Admin Account on XP

dragona

Need help please.....
For reasons I wont go into now, I have banned son from computer.My user account with admin privileges has a password,(not guessed or cracked yet)and so has the default admin account(not visible on welcome screen)
Obviously on the odd occasion when I have not logged off,or somehow anyway, he has managed to change the main admin account password(without knowing the original password, it can be done)and therefore still has access to the computer.
Is there anyway of removing the default admin account? Or do I have to hide mouse and keyboard every time I move away from the screen?

rogue-entity

Short answer no. You would be better off changing the main admin account password to a hard-to-crack one and then use that for your admin tasks. Then switch your normal account to Limited User. This is a safer way to work, and it is the default behavior of Unix systems, and they are known for there superior security. You should also edit your BIOS settings to prevent booting from CD or Floppys and password protect it, just in case your son gets wind of Peter Nordahls Offline Password Changer for NT (it works on XP without fail).

pdogs

Depending on how savvy your son is - you could install a boot manager such as XOSL(freeware) or BootIt-NG(trialware). They are obviously usually used to organise multi-booting but can also password protect booting to a single installation.

If he is changing the password with a Linux-based boot floppy or cd there is a way to make this harder by tweaking some of the security policy settings (dont ask me which though). I thought I could change the password on any NT-based system until I recently was asked to clean up a work computer running Win2KproSP4 purchased by an employee of the Revenue Commissioners from them and for which the password had been lost. I didn't have a lot of time on my hands so in the end I just clean reinstalled a system - but I'd love to know what the settings were.

SouperComputer

i guess it all depends on how he changed\cleared the admin account.

Always add a couple of characters such a #*&$"^% to your password, makes it that bit harder to guess

Capt'n Midnight

SouperComputer wrote:

Always add a couple of characters such a #*&$"^% to your password, makes it that bit harder to guess

IIRC there was something about unicode characters but foreign characters like áóú àòù are just converted back to aou. Also using non-us characters like £ may also increase the difficulty in cracking - but not the difficulty in bypass in the password with the reset disk. - note the € is the easiest unicode char but very predictable. And £ is also on Italian keyboards as well as UK/Irish so not that uncommon.

http://www.microsoft.com/smallbusiness/support/articles/select_sec_passwords.mspx
cf. the bit - ALT Code Not to Use for ALT Key Combinations

aidan_walsh

#Elite wrote:

Take of every account. make one, full admin.

Oh dear lord no. In a perfect world, unless you know what you're doing, you should never run a full admin account, and never all the time. Unfortunatly, its difficult to avoid doing so in Windows, since many apps grumble if you don't (especially apps that shouldn't).

#Elite wrote:

theres no need for accounts

Personalised Windows settings and personalised application settings, for two wide sweeping examples.

Cake Fiend

#Elites wrote:

Leave him do what he wants. theres no need for accounts, when you DONT want him on, put a password on.

Here's someone obviously used to the Windows 98 way of doing things :rolleyes:

Once you have all your apps set up correctly, there's rarely any need to run anything as an Administrator. For the stuff you do, just right-click and use the 'Run As' option.

dragona

Thanks to all, but haven't solved the problem yet!

ai ing

Start - Control Panel - Administrative Tools - Computer Management - Local Users and Groups - Users

Right Click on administrator, select properties, tick 'account is disabled' and apply. Should be ok now. I would not recommend deleting the account as it may be required in the future.

voxpop

bios password

matrim

on the odd occasion when I have not logged off

You could also turn on a screen saver and have it set to "on resume password protect" to pervent him getting access like this

quinta

As someone has already aluded to. If he can get physical access to the system, which he clearly can, he can change the password using the Linux bootdisks/cd-roms. You could remove the cd-rom/floppy drive, or prevent the cd-rom/floppy from booting from within the BIOS and assign a strong BIOS password. All of which can of course be bypassed, but they are just additional layers.

Are you sure therre are no additonal accounts with a SID of 500 which he may have created. I.e. more than one admin account? Whcih allows him to log in as admin whenever he wants. Check what other accounts have admin access.

I suspect he is using the bootdisks though.

Other solution: Using Linux or a LiveCD for web browsing.

Or apply strict security policies.

dragona

Thanks a million for all your replies - I am checking out all possibilities and will let you know!

Lush

pdogs wrote:

I thought I could change the password on any NT-based system until I recently was asked to clean up a work computer running Win2KproSP4 purchased by an employee of the Revenue Commissioners from them and for which the password had been lost. I didn't have a lot of time on my hands so in the end I just clean reinstalled a system - but I'd love to know what the settings were.

Just for future reference, on any NT, Win2K system just delete the 'sam' file found in:

C:\Winnt\system32\config\

If its NTFS boot using Ghost(or any application that allows you to boot into the NTFS system) and choose the restore from file, browse to the above sam file delete it in the browse box, reboot windows, admin account password is now blank.

Do NOT try this in XP as it will corrupt the install as it has built in security against deleting the sam file...
:cool:

Jumpy

Does the computer have to be left on?
If not, set a bios boot password.
He wont crack that.

Capt'n Midnight

Jumpy wrote:

Does the computer have to be left on?
If not, set a bios boot password.
He wont crack that.

You'd also have to put a padlock on the case to stop him resetting it with a jumper or by removing the battery for a few minutes.

riptide

dragona wrote:

Thanks a million for all your replies - I am checking out all possibilities and will let you know!

But a password in the bios. he'll have to have that before the pc does anything other than POST