Re: Logon with disabled admin account possible!
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/27/04
- Previous message: Tim Springston [MSFT]: "Re: Windows 2003 Server, Constant Logon/Logoff in my Security Log - does this mean something is worng?"
- In reply to: Franz Schenk: "Re: Logon with disabled admin account possible!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Jul 2004 19:17:43 -0700
Point taken. It is IMO suboptimal, but understandable
as the ability to disable the built-in admin is not something
that W2k understands. Evidently it was not something deemed
simple to backport into W2k, or if simple not worth the
possible side-effects on existing deployed customer systems.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message news:O%23PxECycEHA.2544@TK2MSFTNGP10.phx.gbl...
> Thank you very much for your help. I now have an explanation for our customer and know that this behaviour is "by design".
> I also could reproduce on a Windows 2000 server that it is not possible to disable the built-in administrator account. I've got a message at the moment when I tried to disable the account.
>
> But what we have in the customer domain with mixed Windows 2000 and Windows 2003 DCs is very questionable to me: I CAN disable the account in Active Directory Users and Computers without getting any error message, and the administrator account IS shown as disabled in the Windows 2003 AND in the Windows 2000 "Active Directory Users and Computers" MMC snap-ins. And the "disabled" Administrator is able to log on to the Windows 2000 DC without any security-related event being logged in the security event log of either DC. And a search in the MS KB with the keywords "disable administrator account" does not show any articles related to this issue.
>
> best regards
> Franz
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message news:uJqKRoxcEHA.3864@TK2MSFTNGP10.phx.gbl...
> > Whether this is a security hole or not has been a matter of discussion, and this behavior is something that has been changed over time between versions. With W2k and earlier it was not possible to disable the built-in admin account - you could rename it and restrict it to local (not network type) console login. With XP and later (i.e. W2k3) it became possible to disable the built-in admin account - in which case it only remains available in recovery/safe mode boots.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Server System: Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> >
> > "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message news:utpM5BxcEHA.1356@TK2MSFTNGP09.phx.gbl...
> > > We have a network with Windows Server 2003 Active Directory with two DCs: one is Windows 2000 Server SP4, the other is Windows 2003 Server. Each system has all Windows security updates applied.
> > >
> > > The customer has discovered that he is able to log on locally or over a terminal session with the disabled admin account, and we are able to reproduce this behaviour every time!!!
> > >
> > > - This works only on the Windows 2000 DC; logon to the Windows 2003 DC is not possible, as it should be.
> > > - There are no errors on either DC in the DNS and Directory Service event logs. replmon.exe shows successful replication on all AD partitions.
> > > - On the Windows 2000 DC, in the application event log there are four Perflib 1015 error messages and one Userenv 1000 message "Windows cannot determine the user or computer name. Return value (1317)." after logging on to the Windows 2000 DC. Logging on with the disabled AD administrator account takes a long time, but it works!
> > >
> > > never thought that there are such security holes still open
> > >
> > > Thanks in advance for any advice
> > > Franz
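A check a domain administrator can run against the situation described in this thread, added here as an example and not code from any of the posters: it reads the built-in Administrator's (RID 500) userAccountControl to confirm the ACCOUNTDISABLE bit (0x2) is actually set in the directory, shows the replicated lastLogonTimestamp (a recent value on an account flagged disabled is the cue to go through the per-DC security logs), and lists every domain controller whose operating system string identifies it as Windows 2000, since, per the discussion above, such a DC does not honour the disabled flag on that account. It assumes the ActiveDirectory PowerShell module is available on the host where it runs; the cmdlets and property names are the module's own, the output formatting is mine.

```powershell
# Added example: audit the built-in Administrator's disabled flag and find DCs
# that would ignore it. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$ACCOUNTDISABLE = 0x2   # userAccountControl bit that marks an account disabled

# The built-in Administrator is always RID 500 of the domain SID, whatever it
# has been renamed to.
$domain          = Get-ADDomain
$builtinAdminSid = "$($domain.DomainSID.Value)-500"
$admin           = Get-ADUser -Identity $builtinAdminSid `
                     -Properties userAccountControl, lastLogonTimestamp

$flagSet = ($admin.userAccountControl -band $ACCOUNTDISABLE) -ne 0
"Built-in admin account : {0}" -f $admin.SamAccountName
"ACCOUNTDISABLE bit set : {0}" -f $flagSet

# lastLogonTimestamp is replicated (coarse, days-level) so it is only a hint;
# the authoritative record is each DC's own security log.
if ($admin.lastLogonTimestamp) {
    "lastLogonTimestamp     : {0}" -f [DateTime]::FromFileTime($admin.lastLogonTimestamp)
}

# A Windows 2000 DC accepts a logon for this account even when the flag is set.
"`nDomain controllers:"
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem |
    ForEach-Object {
        $note = if ($_.OperatingSystem -match '2000') { '<-- ignores the disabled flag on RID 500' } else { '' }
        "{0,-32} {1,-36} {2}" -f $_.HostName, $_.OperatingSystem, $note
    }
```

If the flag is set and the DC list still contains a Windows 2000 machine, the mitigation the thread points at is the one Roger Abell describes for W2k: rename the account and restrict it to console logon, and treat the Windows 2000 DC's security log, not the replicated attribute, as the place to look for its use.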