Re: Domain Controller Security Policy

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/13/05

    Date: Sat, 13 Aug 2005 07:07:20 -0700
    
    

    As she has the ADRM password, if she also has a backup to
    use that is fresh enough, then your best route may be to restore
    the GPO(s) on the DC OU to a point before she did the rename.
    Otherwise, I am not sure, but doubtful, whether you could in
    ADRM get at just that policy or its value (the @dm name), or
    the enable/disable attribute of the GPO link to the OU, etc.

    -- 
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4)  MCDBA
    "Eric Eickhoff" <eric_at_sigma@nospam.nospam> wrote in message
    news:O2xzkU4nFHA.3996@TK2MSFTNGP12.phx.gbl...
    > Greetings,
    >
    > I am stumped as to whether or not this can be resolved, but a client set the
    > Rename Administrator Account setting in the Domain Controller Security
    > Policy to a name containing the '@' character.  Of course now, she can't log
    > on to the domain with that account and as luck would have it -- she doesn't
    > have any other accounts with domain admin privileges and this is the only
    > domain controller.  It is a W2K3 DC.  Does anyone know if the DC Security
    > Policy can be reset -- at least the Rename Administrator Account setting (I
    > know -- this sounds fishy from a security standpoint and truly don't expect
    > an answer on that one) or is there a way to log on to the system using the
    > account name with '@' signs in it.  I had her try entering
    > DOMAIN\@ministrator in the username with no luck. I am assuming that it is
    > looking at the information after the '@' sign as being the domain info and
    > that is why it is failing.  She does have the password for the Active
    > Directory Restore Mode if it helps.
    >
    > Anyone have any insight?
    
