Built In Admin account vs Created one

Thread starter: wutsitallabout
Can anyone out there please tell me if there is any
difference between the Built in Administrator account
versus one that is created and made a member of the admin
group and only the admin group. It is a local account on
a local machine (not logging on to a domain).

To put it yet another way, are all of the rights,
privileges and behaviours the same for each?

Someone must know! If you claim that they do behave
differently, can you please direct me to the source of the
information. I need an official word on this. Not just
opinions.
Thanks
 
They have exactly the same power/rights. The built-in administrator account is a member
of the local Administrators group and that is where it gets its power. Adding another
user to that group gives them the same power. Here are the differences. The
administrator account has an assigned well-known SID [known to hackers]; the account
cannot be removed from the local Administrators group, and it cannot be deleted,
disabled [in W2K] or locked out from console logon. The built-in administrator group
is a target for attackers and for that reason it should be renamed, given a very
complex password, and audited for account logon events. By default the administrator
account cannot be locked out from network logon, but the passprop utility from the
Resource Kit is supposed to be able to allow that. Protecting the administrator
account is just one aspect of securing a computer. ---- Steve

http://www.microsoft.com/security/protect/
http://securityadmin.info/faq.asp#harden --- From the FAQ.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp
-- Technet security.
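An added example, not from the thread, of the check that follows from the post above: the built-in Administrator is recognised by its well-known relative ID (RID 500) no matter what it has been renamed to, so a defender can list the local Administrators group, flag that account, and pull its recent logon events for auditing. It assumes a current Windows with the Microsoft.PowerShell.LocalAccounts module and an elevated prompt; the event ID 4624 used here is the modern successful-logon event (W2K/XP-era systems log 528/540 instead).

```powershell
# Added example (not from the thread): identify the built-in Administrator by
# RID 500 regardless of its current name, list local Administrators members,
# and show recent logons by that account from the Security log.
# Assumes Windows 10 / Server 2016 or later (LocalAccounts module) and an
# elevated prompt.

# Every member of the local Administrators group (well-known SID S-1-5-32-544)
# with its SID; the built-in Administrator is <machine SID>-500.
$members = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $members) {
    [pscustomobject]@{
        Name         = $m.Name
        SID          = $m.SID.Value
        ObjectClass  = $m.ObjectClass
        BuiltInAdmin = ($m.SID.Value -match '-500$')
    }
}

# The built-in account itself, with its Enabled flag (it can be disabled on
# XP and later; the thread notes it cannot be on W2K).
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
$builtIn | Select-Object Name, Enabled, SID

# Audit: last successful logons by the built-in account (event 4624).
# In 4624, Properties[4] is TargetUserSid and Properties[8] is LogonType.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[4].Value.ToString() -eq $builtIn.SID.Value } |
    Select-Object TimeCreated,
                  @{ n = 'LogonType'; e = { $_.Properties[8].Value } } |
    Select-Object -First 10
```

The RID match is the point: renaming the account changes only its name, so a review of group membership or of logon events that keys on the name misses the built-in account, while keying on `-500` finds it every time. LogonType 2 is console (interactive) and 3 is network, which is the distinction the post draws between console and network lockout.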
 
I need to add that by default the administrator account is the EFS Recovery Agent on
a stand-alone machine if EFS encryption is used. I do not believe that can be
changed. It is possible to make another user/administrator the Recovery Agent instead
later. Do not implement EFS until you know all the tips, tricks, and traps ahead of time
though. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;255742

 
Thanks So Much Steve.
I had expected and hoped to hear that. However, we are
experiencing some strange occurrences with created Admin
accounts, such as random "access denied" or "insufficient
permissions to perform the task" (can't remember the exact
words) errors on admin tasks. A co-worker believes that
the 2 accounts are different. Actually 2 co-workers claim
that when logged on to each, the behaviour is different. I
myself have experienced it while logged on as the Built-in
Administrator.

Ok so now I really am worried that something evil is going
on. All machines have renamed Admin accounts, Current
AntiVirus software. Security policies/settings have all
been followed per Microsoft suggestions as far as we can
tell.

Do you have any ideas what could be causing this? Also, is
there any way that I can prove to my co-workers that the
accounts are supposed to function the same?

Thanks Again
 
Wow. There seems to be a lot of that going on [service pack upgrades/patches
causing complaints]. Keep in mind that a user who is in the Administrators group may
somewhere - NTFS, registry, security options, services, user rights assignments, etc. -
have different settings applied to them [for instance, administrator may be in a
setting for a user rights assignment, but not the Administrators group]. However, they
have the power to change those settings - if they know what they are. What you may
want to try is to reset a machine's security settings back to default, or start with at
least part of it. See the related KB link on how to do so, and you could use the
area option /areas with secedit to reset just, say, user rights - /areas user_rights.
I don't know what could be causing it, but when something unusual is going on always
run a virus scan. In addition, check Event Viewer for any unusual errors. You could also
use some of the utilities from Sysinternals such as Regmon and Filemon that may
pinpoint where you are being denied access to files or registry keys. It would also
be a good idea to scan for trojans and maybe adware/spyware. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
http://swatit.org/download.html -- Trojan scanner
http://spybot.eon.net.au/ -- Adware/spyware/malware scanner.
http://www.sysinternals.com/ntw2k/utilities.shtml -- Sysinternals freeware.
http://www.microsoft.com/windows2000/techinfo/planning/security/secdefs.asp -- Description
of the Administrators group.
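An added example, not from the thread, of the partial reset the post describes: back up the current User Rights Assignment with secedit, show which rights name the built-in Administrator directly rather than the Administrators group (the mismatch the post suggests can explain one admin behaving differently from another), and then reapply only the USER_RIGHTS area from a default template. It assumes an elevated prompt; the template path is an assumption to adjust for the OS, since KB 313222 names %windir%\repair\secsetup.inf on Windows XP while current Windows ships %windir%\inf\defltbase.inf.

```powershell
# Added example (not from the thread): back up, inspect and reset only the
# user rights area of the local security policy with secedit.
# Assumes an elevated prompt. $Template is an assumption: defltbase.inf on
# current Windows; KB 313222 names %windir%\repair\secsetup.inf for XP.
$Template = Join-Path $env:windir 'inf\defltbase.inf'
$Work     = Join-Path $env:TEMP ('secreset-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $Work | Out-Null

# 1. Export the current effective user rights so the change can be reversed.
$Backup = Join-Path $Work 'before.inf'
secedit /export /cfg $Backup /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

# 2. In the exported INF, [Privilege Rights] lines read
#    SeSomePrivilege = *S-1-5-32-544,*S-1-5-21-...-500
#    Flag rights that name the built-in Administrator (RID 500) directly,
#    because a created admin gets rights only via the group (S-1-5-32-544).
$rights = Get-Content $Backup | Where-Object { $_ -match '^Se\w+\s*=' }
$rights | Where-Object { $_ -match '-500(,|\s*$)' } |
    ForEach-Object { "Right assigned to the built-in Administrator itself: $_" }

# 3. Reapply just the USER_RIGHTS area from the default template.
$Db  = Join-Path $Work 'reset.sdb'
$Log = Join-Path $Work 'reset.log'
secedit /configure /db $Db /cfg $Template /areas USER_RIGHTS /log $Log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit configure failed, see $Log" }
Write-Host "User rights reset from $Template; backup at $Backup, log at $Log"

# Roll back if needed by applying the backup the same way:
#   secedit /configure /db <new.sdb> /cfg $Backup /areas USER_RIGHTS
```

Step 2 is the diagnostic worth running before step 3: if every line it prints is a right granted to the built-in account by SID rather than to the group, that is exactly the situation the post describes, and a created admin will be refused those operations while the built-in account is not.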
 

That's why I export the certificates, even for EFS and the
Administrator. Any userid in the Administrators group can then import
the certificate as long as you know the password used to encrypt the
private key in it when you do the import. I forgot once to export my
security certificates and got burned on a later restore after rebuilding
the machine. That's all it took to make me remember.
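An added example, not from the thread, that covers both Steve's point about the built-in Administrator being the default EFS recovery agent and the poster's habit of exporting EFS certificates: it finds the EFS and file-recovery certificates in the current user's store, exports each with its private key to a password-protected PFX, and shows how to generate a separate recovery-agent key pair with cipher /r so that the recovery key need not stay tied to the built-in account. It assumes Windows 8 / Server 2012 or later for Export-PfxCertificate, and the output folder and password are placeholders.

```powershell
# Added example (not from the thread): export EFS and EFS-recovery
# certificates with their private keys, and create a fresh recovery agent
# key pair. Assumes the PKI module (Export-PfxCertificate) and that the
# calling user holds the keys; paths and password are placeholders.
$OutDir = 'D:\efs-backup'          # placeholder: use removable/offline media
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Pfx = Read-Host -AsSecureString 'PFX password'   # needed again on import

# EFS EKU is 1.3.6.1.4.1.311.10.3.4; File Recovery EKU is 1.3.6.1.4.1.311.10.3.4.1.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -match '^1\.3\.6\.1\.4\.1\.311\.10\.3\.4')
}

foreach ($c in $efsCerts) {
    $kind = if ($c.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4.1') {
        'recovery' } else { 'efs' }
    $file = Join-Path $OutDir ("$kind-$($c.Thumbprint).pfx")
    Export-PfxCertificate -Cert $c -FilePath $file -Password $Pfx | Out-Null
    "{0,-8} {1}  expires {2:d}  -> {3}" -f $kind, $c.Thumbprint, $c.NotAfter, $file
}

# Optional: generate a new recovery agent key pair (recovery.cer + recovery.pfx).
# cipher prompts for a password for the .pfx. The .cer is then added as a
# Data Recovery Agent under Local Security Policy > Public Key Policies > EFS,
# after which existing files pick up the new agent when they are next touched
# (or with cipher /u).
cipher /r:(Join-Path $OutDir 'recovery')

# Import on a rebuilt machine (any member of Administrators, with the password):
#   Import-PfxCertificate -FilePath <file>.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $Pfx
```

The export is what saves the day in the rebuild scenario described above: without the private key of the user certificate or of the recovery agent, an EFS file is unreadable even by an administrator, because the group membership grants no access to the key material itself.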
 
It is possible for even the administrator account to have its
rights/permissions changed somewhere along the line, but again the
administrator has the power to change things back. Of course, if virus
infections, etc. are involved there could be major corruption/instability in
the operating system, which usually needs a reinstall to fix. If nothing
seems to help, the secedit command to restore default security settings is
always worth a try. Using System File Checker with sfc /scannow may also
help, just be sure to have the install CD in hand. There have been more than a
few times where I have thrown in the towel and done a reinstall after a lot
of head scratching. --- Steve
 