Archived from groups: microsoft.public.win2000.security (
More info?)
Right on, on the use of the reg copies in Repair dir,
as the copy into active use is precisely part of a ERD
repair, or OS CD boot to repair, and does reset box
to point of last System State bkup.
I have to assume that the binaries are coded to protect
against the built-in from having its bits set to disabled,
but the bits are there and if set are obeyed by the other
binaries (IOW, the binary protect against setting rather
than against enforcement) - - - just speculation.
--
Roger
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:1HtBd.52891$k25.29610@attbi_s53...
> OK. I was not sure if malware had been detected or if it was assumed. That
> free password reset disk that is common on the internet will enumerate the
> user accounts on a computer and show if an account is locked out/disabled.
A
> renamed built in administrator account will show as the new name but the
ID
> 01F4 by a user name will indicate the built in administrator account which
> may help someone if they are unsure which account is the built in
> administrator account. I have found that going to the \winnt\repair folder
> and copying the sam and security file to \winnt\system32\config folder
> [after backing up/renaming the old] while not running in the operating
> system that you are copying the sam/security file to can return the sam to
> the state of an account not being locked out. Of course if the System
State
> has never been backed up that sam will only contain the built in
> administrator account [with original password] and the guest account but
it
> could possibly be a way to "unlock" the administrator account, though I
> certainly am not suggesting that is a better solution than rebuilding a
> compromised computer. --- Steve
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%23IgWJI47EHA.1408@TK2MSFTNGP10.phx.gbl...
> > They pretty much accepted the advice that
> > a compromised system is a compromised system
> > perhaps always will be --> format + build
> > Those systems did not come up clean to industry
> > anti-malware scans.
> > --
> > Roger
> > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> > news:3ogBd.594640$wV.566044@attbi_s54...
> >> Scary?? Did you have to reinstall assuming a non domain computer?? ---
> >> Steve
> >>
> >>
> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> news:erCUQb17EHA.2452@TK2MSFTNGP14.phx.gbl...
> >> > My understanding agrees with what you two have expressed.
> >> > I have however seen before a couple times systems (granted,
> >> > all XP) where the built-in had indeed become locked out (not
> >> > disabled) and best we could tell it had been by some malware.
> >> >
> >> > --
> >> > Roger Abell
> >> >
> >> > "Herb Martin" <news@LearnQuick.com> wrote in message
> >> > news:un$5Pyw7EHA.4072@TK2MSFTNGP10.phx.gbl...
> >> >> <somebody@compusmart.ab.ca> wrote in message
> >> >> news:7qs9t09bg0sm91pc83q6bbid0e1b185t0k@4ax.com...
> >> >> > My understanding is that the built-in administrator account cannot
> >> >> > be
> >> >> > locked out at the console, but can be made to follow lockout
> >> >> > policies
> >> >> > for logon attempts over the network. Is this account in fact
locked
> >> >> > out at the console?
> >> >>
> >> >> Perhaps he meant network.
> >> >>
> >> >> It makes no sense (even) to allow lockout from the
> >> >> console since this could be a denial of service attack
> >> >> against the admin with no supported way to reset it.
> >> >>
> >> >>
> >> >> --
> >> >> Herb Martin
> >> >>
> >> >>
> >> >> >
> >> >> > What's the status of the guest account? It used to be recommended
> >> >> > to
> >> >> > rename the administrator account for increase security (very
little
> >> >> > benefit).
> >> >> >
> >> >> > What's the access to the machine? Could the admin account have
been
> >> >> > renamed to something different and a decoy non-admin account given
> > the
> >> >> > name of administrator. In fact, can the guest account be renamed
to
> >> >> > administrator (and administrator to guest). Check the status of
> >> >> > the
> >> >> > guest account.
> >> >> >
> >> >> > The SIDs will tell which is which.
> >> >> >
> >> >> > Roger
> >> >> >
> >> >> > "Ed Gregory" <eg@hotmail.com> wrote:
> >> >> >
> >> >> > >I have a Win2000 Pro machine that is allowing the administrator
> >> >> > >account
> >> >> to
> >> >> > >be locked out. I thought that with Win2000, XP, 2003 the
> >> >> > >administrator
> >> >> > >account couldn't be locked out. This comes from MS tech
articles.
> >> >> > >The
> >> >> > >user, I guess typed the password incorrect too many times and now
> >> >> > >we
> >> > are
> >> >> > >unable to login with the administrator account. There are only
two
> >> >> accounts
> >> >> > >on the system. Administrator and Guest.
> >> >> > >
> >> >> > >How do I unlock or enable the administrator account? I don't
mean
> >> >> > >I
> >> >> > >do
> >> > I
> >> >> > >recover a password, but how do I disable the account locked out
> >> >> > >flag
> >> > that
> >> >> > >must be set in the user?
> >> >> > >
> >> >> > >Thanks.
> >> >> > >
> >> >> >
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>
Facebook
Twitter
Instagram