Duck said:
Thanks for that bit of knowledge... now... can I use my new
administrative level account to change the Type of the Admin account
to a limited account, and be sure that if someone knows the Admin
password that they can not change the type back to administrator
privileges?
You should use the built-in administrator account to change the account you
created to a limited account (or create yourself a third account - non-admin
level.)
The built-in administrator cannot be changed from the administrative level,
deleted or disabled. It can be renamed so the username is not
*administrator* - but that is more of a technique known as 'security by
obscurity' and is not real effective against more than a casual computer
person.
You should password protect (with different passwords would be best) each
administrator level account (if not all accounts) with strong passwords.
What I suggest for a strong password is the following:
Passwords should contain at least eight characters, and the
character string should contain at least three of these four
character types:
- uppercase letters
- lowercase letters
- numerals
- nonalphanumeric characters (e.g., *, %, &, !,
Passwords should not contain your name/username.
Passwords should be unique to you and easy to remember.
Anyone who obtains administrative level access to your machine - owns
everything *not* encrypted on that machine. They can - as administrative
level users - do anything they desire (change account levels, add/remove
accounts, take ownership of files, change other users' passwords, etc.)
And anyone with time/a little knowledge and free access to the computer can
gain administrative access.
So - in answer to your question:
"... and be sure that if someone knows the Admin password that they can not
change the type back to administrator privileges ..."
Not gonna happen. If you do not want them to be able to change the type of
account - they cannot have a few things:
1) They cannot know the administrator password (any administrative level
account on that machine.)
2) The BIOS should be protected by a password (and they cannot know that
one.)
3) The boot order should be set to hdd first.
4) The physical machine should be off-limits or somehow locked closed so
they cannot remove the BIOS battery or find other ways to bypass the BIOS
security and change the boot order allowing them to boot from a
CD/DVD/floppy/etc that gives them more power on your system.
5) The limited users should have no method of installing software/hardware.
6) Private time with the computer should be severely limited.
Most of those are fairly unrealistic.
So the best you can hope is to set the BIOS password, set the boot order,
padlock the case shut and put strong passwords on all accounts - especially
the administrative level accounts and ensure only a select few (one if
plausible) know said administrative level account passwords.
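
The password rule suggested in the post above (at least eight characters, three of the four character types, no name/username), written as a checker. This is an added example, not part of the original post; the function name, the case-insensitive comparison and the 3-character minimum for name parts are assumptions, and the sample passwords are constructed.

```python
"""Checker for the strong-password rule suggested in the post (added example)."""


def password_problems(password, username="", full_name=""):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []

    # Rule 1: at least eight characters.
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # Rule 2: at least three of the four character types.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "nonalphanumeric": any(not c.isalnum() for c in password),
    }
    present = [name for name, found in classes.items() if found]
    if len(present) < 3:
        problems.append("only %d of 4 character types (%s)"
                        % (len(present), ", ".join(present) or "none"))

    # Rule 3: must not contain the username or a part of the real name.
    # Assumption: compare case-insensitively and skip parts shorter than
    # 3 characters, so initials do not reject every password.
    lowered = password.lower()
    parts = {p.lower() for p in [username] + full_name.split() if len(p) >= 3}
    for part in sorted(parts):
        if part in lowered:
            problems.append("contains name/username part %r" % part)

    return problems


if __name__ == "__main__":
    # Constructed sample passwords for a constructed user.
    for candidate in ["duck2024", "Ab1!", "alllowercase", "Tr1cky!Horse"]:
        result = password_problems(candidate, "duck", "Donald Duck")
        print(candidate, "->", result or "OK")
```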