Re: Where is Local Group Assignment Stored?
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Mon, 5 Mar 2007 23:25:58 -0700
Will,
Let's get clear about built-in Administrator (however renamed) as
they exist on a DC (there are two). Part of what you speak of does
indicate your concern over the built-in Administrator that exists in
the domain (i.e. concern over making sure it is denied access to
reg/filesystem/user rights, etc.).
The built-in Administrator that is in the local SAM of a DC is
the DS restore mode admin login (however renamed). You would
probably be well off not crippling this account (just give it a privately
held name and a strong passphrase) since when you do need it you
really will not want other "issues" getting in the way (i.e. mucking
with the groups in the reg as you initially suggested).
Now, while built-in admin is a well-known SID, as you surmise
toward end of your post, it is an account in context of the running
system (the ds restore mode minimal system or ad), governed by
settings (group memberships and uses) of that system.
Roger
"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:06udnVjBqtnNm3DYnZ2dnUVZ_tWhnZ2d@xxxxxxxxxxxxxxx
"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:uiMWd06XHHA.3996@xxxxxxxxxxxxxxxxxxxxxxx
It is in the SAM and the SAM is part of the registry. Doesn't matter
though, direct manipulation of any of that is absolutely unsupported.
Use the published API.
If you boot from Windows PE, would the API you need to remove a user from a
local group be provided?

The requirement came up because Windows 2000 AD doesn't let you disable the
BUILTIN Administrator. We wanted to add it to groups that would have deny
privileges on file system and registry, as well as entry in the Deny login,
Deny batch, and Deny service user rights in GPO. That effectively disables
it. And we would have other accounts used for AD administration that have
tighter security on them (Logon Locally restrictions, do not allow
delegation, and eventually smartcard requirement).

Now if we do all of those things to the BUILTIN Administrator, I guess those
Deny groups are actually domain groups and not true "Local" groups. If the
AD becomes corrupt and you need to boot the computer in AD recovery mode,
then I guess the Administrator would no longer be in any of the Deny groups,
so those are entities that only exist when the domain entities are
available? If so, then I guess the situation is somewhat self-healing and
the BUILTIN Administrator becomes a usable account when you are in AD
recovery mode.

I would still like to have a Windows PE or Bart's PE disk that has a program
that lets me change local group assignments. At the very least I could fight
against a denial of service that puts any account into a group whose purpose
is to deny access to resources.
--
Will
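The supported route the thread points at (published API rather than editing the SAM hive, and identifying built-in Administrator by its well-known RID rather than by whatever it has been renamed to), as an added PowerShell example that is not part of the original posts. It assumes an elevated session on the target machine with PowerShell 3 or later; the parameter names, the -Apply switch and the template file names are this example's own. The user-right constants in the template are the documented secedit names for "Deny log on locally", "Deny log on as a batch job", "Deny log on as a service" and "Deny access to this computer from the network".

```powershell
# Added example (not from the thread). Locates built-in Administrator by RID 500,
# reports its group memberships through the WinNT ADSI provider (the published API
# Joe refers to, instead of reading the SAM hive), optionally removes it from one
# group, and writes a secedit template that assigns its SID to the deny-logon rights
# Will describes. Assumes an elevated session on the machine being inspected.
[CmdletBinding()]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$RemoveFromGroup,   # hypothetical parameter: a group to remove RID 500 from
    [switch]$Apply              # hypothetical switch: run secedit instead of only writing the .inf
)

$ErrorActionPreference = 'Stop'

# 1. Find the account by its well-known RID (500), so a rename does not matter.
#    WQL LIKE is used so WMI does the filtering; on a domain member this still
#    walks the account database, which is slow on a large domain.
$admin = Get-CimInstance Win32_UserAccount -Filter "SID LIKE '%-500'" |
         Where-Object { $_.SID -match '^S-1-5-21-\d+-\d+-\d+-500$' } |
         Select-Object -First 1
if (-not $admin) { throw "No RID-500 account found via WMI on $ComputerName" }
"Built-in Administrator is currently named '$($admin.Name)', SID $($admin.SID)"

# 2. Enumerate group memberships through ADSI rather than the registry.
$user   = [ADSI]"WinNT://$ComputerName/$($admin.Name),user"
$groups = @($user.psbase.Invoke('Groups') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
"Member of: $($groups -join ', ')"

# 3. Optional: undo an unwanted membership through the same supported interface.
if ($RemoveFromGroup) {
    $grp = [ADSI]"WinNT://$ComputerName/$RemoveFromGroup,group"
    $grp.Remove($user.Path)     # Remove() takes the member's ADsPath
    "Removed '$($admin.Name)' from '$RemoveFromGroup'"
}

# 4. Security template assigning the deny-logon rights to that SID. A leading '*'
#    tells secedit the value is a SID, not a name, so it survives renames too.
$sid = $admin.SID
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$sid
SeDenyBatchLogonRight = *$sid
SeDenyServiceLogonRight = *$sid
SeDenyNetworkLogonRight = *$sid
"@
$inf = Join-Path $env:TEMP 'deny-builtin-admin.inf'
Set-Content -Path $inf -Value $template -Encoding Unicode
"Template written to $inf"

# 5. Applying it changes the running system's local policy only. On a DC the
#    equivalent GPO settings are not in effect in Directory Services Restore Mode,
#    which is why the DSRM account stays usable there, as Roger notes above.
if ($Apply) {
    $db = Join-Path $env:TEMP 'deny-builtin-admin.sdb'
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS
}
```

Run it without -Apply first and read the .inf it writes; the SID-based form is what a GPO's Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment entries resolve to, so the same four rights can be set there instead of through secedit. None of this works against an offline SAM from Windows PE: the WinNT provider and secedit both need the target system running, which is the point Joe makes about direct hive manipulation being unsupported.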