1152317028.221624.60750@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

boomboom...@xxxxxxxxx wrote:
Steven L Umbach wrote:
With a Group Policy "startup" script users do not need read access to
the script in sysvol. You can remove authenticated users and add domain
computers with read/list/execute instead. You will also have a potential
problem in that the startup script will not be run until the computer is
restarted on the domain. You might want to use a different local
administrator password on the laptops than on the workstations. --- Steve

Thanks Steve,

That seems to be a more secure solution.
But I think it is still trivial to circumvent.
Any user that manages to run a script under LocalSystem (for any
reason) can access the administrator password in clear text. As I can
trust totally all the workstations (there are some of them that are
operated by knowledgeable users with administrative rights) I would
prefer not to offer the password in that manner.

Sorry, there is a typo in the last phrase.

As I can NOT trust totally all the workstations (there are some of them
that are operated by knowledgeable users with administrative rights) I would
prefer not to offer the password in that manner.
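Steve's suggestion above of giving every computer its own built-in Administrator password from a secure admin workstation, worked through as an added example that is not from this thread and does not use cusrmgr or PsPasswd: it drives the ADSI WinNT provider from PowerShell, so no password is ever written into a SYSVOL startup script where anything running as LocalSystem could read it. The file names `computers.txt` and `local-admin-passwords.clixml`, and the function names, are assumptions made for the example; the script assumes it is run as a domain account that is a local administrator on each target and that the target account is still named Administrator.

```powershell
# Added example, not code from the thread: set a unique, randomly generated
# password on the built-in Administrator account of each listed workstation
# from the admin workstation, and keep a DPAPI-protected record of them.
# Assumed inputs: .\computers.txt with one hostname per line (constructed).

$computersFile = '.\computers.txt'
$vaultPath     = '.\local-admin-passwords.clixml'

function New-RandomPassword {
    # Cryptographically random password drawn from printable ASCII (no space),
    # using rejection sampling so every character is equally likely.
    param([int]$Length = 20)
    $chars = [char[]](33..126 | ForEach-Object { [char]$_ })   # 94 symbols
    $limit = 256 - (256 % $chars.Length)                         # 188
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $out   = New-Object System.Text.StringBuilder
    $byte  = New-Object byte[] 1
    while ($out.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) {                               # reject biased tail
            [void]$out.Append($chars[$byte[0] % $chars.Length])
        }
    }
    $out.ToString()
}

function Set-LocalAdminPassword {
    # Binds to the local SAM of the remote machine over SMB/RPC and resets the
    # Administrator password. If the account has been renamed, bind to the new
    # name instead (or locate it by its RID-500 SID).
    param([string]$Computer, [string]$Password)
    $account = [ADSI]"WinNT://$Computer/Administrator,user"
    $account.SetPassword($Password)
}

# Per-machine record: hostname -> SecureString. Export-Clixml serializes
# SecureStrings encrypted with DPAPI for the current user on this workstation,
# so the file is useless if copied elsewhere.
$vault = @{}
foreach ($computer in Get-Content -Path $computersFile) {
    $computer = $computer.Trim()
    if (-not $computer) { continue }
    $newPassword = New-RandomPassword -Length 20
    try {
        Set-LocalAdminPassword -Computer $computer -Password $newPassword
        $vault[$computer] = ConvertTo-SecureString -String $newPassword -AsPlainText -Force
        Write-Host "Reset Administrator password on $computer"
    }
    catch {
        # Leave the old password in place and report; do not record a value
        # that was never applied.
        Write-Warning "Failed on ${computer}: $($_.Exception.Message)"
    }
}

$vault | Export-Clixml -Path $vaultPath
Write-Host "Recorded $($vault.Count) password(s) to $vaultPath"
```

Run this from the hardened admin workstation Steve describes; combined with the ipsec require policy on the targets, the password-reset traffic is both authenticated and confined to that one source address. To retrieve a single entry later, `Import-Clixml` the vault on the same workstation as the same user and convert the SecureString back with `ConvertFrom-SecureString -AsPlainText` (PowerShell 7) or via `[System.Net.NetworkCredential]`.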
