Re: Default Administrator lockout

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 02/27/04 

Date: Fri, 27 Feb 2004 04:18:40 -0700

"rav" <ravburano@hotmail.com> wrote in message
news:%23XdFJ4F$DHA.1796@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> Thanks for your replies but my point is that i have neither disabled the
> admininstrator account in GPO or used passprop.
>
> Thanks

Well, about all I can tell you is that it is so, the built-in is
subject to lock-out. Thinking this is a defined changed
I set out to pull up where this is mentioned as a changed
behavior for W2k3, but to my surprise what instead I am
finding (so far) are what look like cut/pastes from W2k era
docs into the W2k3 docs. For example
http://microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp
under its DoS prevention section has the statement :
"Rename the administrator account: Because the administrator account cannot
be locked out, it is recommended that you rename the account. Although this
does not mitigate all of the attacks against the administrator account, it
does help mitigate these attacks most of the time."

> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:ewK5URD$DHA.916@TK2MSFTNGP10.phx.gbl...
> >
> > "Laura A. Robinson [MVP]" <geekwench@snippit.hotmail.com> wrote in
message
> > news:MPG.1aa68f89e9fae6559897a1@nn.bloomberg.com...
> > > In article <#U2XXVy#DHA.684@tk2msftngp13.phx.gbl>,
ravburano@hotmail.com
> > > says...
> > > > Hi,
> > > >
> > > > I have got the default administrator account (it is not a renamed
> > account or
> > > > anything like it, the SID is correct) on a Windows 2003 DC to lock
> out.
> > > > Aanyone else have this at all? Thought it was impossible to do as it
> is
> > a
> > > > backdoor.
> > > >
> > > Not only is it possible (Google for passprop.exe), with Win2K3, you
can
> > > use group policy to disable the account altogether.
> > >
> > > Laura
> >
> > altogether except for safe mode boots
> >
> > Roger
> >
> >
>
>

Relevant Pages

  • Re: Rename administrator account- Unattended from command line or
    ... Thanks for the tip Todd. ... I should have emphasized that I am trying to rename ... policy "rename administrator account" setting. ... "Administrator"--despite the fact that ADUC displayed the new admin name ...
    (microsoft.public.windows.server.general)
  • Re: Account Rename Policy
    ... Ok something changed in GPO leavethat one.But I don,t want to rename the ... Global administrator account policy,so tell me what i have to in GPO. ... TESTnamed DC and XYZ is a system is the member TEST domain. ...
    (microsoft.public.windows.server.active_directory)
  • Re: ADSI and C#
    ... that is a honor! ... But when you sad that i must create and delete i think your wrong and here ... >> I want to rename the logon name. ... > of renaming the administrator account do you? ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Rename Administrator Account
    ... If you're ever in the mood to "change history" you can do this. ... and now you are going to have to go and scrape all ... the setting for 'rename administrator account' and 'rename ...
    (microsoft.public.windows.group_policy)
  • Re: A problem regarding admin rights and passwords.
    ... the administrator account. ... it is recommended that you rename the ... Administrator account on all computers in the Windows Small Business Server ... > the account of the user with admin rights. ...
    (microsoft.public.windows.server.sbs)