Re: Too late for Administrator's Password?
- From: "DSG" <jgillig1@xxxxxxxxxxxx>
- Date: Fri, 24 Jun 2005 00:40:04 GMT
Your instruction is a 1-2-3 approach which I was hoping to get. I have a
large collection of instructions that would do this job, but it never says
what to do first. Thanks, much. dsg
mmmmmmmmmmmmmmmmmmmmmmmmmmmm
"Winguy" <NoSpam@xxxxxxxxxx> wrote in message
news:5-SdnYl27ujJuSbfRVn-pA@xxxxxxxxxxxxxx
> First, if you're going to be messing with permissions then ALWAYS FIRST
> SET A SYSTEM RESTORE POINT at minimum. For extra protection, install the
> XP Recovery Console (search in Start | Help and Support" on the phrase
> "recovery console" without the quote marks, look in the left pane for the
> info on how to install it). Install that RC. Since you'e the only one
> using your computer, there's no need (unless you want it) to require a
> password to login to the RC as the system Administrator, so do this:
>
> For XP-Pro, go into Control Panel and open Administrative Tools and then
> open Local Security Policy. In the left pane expand the Local Policies
> folder and click the Security Options folder. In the right pane, scroll
> down to where you see 2 lines starting with "Rcovery Console:".
> Right-click each of them, select Properties, select the Enable option, and
> click ok. When done, close the Local Security Settings. Now go to each of
> these folders and create within each of them a folder called "MyBackUp"
> (where %windir% is the root of where Windows was installed to, usually
> something like Windows or WINNT):
>
> %windir%\security\
> %windir%\system32\config
>
> Go into the root of Drive C, make sure you can view all files (system,
> hidden, all of them) and then un-writeprotect the "boot.ini" file and then
> open it with Notepad. You'll see a line that says "timeout=30" and you
> should change that timeout to something more reasonable, like 6 (for 6
> seconds). This timeout is how long there will be displayed the option to
> go into the RC every time you boot. Save boot.ini, exit Notepad, go back
> and make its Properties read-only again. It's a good idea to have a backup
> copy of boot.ini, renamed to something else like "MyBoot.ini" or
> something.
>
> Now reboot the computer and elect to go into the RC while you see the
> option displayed for that timeout period that you defined above. Issue
> these commands exactly as shown here (you may not use wildcards like in
> old DOS):
>
> cd %windir%\system32\config
> copy default MyBackUp\DEFAULT
> copy sam MyBackUp\SAM
> copy security MyBackUp\SECURITY
> copy software MyBackUp\SOFTWARE
> copy system MyBackUp\SYSTEM
> copy userdiff MyBackUp\USERDIFF
> dir
> [If you now see other files that start with the characters "userdif" but
> are not named "userdiff" then copy them over, too.]
> exit
> [the computer now boots into windows]
>
> What you have just done is made a copy of the system registry, which is
> composed of those files. If you were not even able to boot into safe mode
> or System Restore just won't work, copying them back to the
> %windir%\system32\config folder, via the RC, would probably allow you to
> boot normally again. You should keep these backups up to date.
>
> Equally important is to keep a backup of your security policies. You can
> do this from Windows Explorer. If you get an error about the file being
> open by something else then reboot, the policies are busy because they are
> in process of being updated and that will happen at shutdown and then you
> should not get that error. You could do it from the RC, but that's not
> necessary. In the %windir%\security folder copy EVERYTHING there (except
> your MyBackUp folder!) into your MyBackUp folder that you created within
> that folder. Now, if the files are not busy you can put them back again
> and eliminate some serious security problems that can occassionally occur
> due to file corruption (power off at exactly the incorrect time or
> whatever). If necessary, you could (painfully) put them back using the RC.
>
> Feeling a little safer now? Make a System Restore Point anyway.
>
> Next, administrator, you need to have the security tab show when you
> right-clcik a file or folder, that's where you assign very granular
> permissions about who can access what and what permissions are allowed.
> Well, that's why they call it XP-Pro (you can't do this with teh Home
> edition). Launch (Windows) Explorer (no, not Internet Explorer!) and
> select Tools, then Folder Options, then click the View tab, and UNSELECT
> the "Display simple folder view in Explorer's Folders" option, and then
> click OK and then exit Explorer. Now you can right-click nearly any file
> or folder, select Properties, go into the Security tab, and make things
> much more to your liking (or a lot worse). Always have backup of your
> registry and security policy before you do things with security!
>
> Now, more to your orignal question. No, everyone who is a member of the
> Administrators Group has Administrator powers everywhere BY DEFAULT AT XP
> INSTALLATION. Which doesn't mean you can not change default stuff and
> remove (or add) the Administrator Group in individual or inherited cases
> on that Security tab I was talking about -- you can, and therby limit (or
> add) permissions for certain accounts (say, just one particular logged in
> administrator account). If you did something like that then ONLY that
> particular administrator could change things, so don't do that unless
> you've wisely created yet another administrator account that you always
> give the same godly permissions to as you give to the first (primary) one.
> Then if somethig happens to one account (virus, per chance) you can go
> into the other one and still have god power over your virtual domain. I'll
> have to leave it up to you to learn about inheriting (or removing
> inheritance) of permissions and the like ... hey, they teach entire
> classes about this sort of thing but there're some good books too, not to
> mention many fine articles about security all over the internet. Actually,
> it's not all that difficult as they make it out to be. Just be religious
> on backup of the registry and at the same identical time period the
> security folder content too, and you can recover from most any problem you
> invoke except for files that you sent to the bit bucket instead of to the
> recycle bin ...
>
> And don't use a powerful administrator account to surf the net with, use a
> limited account to do that and dl your stuff with it then switch to an
> administrator account to install it and so on. Not that most of us really
> do all this good stuff! So also have good antivirus, firewall, and on and
> on and on ...
>
> In short, give your admin account god power everywhere on your HDD. Then
> it can access most anything, anywhere. There are some minor but important
> limits, some things only the system has permission to use.
>
.
- References:
- Too late for Administrator's Password?
- From: DSG
- Re: Too late for Administrator's Password?
- From: Winguy
- Too late for Administrator's Password?
- Prev by Date: control panel stuck in catagory view.
- Next by Date: activesync 3.8 installation error
- Previous by thread: Re: Too late for Administrator's Password?
- Next by thread: Too Late for Administrator's Password?
- Index(es):
Relevant Pages
|
