local user

  • Thread starter: ali paracha

ali paracha

Hi
I have a domain environment in which my user can
change the local administrator password. I want to restrict
that action so that the user is not allowed to change the local
administrator password. How is it possible?

Thanks in advance
 
<snip>
Don't make the user a member of Administrators ;) Otherwise you can't.

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
 
But my user is not a member of Administrators, so now how do I
restrict my user from changing the local administrator password?
 
<snip>
He can't. Non-administrator users cannot perform administrative actions
on other user or group accounts. So if he is not a member of
Administrators or Domain Admins (Power Users can also elevate their
privileges!) you have no worries.

Of which groups is this user a member? What specific user rights is he
granted? What is the client OS? You can use the Whoami.exe tool from
Win2K Resource Kit to view group membership and user rights. Have you
confirmed that he can indeed change the password? Which tool does he
use?
(no more questions for now ;))

--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
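
The checks asked for in the reply above (group membership, and whether the password was really changed), as an added example that is not part of the original thread. It assumes a current Windows client with Windows PowerShell 5.1, an elevated prompt, and that "Audit User Account Management" is enabled so the Security log records password events.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+
# (Microsoft.PowerShell.LocalAccounts module) and an elevated prompt.

# 1. Who is in the privileged local groups? Look them up by well-known SID
#    so renamed or localized group names still match.
$groups = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-547' = 'Power Users' }
foreach ($sid in $groups.Keys) {
    Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $groups[$sid] } },
                      Name, ObjectClass, PrincipalSource
}

# 2. The built-in Administrator always has RID 500, whatever it is renamed to.
#    PasswordLastSet shows whether the password actually changed, and when.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$admin | Select-Object Name, Enabled, PasswordLastSet

# 3. Security log: 4723 = an account tried to change its own password,
#    4724 = an attempt was made to reset another account's password.
#    Keep only events whose target is the built-in Administrator.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            EventId   = $evt.Id
            Actor     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Target    = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            TargetSid = $data.TargetSid
        }
    } |
    Where-Object { $_.TargetSid -eq $admin.SID.Value } |
    Sort-Object Time
```

The Actor column names the account that made the change through the running operating system. A reset made from boot media does not go through the running system and so writes no 4723/4724 event.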
 
If the user can boot the computer from the floppy/CD-ROM, he may be resetting the local
administrator's password with one of the free password reset disks; that would be my guess
of what may be happening, as of course a regular user cannot change the
administrator's password. The solution may be to prevent the computer from booting
from anything but the hard drive, disabling USB also if possible, password protecting
the CMOS and having the computer case locked so that the user cannot change the jumper/
battery. Even that is not 100 percent [nothing is but death] but worth a try.
--- Steve
 
<snip>
Fully agreed and in accordance with:
"Law #3: If a bad guy has unrestricted physical access to your computer,
it's not your computer anymore"

;)

--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
 