Re: Logon with disabled admin account possible!
From: Franz Schenk (franz.schenkNOSPAM_at_fititNO-_SPAM.ch)
Date: 07/26/04
- Previous message: Roger Abell: "Re: Logon with disabled admin account possible!"
- In reply to: Roger Abell: "Re: Logon with disabled admin account possible!"
- Next in thread: Roger Abell: "Re: Logon with disabled admin account possible!"
- Reply: Roger Abell: "Re: Logon with disabled admin account possible!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Jul 2004 16:57:16 +0200
Thank you very much for your help. I now have an explanation for our
customer and know that this behaviour is "by design".
I could also reproduce on a Windows 2000 server that it is not possible to
disable the built-in administrator account. I got a message the moment
I tried to disable the account.
But what we have in the customer domain with mixed Windows 2000 and Windows
2003 DCs is very questionable to me: I CAN disable the account in Active
Directory Users and Computers without getting any error message, and the
administrator account IS shown as disabled in the Windows 2003 AND in the
Windows 2000 "Active Directory Users and Computers" MMC snap-ins. And the
"disabled" Administrator is able to log on to the Windows 2000 DC without
any security-related event being logged in the security event log of
either DC. And a search in the MS KB with the keywords "disable
administrator account" does not show any articles related to this issue.
Best regards
Franz
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uJqKRoxcEHA.3864@TK2MSFTNGP10.phx.gbl...
> Whether this is a security hole or not has been a matter of
> discussion, and this behavior is something that has been changed
> over time between versions. With W2k and earlier it was not
> possible to disable the built-in admin account - you could rename
> it and restrict it to local (not network type) console login.
> With XP and later (i.e. W2k3) it became possible to disable the
> built-in admin account - in which case it only remains available
> in recovery/safe mode boots.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
> news:utpM5BxcEHA.1356@TK2MSFTNGP09.phx.gbl...
> > We have a network with Windows Server 2003 Active Directory with two DCs:
> > one is Windows 2000 Server SP4, the other is Windows 2003 Server. Each
> > system has all Windows security updates applied.
> >
> > The customer has discovered that he is able to log on locally or over a
> > terminal session with the disabled admin account, and we are able to
> > reproduce this behaviour every time!!!
> >
> > - This works only on the Windows 2000 DC; logon to the Windows 2003 DC is
> > not possible, as it should be.
> > - There are no errors on either DC in the DNS and Directory Service event
> > logs. replmon.exe shows successful replication on all AD partitions.
> > - On the Windows 2000 DC in the application event log, there are four 1015
> > Perflib error messages and one Userenv 1000 message "Windows cannot
> > determine the user or computer name. Return value (1317)." after logging on
> > to the Windows 2000 DC. Logging on with the disabled AD administrator
> > account takes a long time, but it works!
> >
> > Never thought that there are such security holes still open.
> >
> > Thanks in advance for any advice
> > Franz
> >
> >
>
>
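A defender-side check for the situation described in this thread (the account shows as disabled everywhere, yet one DC still authenticates it and logs nothing). This is an added example, not code from either poster; it assumes the RSAT ActiveDirectory module and read access to every DC. It queries each DC directly because the lastLogon attribute is not replicated, so only the DC that actually performed the logon will show it.

```powershell
# Added example: audit the built-in Administrator (RID 500) as seen by every DC.
# Assumes: ActiveDirectory module installed, rights to read user attributes on each DC.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
$adminSid  = "$domainSid-500"   # RID 500 is the built-in Administrator even if it was renamed

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Ask this specific DC. userAccountControl replicates, lastLogon does not,
        # so a logon that only one DC accepted is visible only on that DC.
        $u = Get-ADUser -Identity $adminSid -Server $dc.HostName `
                -Properties userAccountControl, lastLogon, sAMAccountName

        $disabled  = ($u.userAccountControl -band 0x2) -ne 0      # ADS_UF_ACCOUNTDISABLE
        $lastLogon = if ($u.lastLogon -gt 0) { [DateTime]::FromFileTime($u.lastLogon) } else { $null }

        [pscustomobject]@{
            DC                = $dc.HostName
            OS                = $dc.OperatingSystem
            Account           = $u.sAMAccountName
            Disabled          = $disabled
            LastLogonOnThisDC = $lastLogon
        }
    } catch {
        [pscustomobject]@{
            DC = $dc.HostName; OS = $dc.OperatingSystem; Account = $null
            Disabled = $null;   LastLogonOnThisDC = "query failed: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize

# The condition from the thread: flagged disabled, but a DC still holds a logon timestamp for it.
# Compare LastLogonOnThisDC against the time you disabled the account; a later value means
# that DC authenticated the "disabled" account without the directory flag stopping it.
$report |
    Where-Object { $_.Disabled -eq $true -and $_.LastLogonOnThisDC -is [DateTime] } |
    ForEach-Object {
        Write-Warning "$($_.DC) ($($_.OS)): RID-500 account is disabled but last logged on here at $($_.LastLogonOnThisDC)"
    }
```

Since the thread reports that the Windows 2000 DC writes no security event for these logons, the per-DC lastLogon value is the one directory-side trace left to correlate against.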