Re: Where is Local Group Assignment Stored?



"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:x-idnY2o9aFmjnDYnZ2dnUVZ_t2tnZ2d@xxxxxxxxxxxxxxx
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:u96Pch7XHHA.992@xxxxxxxxxxxxxxxxxxxxxxx
Will,
Let's get clear about built-in Administrator (however renamed) as
they exist on a DC (there are two). Part of what you speak of does
indicate your concern over the built-in Administrator that exists in
the domain (i.e. concern over making sure it is denied access to
reg/filesystem/user rights, etc.).
The built-in Administrator that is in the local SAM of a DC is
the DS restore mode admin login (however renamed). You would
probably be well off not crippling this account (just give it a privately
held name and a strong passphrase) since when you do need it you
really will not want other "issues" getting in the way (i.e. mucking
with the groups in the reg as you initially suggested).
Now, while built-in admin is a well-known SID, as you surmise
toward end of your post, it is an account in context of the running
system (the ds restore mode minimal system or ad), governed by
settings (group memberships and uses) of that system.

So the bottom line is: on a Windows 2000 DC, am I safe putting the default
Administrator account in the domain (not the one used in restore mode) into
domain groups that deny access to resources?



Right. However, simply give it a long password (I use a tool that
generates, given n, a pseudo-random phrase n characters long). It is
simpler to monitor for password change and logon/use than for changes
to memberships of a number of groups used to guard the user rights.

For the machine local users and groups, it is safe to grant Administrators
read to the HKLM\Security key. Inside the SAM you will see how
memberships are stored, by listing an entry per member with the
significant part of that principal's SID, which you can likewise locate
via the values under Names if the principal is local. Etc.

Roger
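Roger's point above, that the built-in Administrator is a well-known SID (RID 500) whatever it is renamed to and that watching its password changes and logons is simpler than watching group memberships, as an added Python example that is not from the thread: it scans constructed Security-log-style records and flags the watched events on RID 500. The CSV record shape and the event IDs (4624/4625/4723/4724, the Vista-and-later numbering rather than Windows 2000's) are assumptions made for illustration.

```python
import re

# Well-known RID of the built-in Administrator account. It keeps this RID
# whatever the account is renamed to, so matching on the SID (not the
# name) is the robust way to watch it.
ADMIN_RID = 500

# Security log event IDs (Vista/2008 and later numbering, assumed here):
# 4724 = password reset attempt, 4723 = password change attempt,
# 4624 = successful logon, 4625 = failed logon.
WATCHED_EVENTS = {4724: "password reset", 4723: "password change",
                  4624: "logon", 4625: "failed logon"}

# Domain/machine SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid):
    """Return the RID (last sub-authority) of a domain/machine SID, or None."""
    m = SID_RE.match(sid)
    return int(m.group(1)) if m else None


def is_builtin_admin(sid):
    return rid_of(sid) == ADMIN_RID


# Constructed sample records in an assumed "EventID,TargetSid,TargetName"
# shape (not real log data). The account has been renamed to svc-backup-xx.
SAMPLE_EVENTS = """\
4624,S-1-5-21-1111-2222-3333-1105,jsmith
4724,S-1-5-21-1111-2222-3333-500,svc-backup-xx
4624,S-1-5-21-1111-2222-3333-500,svc-backup-xx
4723,S-1-5-21-1111-2222-3333-1106,bjones
4625,S-1-5-21-1111-2222-3333-500,svc-backup-xx
"""


def find_admin_activity(text):
    """Return (event_id, description, current_name) for watched events on RID 500."""
    hits = []
    for line in text.splitlines():
        eid, sid, name = line.split(",")
        eid = int(eid)
        if eid in WATCHED_EVENTS and is_builtin_admin(sid):
            hits.append((eid, WATCHED_EVENTS[eid], name))
    return hits


if __name__ == "__main__":
    for eid, what, name in find_admin_activity(SAMPLE_EVENTS):
        print(f"ALERT: {what} (event {eid}) on built-in Administrator, now named {name!r}")
```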
