Re: Where is Local Group Assignment Stored?



"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:x-idnY2o9aFmjnDYnZ2dnUVZ_t2tnZ2d@xxxxxxxxxxxxxxx
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:u96Pch7XHHA.992@xxxxxxxxxxxxxxxxxxxxxxx
Will,
Let's get clear about built-in Administrator (however renamed) as
they exist on a DC (there are two). Part of what you speak of does
indicate your concern over the built-in Administrator that exists in
the domain (i.e. concern over making sure it is denied access to
reg/filesystem/user rights, etc..
The built-in Administrator that is in the local SAM of a DC is
the DS restore mode admin login (however renamed). You would
probably be well off not crippling this account (just give it a privately
held name and a strong passphrase) since when you do need it you
really will not want other "issues" getting in the way (i.e. mucking
with the groups in the reg as you initially suggested).
Now, while built-in admin is a well-known SID, as you surmise
toward end of your post, it is an account in context of the running
system (the ds restore mode minimal system or ad), governed by
settings (group memberships and uses) of that system.

So the bottom line is: on a Windows 2000 DC, am I safe putting the
default
Administrator account in the domain (not the one used in restore mode)
into
domain groups that deny access to resources?



Right. However, simply giving it a long password (I use a tool the
genreates, given n a pseudo-random phrase n char long). It is more
simple to monitor for password change, logon/use than for change
to memberships of a number of groups used to guard the user rights.

For the machine local users and groups, it is safe to grant Administrators
read to the HKLM\Security key. Inside the SAM you will see how
memberships are stored, by listing an entry per member with the
significant part of that principal's sid, which same you can locate
via the values under Names if the principal is local. Etc..

Roger


.