Re: Resetting local administrator password

"Thee Chicago Wolf (MVP)" wrote:

There appears to be a way, using the net user <administrator account name> *
command via command prompt, to reset the local administrator password. While
I can block access to My Computer>Manage and Start>Run>cmd, there are still
ways for a user to get to a command prompt....

Also, doesn't it seem like a big security hole that you're allowed to reset
a local admin password without having local admin rights to that box? I
didn't think that was true, but I just logged on to a machine with a regular
domain account (that doesn't have local admin rights to the box) and was able
to reset the local admin password via My Computer>Manage and command prompt.

Anyone have any suggestions to further lock down a box to prevent this from
happening?

The Domain Account could have rights to change a local admin password.
Domain accounts usually trump local accounts. If you want, you could
disable NTFS execute permissions on command.com and cmd.exe so no DOS
access is allowed or only for the local admin and system. That could
possibly bung-up some logon scripts unless the system account is
parsing and processing them.

How would I go about disabling NTFS execute permissions on command.com and
cmd.exe? Would I go to that file in Windows, rt-click>Security and lock it
down there? Not sure how to accomplish this one...

Or, using group policies, go to User Configuration\Administrative
Templates\System\Prevent Access To The Command Prompt = Enabled

- Thee Chicago Wolf (MVP)


Would this also prevent someone from creating a notepad doc with "cmd" and
saving the doc as a .bat file and having them run it to get to a command
prompt?
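
A way to check the point raised in the thread, that the domain account may already hold rights over local accounts, is to audit the local Administrators group from the logged-on session. This is an added example, not part of the original posts; it assumes PowerShell is available on the workstation and is run as the account being tested.

```powershell
# Added example (not from the thread): run on the workstation as the account under test.
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators

# 1. Does the token of this session carry local Administrators rights?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal $identity
$isAdmin   = $principal.IsInRole($adminSid)
"{0} holds local Administrators rights in this session: {1}" -f $identity.Name, $isAdmin

# 2. Who is in the local Administrators group? Resolve the group name from its
#    well-known SID so the lookup also works on localized Windows installs.
$groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

$members = foreach ($m in @($group.Invoke('Members'))) {
    $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    New-Object PSObject -Property @{
        Member   = $path -replace '^WinNT://', ''
        # Paths without /<this computer>/ are domain or built-in principals,
        # for example a domain group nested into the local group.
        NonLocal = $path -notmatch ('/' + [regex]::Escape($env:COMPUTERNAME) + '/')
    }
}
$members | Sort-Object NonLocal -Descending | Format-Table Member, NonLocal -AutoSize
```

If step 1 reports True, the account is not a regular user on that machine, and the non-local entries from step 2 show which group membership grants the rights.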