Re: Local Administrator Account



You would have to go all the way back to the LANMAN and OS/2 documentation. Initially, prior to the concept of a "domain", this is how all authentication communication between the machines was handled.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


John wrote:
Can you explain to me more about the fact that it is by design? Can you point me to resources that explain this? Thanks in advance.

"Joe Richards [MVP]" wrote:

It isn't an issue, it is by design and it isn't going to change.

Use different passwords on the accounts if you don't want the admin on one machine to access resources on another machine. It is bad security practice to use identical passwords on multiple accounts anyway.




John wrote:
I have a Windows 2003 Active Directory environment. I have XP workstations and member servers with the local administrator account password set the same. I logged into the XP workstation as the local administrator. Then I was able to access all the administrative shares of the other workstations and member servers that have the same password. I would be able to UNC path to \\server\c$ without a domain authentication prompt. I remember this was an issue in the NT domain days when you could log on to other domains if the administrator account and passwords were the same. I checked another Windows 2003 AD as well as a 2000 AD and it still happened. Any ideas why and how to stop it?