Need some help. ;)

Printable View

March 15th, 2008, 02:30 AM
Computernerd22

Need some help. ;)

Hello fellow members of AO. How can I block users without 'Administrative priviledges' on my Windows Vista system and XP with SP2 from changing users passwords or worse Administarors password from the command prompt? We all know opening command prompt and entering net user or net users will display all users on the windows operating system. A simple net user administrator * can easily change the Administrator password. How can I block/prevent this from happening to my system on both XP and Vista home basic version? Also, is their a way to catch someone in the eventlog or something similar to detect this?

All help is greatly appreciated.

examples:

Quote:

Microsoft Windows (Version 6.0.6000)
Copyright (c) 2006 Microsoft Corporation.
C:\Windows\system32>net user /add pyr0 password
net user /add pyr0 mypassword
The command completed successfully.

C:\Windows\system32>net localgroup administrators pyr0 /add
net localgroup administrators pyr0 /add
The command completed successfully.

and this one:

Quote:

Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.User accounts for \\H4X0R
-------------------------------------------------------------------------------
C:\Users\mma>net users

Administrator spanky ASPNET
Guest mma
The command completed successfully.

C:\Users\mma>net users administrator *
Type a password for the user:
Retype the password to confirm:
The command completed successfully.
March 15th, 2008, 03:57 AM
ShagDevil

Well, on my home system (XP SP2), I created a new user account for testing purposes. I even moved this new account to the Power Users group and was not able to successfully run the net users command to change the admin password. I was able to view users, and even bring up the password prompt. But after retyping the password, I received an error code 5, along with an access denied message.

I can test it out on a Vista Business machine on Monday when I go back to work. But, being Vista is supposed to have even tighter security, I think the results will be similar. What account were you using for those examples?
March 15th, 2008, 03:59 AM
xiphias360

Umm.... what?!?!?! lol... The simple answer is "you don't, windows does it for you." I don't mess with vista, but with xp, people can't change the admin pass unless they have admin rights. You'd have to go into the settings for that user and downgrade them from a computer administrator.
March 15th, 2008, 05:14 AM
HTRegz

CN22:

Is the account you are testing with an administrator account? Or did Administrator previously not have a password? That's the only way to explain what you just did.
March 15th, 2008, 06:22 AM
xiphias360

Even if the admin pass was blank he still couldn't have done that outside an admin account. Unfortunately that's what most xp users are, and don't even know it...
March 15th, 2008, 10:04 AM
SirDice

Quote:

Originally Posted by Computernerd22

A simple net user administrator * can easily change the Administrator password. How can I block/prevent this from happening to my system on both XP and Vista home basic version?

Just a quick recap of what's been said. Only members of the administrators group are able to do this on all NT based versions of windows.

Quote:

Also, is their a way to catch someone in the eventlog or something similar to detect this?

Turn on auditing.
March 15th, 2008, 07:09 PM
Computernerd22

Quote:

but with xp, people can't change the admin pass unless they have admin rights. You'd have to go into the settings for that user and downgrade them from a computer administrator.

I am currently on a *limited* user account on this Windows XP machine. I don't have administrator privileages, I have limited access. However, when I open the command prompt and enter net user administrator * I am able to change the adminstrator password from a limited user account. No, I don't have administrator privileages nor am I on doing this from a admin account.

Quote:

Even if the admin pass was blank he still couldn't have done that outside an admin account. Unfortunately that's what most xp users are, and don't even know it...

I would know the difference if I had a limited account or running this from an Admin account. Again, I can do this from my Windows XP machine and my Windows Vista. I'm not looking on how to gain admin access I can already do that. I just want to pervent this from happening in the first place.

To everyone who took the time out of their busy day to respond, thank you it's greatly appreciated.
March 15th, 2008, 07:54 PM
xiphias360

Well I'd like to believe you, but I tend to believe the people who built the software more. Check the microsoft.com website and even they'll tell you that limited user accounts can't make changes that would affect other users. This isn't just us throwing out uninformed answers here. Someone must have went under the hood and changed things on your machine if your actually able to do this. And if that's the case, we couldn't help unless we know what was changed.
March 16th, 2008, 05:44 AM
HTRegz

CN22: Did you perhaps set your command prompt to always run as administrator in the past and forgot about it?

I'm on Vista as well and here's my output:

Quote:

Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Tyler>net users

User accounts for \\HT-DESKTOP

-------------------------------------------------------------------------------
__vmware_user__ Administrator ASPNET
Guest Tyler
The command completed successfully.

C:\Users\Tyler>net users administrator *
Type a password for the user:
Retype the password to confirm:
System error 5 has occurred.

Access is denied.

However, as soon as I go to command prompt and I "run as Administrator" I get the following:

Quote:

Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>net users Administrator *
Type a password for the user:
Retype the password to confirm:
The command completed successfully.
March 16th, 2008, 01:08 PM
Nokia

Computernerd: On any default non domain Windows system a non-admin user can not change the local admin users password - this is not really an issue that is debatable as it is pretty much fact.

if you can do it however, then either there is a non-default [miss]configuration that allows you to do so, or you are simply mistaken about the rights you have on the system.

Is your work station on a domain or just a standalone home type jobby?
March 16th, 2008, 04:32 PM
Computernerd22

Quote:

Did you perhaps set your command prompt to always run as administrator in the past and forgot about it?

How do you set your command prompt to always run with admin privileages? Also,

Quote:

if you can do it however, then either there is a non-default [miss]configuration that allows you to do so,

If my system was misconfigured in this way, where should be the first place I should check? Btw, both machines are for home use. Not part of a domain, not a workstation, just two computers standalone hooked up to a WLAN in my home. Vista computer is about 3 months old if that, so everything is basically left as default (I know I need to change this) Thanks for the informative replys. CN22
March 17th, 2008, 06:16 PM
ShagDevil

Quote:

If my system was misconfigured in this way, where should be the first place I should check?

Try disabling the Secondary Logon service and running net users again. See if you can still change the password. Disabling the Secondary Logon service will disable any alternate credentials that may be allowing your limited account to perform admin tasks.