Re: Default Administrator lockout

From: Spyke (spyke_at_mailinator.com)
Date: 02/27/04 

Date: Fri, 27 Feb 2004 13:53:11 -0500

Good Day,

I believe the built-in Administrator account of Win/XP/2K3 can't be locked
out because of incorrect passwords but it can be disabled.

Cheers,
Spyke

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:%23Q%23fiNS$DHA.2804@tk2msftngp13.phx.gbl...
> "rav" <ravburano@hotmail.com> wrote in message
> news:%23XdFJ4F$DHA.1796@TK2MSFTNGP12.phx.gbl...
> > Hi,
> >
> > Thanks for your replies but my point is that i have neither disabled the
> > admininstrator account in GPO or used passprop.
> >
> > Thanks
>
> Well, about all I can tell you is that it is so, the built-in is
> subject to lock-out. Thinking this is a defined changed
> I set out to pull up where this is mentioned as a changed
> behavior for W2k3, but to my surprise what instead I am
> finding (so far) are what look like cut/pastes from W2k era
> docs into the W2k3 docs. For example
>
http://microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp
> under its DoS prevention section has the statement :
> "Rename the administrator account: Because the administrator account
cannot
> be locked out, it is recommended that you rename the account. Although
this
> does not mitigate all of the attacks against the administrator account, it
> does help mitigate these attacks most of the time."
>
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:ewK5URD$DHA.916@TK2MSFTNGP10.phx.gbl...
> > >
> > > "Laura A. Robinson [MVP]" <geekwench@snippit.hotmail.com> wrote in
> message
> > > news:MPG.1aa68f89e9fae6559897a1@nn.bloomberg.com...
> > > > In article <#U2XXVy#DHA.684@tk2msftngp13.phx.gbl>,
> ravburano@hotmail.com
> > > > says...
> > > > > Hi,
> > > > >
> > > > > I have got the default administrator account (it is not a renamed
> > > account or
> > > > > anything like it, the SID is correct) on a Windows 2003 DC to lock
> > out.
> > > > > Aanyone else have this at all? Thought it was impossible to do as
it
> > is
> > > a
> > > > > backdoor.
> > > > >
> > > > Not only is it possible (Google for passprop.exe), with Win2K3, you
> can
> > > > use group policy to disable the account altogether.
> > > >
> > > > Laura
> > >
> > > altogether except for safe mode boots
> > >
> > > Roger
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: No Administrator Account - Recover Console?
    ... Windows Live Messenger, when I got a message the install could not be ... I am sure that they want my Administrator account info, ... The built-in Administrator account *cannot* be deleted. ... installation, but WinXP Home doesn't. ...
    (microsoft.public.windowsxp.general)
  • Re: No Administrator Account - Recover Console?
    ... The built-in Administrator account *cannot* be deleted. ... Recovery Console, it asks me for the administrator password. ... WinXP Pro asks the installer to set the Administrator's password during installation, ...
    (microsoft.public.windowsxp.general)
  • Re: SBS 2003 - setup indicating "built-in administrator" on a DC?
    ... there still should be a built-in domain Administrator account ... on the SBS server even with a DC. ... *isn't* a built-in administrator account anymore. ... The username I'm ...
    (microsoft.public.windows.server.sbs)
  • Re: Locked out admin account
    ... from Resource Kit to enable locking out for built-in Administrator account. ... In Windows 2000 you can only lock it out from remote logons while in 2003 ... Enable Account Lockout for Remote Administrator Logons ...
    (microsoft.public.windows.server.networking)
  • not using fast user switching. Re: Logs off after choosing a built-in guest account
    ... The built-in administrator account was in the Control Panel 'User Accounts' ... window in an other administrator account session before. ...
    (microsoft.public.windowsxp.security_admin)