Re: How do I prevent local administrator from logging on in safe mode

---

• From: "Kurt Roggen" <kurt.roggen@xxxxxxxxxx>
• Date: Wed, 6 Dec 2006 10:03:25 +0100

---

Setting a password with the RIS isn't really an option. It would be readable in the .sif file, or we would have to enter one each time. Both aren't really options for us.

You do have the option to set the local administrator password to encrypted in your sif file (via SetupManager) since Windows XP.
--
Kurt Roggen
http://blogontheweb.com/roggenk


"Freaky" <notgoodtomention@xxxxxxxxxx> wrote in message news:%23G6uJCTFHHA.4580@xxxxxxxxxxxxxxxxxxxxxxx

Thanks for the re. Guess there's not much options then. Someone in the others newsgroup advised a group policy start-up/shutdown command to set the local administrator password. Guess we'll look into that then, perhaps in combination with a randomizer.

Thanks again

Roger Abell [MVP] wrote:

But you did not cross-post. You evidently multi-posted, which is
sending the same thing separately, one by one, to multiple groups.
Cross-posting is making one post named to go to multiple groups,
keeping all responses visible to all in all of those groups.

The memory of those that believe it was not previously possible
is either in error, or someone changed the password to some very
ugly, forgotten value so that no one could log in in safe mode.

Prior to XP it was not possible to disable the built-in account,
but in later W2k it became possible to make it so that it could
only be used for local login, not over the network.
When the built-in admin account is disabled it can still be used
to log in within a safe mode boot, this is also true if locked.

The idea from early days of NT was that there must be at least
one protected way to get in with admin privs. Hence the built-in
admin, which back then could not be disabled and could not be
locked out. This evolved, and the remaining behavior is that
it can be made useless, except in a safe mode boot.

"Freaky" <notgoodtomention@xxxxxxxxxx> wrote in message news:uZrWQkHFHHA.924@xxxxxxxxxxxxxxxxxxxxxxx

Cross-post on advise. Original from microsoft.public.windowsxp.general

Hey there,

I started a topic earlier that administrator was able to logon in safe mode (whilst the account is disabled...). Appearantly this is normal, although I don't understand why... We don't disable the account for nothing... if we wanted to use it we'd password protect it.

Anyways, with the setup that was here previously it was _NOT_ possible to logon as administrator locally in safe mode. Now I still have the RIS image, and installed it on a workstation. However, now it is possible to logon.

This probably means the setting came from a group policy, as we've changed a lot in these and removed a lot of them too. Anyone know what setting it might have been? Can't be much else as the old images now do allow administrator in safe mode. There are 3 people here that are absolutely sure it wasn't possible before with those images... Don't remember the error message tho' that would have helped :/.

Setting a password with the RIS isn't really an option. It would be readable in the .sif file, or we would have to enter one each time. Both aren't really options for us.

So if anyone has any suggestions on preventing the (disabled..) administrator account from accessing safe mode, that would be great. The problem is that people just logon to the machine as local administrator using safe mode w/ networking and add themselves to the local administrators group. This is very undesirable.

TIA

.

---

• References:
  • How do I prevent local administrator from logging on in safe mode
    • From: Freaky
  • Re: How do I prevent local administrator from logging on in safe mode
    • From: Roger Abell [MVP]
  • Re: How do I prevent local administrator from logging on in safe mode
    • From: Freaky

• Prev by Date: Re: WiFi, VPN's & Group Policy
• Next by Date: Re: some users without GPO
• Previous by thread: Re: How do I prevent local administrator from logging on in safe mode
• Next by thread: WiFi, VPN's & Group Policy
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: How do I prevent local administrator from logging on in safe mode ... Someone in the others newsgroup advised a group policy start-up/shutdown command to set the local administrator password. ... forgotten value so that no one could log in in safe mode. ... Prior to XP it was not possible to disable the built-in account, ... The problem is that people just logon to the machine as local administrator using safe mode w/ networking and add themselves to the local administrators group. ... (microsoft.public.windows.group_policy) Re: Safe Mode trouble ... > however when he went into safe mode he must have selected without ... > Any suggestions on how to correct and possibly disable msconfig to ... You should be able to sign in to the local administrator account without ... (microsoft.public.windowsxp.general) Re: Boot-up peculiarity ... "William B. Lurie" wrote in message ... I screen all the Windows Update downloads (I don't just let ... The password for the built in Windows Administrator account is normally blank. ... boot the computer into Safe Mode. ... (microsoft.public.windowsxp.basics) Re: Boot-up peculiarity ... "William B. Lurie" wrote in message ... I screen all the Windows Update downloads (I don't just let ... The password for the built in Windows Administrator account is normally blank. ... boot the computer into Safe Mode. ... (microsoft.public.windowsxp.basics) Re: Boot-up peculiarity ... I'm selective on what WUs I do install, ... I screen all the Windows Update downloads (I don't just let ... The password for the built in Windows Administrator account is normally blank. ... boot the computer into Safe Mode. ... (microsoft.public.windowsxp.basics)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)