Disable Win2000 Local Built-in Admin Account
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Disable Win2000 Local Built-in Admin Account

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    172

    Disable Win2000 Local Built-in Admin Account

    Hey,
    I'm looking for a way to disable the built in administrator account in windows 2000. Anyone know of a way. Or if possible remove the account all together... If anyone knows of a way please let me know.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Why on earth would you want to do that?
    How about setting a strong password (14 characters, 4 different groups) on that account?

    As far as I know you cannot disable or delete this account. You can rename it though.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    Here is the whole problem... I have run into users that have downloaded a bootable floppy with chtnpwd or some tool like that on it, that allows a user to boot to a floppy and change the admin password. No matter if you rename the account, it tells the user what the account with admin rights is.

    I want to disable/remove this account and have only Doamin Admins with the rights to administer the computer / a private group membership I will allow later on all local machines that they will be unable to trace. But as long as that built in account is there... all of this is pointless. PLEASE HELP

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    This is a futile attempt. Anyone with physical access to the machine can break into it.

    Your options are:

    Set a BIOS password.
    Disable booting from any other media accept the buildin harddisk.
    Use a blowtorch (or any other way) to secure the box so it cannot be opened and the BIOS cannot be reset.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    I Finally FOUND A WAY.... IT IS POSSIBLE... well, kinda... lol

    How to Deny Access to the Local Administrator on Windows 2000
    In Windows 2000, you cannot disable built-in accounts. However, you can deny access to the local Administrator account by modifying the local security settings.

    NOTE: Before you follow these steps, make sure that there is at least one other local or network user who can gain access to the computer with administrator permissions.
    Log on as Administrator, or as a user with administrator permissions.

    Clicking Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
    In the left pane, expand the Local Policies node, and then click User Rights Assignment.
    In the right pane, double-click Deny access to this computer from the network.
    In Local Security Policy Setting, click Add.
    In the right pane, double-click Deny Logon Locally.
    In Local Security Policy Setting, click Add.
    In the Users and Groups box, click the Administrator account, and then click Add.
    Click OK, click OK, and then quit the Local Security Settings console. You must restart your computer for the new security setting to take effect.

    Works GREAT...

    PS: I did have a bios, they have been resetting it... LOL

    Taken from Microsoft themselves..... wow: http://support.microsoft.com/?kbid=281140

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    jbclarkman:
    Is this in a corporate environment? If so, maybe a review of your policies are in order?

    If that was happening where I work... These people would be out on their rears in no time.

    Make sure that you have proper policies in place. Each employee should read and sign a paper saying that they've read and understood the policy. Not following the policy can result in termination of employment...

    If its at home... then put a lock on it. Or, they have cages you can lock the PCs in... There are several contraptions for physical security...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    Originally posted here by phishphreek80
    jbclarkman:
    Is this in a corporate environment? If so, maybe a review of your policies are in order?

    If that was happening where I work... These people would be out on their rears in no time.
    Yes it is in a corporate enviornment, but the company has decided that so many people are doing it, they would have to fire the entire IT department. It kinda went like, one person found out, and than told someone else, who told 50 other people, and so on and so forth.

    So they asked me to find a solution. Thanks for everyones help... The only next problem would be to find a way to push this out to every machine. I think the best would be a logon script attached to everyones network account? Any other ideas... Any way to keep me from doing this to roughtly 200 machines. lol.... And thats just on 1 floor. LOL

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Can you use this setting on the globaly security policy? You are in an active directory env.?

    I'd test it out... but I'm working on too many things ATM. Just a quick thought.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #9
    Gray Haired Old Fart aeallison's Avatar
    Join Date
    Jul 2002
    Location
    Buffalo, Missouri USA
    Posts
    888
    How are they resetting the BIOS password? I don't know how to do this short of opening the box. Would it not be simpler to disable floppy boot up, lock up the BIOS with a strong password, and possibly place a security sticker or two on the boxes themselves, you know, the type that you place across the cover that can't be removed without damaging the sticker, and check the boxes for tampering regularly?

    Just my 2 cents... I think your management needs a lesson in security, I would fire the whole IT department and bring in some new blood. People are really hurting for jobs these days, it would not be hard at all to replace these "crackers" with a new crew that will adhere to the "new" user policies you need to implement. Someone has to make the first step, you might be able to step up a rung or two on the ladder if you make a formal stand on this issue to the Board of Directors. ( This is just a friendly suggestion, don't do this if you think it may jepordize your job.)

    IMHO it would probably benifit your company to clean house.
    I have a question; are you the bug, or the windshield?

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Ahh nice a locked down machine. Just wondering about a couple of things...

    What if the network driver will not load for some reason (ie broken nic)?
    Then there's no way for you to logon and fix it. As you are no longer able to logon using the local admin account. You may be able to logon using your cached domain admin account but we all know cached credentials are "A Bad Thing"(tm). If you ever logged on on that machine that is.

    What if they boot the machine in safe mode after they've reset the local admin account?
    Does this policy still hold? If it doesn't hold they may be able to reset your policy or prevent it from being loaded.

    Just rambling I guess..

    Still think preventing opening of the box is the easiest and still workable way. Since you are in a corporate environment, don't you have an A brand desktop PC? Most of these have special braces that will allow you to "chain" them to a desk. Apart from making it difficult to just steal the box these cables will also prevent the box from being opened. These PCs also have a trigger that will tell the (remote) admin the box has been opened. If you get an alert someone opened his/her box pay them a visit and bring your lart
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •