Re: How do I prevent local administrator from logging on in safe mode
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 30 Nov 2006 21:11:21 -0700
But you did not cross-post. You evidently multi-posted, which is
sending the same thing separately, one by one, to multiple groups.
Cross-posting is making one post named to go to multiple groups,
keeping all responses visible to all in all of those groups.

The memory of those that believe it was not previously possible
is either in error, or someone changed the password to some very
ugly, forgotten value so that no one could log in in safe mode.

Prior to XP it was not possible to disable the built-in account,
but in later W2k it became possible to make it so that it could
only be used for local login, not over the network.
When the built-in admin account is disabled it can still be used
to log in within a safe mode boot; this is also true if locked.

The idea from early days of NT was that there must be at least
one protected way to get in with admin privs. Hence the built-in
admin, which back then could not be disabled and could not be
locked out. This evolved, and the remaining behavior is that
it can be made useless, except in a safe mode boot.

"Freaky" <notgoodtomention@xxxxxxxxxx> wrote in message
news:uZrWQkHFHHA.924@xxxxxxxxxxxxxxxxxxxxxxx
Cross-post on advice. Original from microsoft.public.windowsxp.general

Hey there,

I started a topic earlier that administrator was able to log on in safe
mode (whilst the account is disabled...). Apparently this is normal,
although I don't understand why... We don't disable the account for
nothing... if we wanted to use it we'd password protect it.

Anyways, with the setup that was here previously it was _NOT_ possible to
log on as administrator locally in safe mode. Now I still have the RIS
image, and installed it on a workstation. However, now it is possible to
log on.

This probably means the setting came from a group policy, as we've changed
a lot in these and removed a lot of them too. Anyone know what setting it
might have been? Can't be much else as the old images now do allow
administrator in safe mode. There are 3 people here that are absolutely
sure it wasn't possible before with those images... Don't remember the
error message tho' that would have helped :/.

Setting a password with the RIS isn't really an option. It would be
readable in the .sif file, or we would have to enter one each time. Both
aren't really options for us.

So if anyone has any suggestions on preventing the (disabled..)
administrator account from accessing safe mode, that would be great. The
problem is that people just log on to the machine as local administrator
using safe mode w/ networking and add themselves to the local
administrators group. This is very undesirable.

TIA
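
An audit for the situation discussed in this thread, added here as an example and not part of either post: it reports the state of the built-in Administrator account and lists members of the local Administrators group that are not on an expected list. It assumes a current Windows system with Windows PowerShell 5.1 (the LocalAccounts cmdlets); the `EXAMPLE\...` names are placeholders for your own allowlist.

```powershell
# Added example: audit the built-in Administrator (RID 500) and the local
# Administrators group. Requires the Microsoft.PowerShell.LocalAccounts module.

# Assumption: principals your site expects in local Administrators (placeholders).
$ExpectedAdmins = @('EXAMPLE\Domain Admins', 'EXAMPLE\Workstation Admins')

function Get-BuiltinAdmin {
    # The built-in account keeps a SID ending in -500 even if it has been renamed.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Get-BuiltinAdminStatus {
    $acct = Get-BuiltinAdmin
    [pscustomobject]@{
        Name             = $acct.Name
        Enabled          = $acct.Enabled
        PasswordRequired = $acct.PasswordRequired
        PasswordLastSet  = $acct.PasswordLastSet
        # A disabled account is still usable in a safe mode boot, so the
        # password state is what needs checking, not the Enabled flag.
        NeedsReview      = (-not $acct.PasswordRequired) -or
                           ($null -eq $acct.PasswordLastSet)
    }
}

function Get-UnexpectedLocalAdmin {
    param([string[]]$Expected)
    $builtinSid = (Get-BuiltinAdmin).SID.Value
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -ne $builtinSid -and $_.Name -notin $Expected } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

Get-BuiltinAdminStatus | Format-List
$extra = @(Get-UnexpectedLocalAdmin -Expected $ExpectedAdmins)
if ($extra.Count -gt 0) {
    Write-Warning 'Unexpected members of local Administrators:'
    $extra | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators membership matches the expected list.'
}
```

`NeedsReview` is only a prompt to check the account by hand; a recorded password date does not prove the password is strong.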