Removing local Administrator account from Administrators group 

I need to write a script which removes the local Administrator account from
the Administrators group to prevent a password cracker from being used to
give local admin access to a PC.

Background
========

I'm writing some VB scripts which automatically install software on PCs and
adds the PCs to a domain during an automated installation of Windows 2000
that uses unattend.txt.

Unattend.txt sets the (local) Administrator password to a known value and
auto-logs-in so as to let me install the apps (using msiexec) and join the
domain (using "netdom join").

At the end of all this, I want to remove administrative access from the
local (not domain-wide) administrative account to prevent unscrupulous users
from being able to use a password cracker to gain local admin privilege to
the PC. I presume a good way to do this is to remove user Administrator from
the Administrators group; maybe I should also add Administrator to the Users
group at the same time.

How do I do this? Is there an object that allows group membership to be
changed - and if I log on as Administrator, can it be used to remove admin
privileges from the very user that I'm logged-in as?



Fri, 13 Dec 2002 03:00:00 GMT  
"Martin Underwood" wrote ...

Quote:
> I need to write a script which removes the local Administrator account from
> the Administrators group to prevent a password cracker from being used to
> give local admin access to a PC.

I don't think you can actually do this - you certainly can't from the GUI.

Using Control Panel -> Users and Passwords, try removing the account from
the Administrators group; you should find that it *appears* to work
correctly. However, if you close and re-open the applet, you'll find that
the group membership for the account has reverted to "Administrators;
Users".

hth hand

Adam



Fri, 13 Dec 2002 03:00:00 GMT  
Update..........

I've found a way of adding/deleting users to/from groups - but it won't let
me remove user Administrator from group Administrators: "Cannot perform this
operation or built-in accounts" :-(

The code I'm using is:

dim oNetwork, oUsersGroup, oAdministratorsGroup, oAdminUser

set oNetwork = WScript.CreateObject("WScript.Network")

wscript.echo "Computer name = " & oNetwork.ComputerName

' Bind to the local groups and the built-in account through the ADSI WinNT provider
set oUsersGroup = GetObject("WinNT://" + oNetwork.ComputerName + "/Users,group")
set oAdministratorsGroup = GetObject("WinNT://" + oNetwork.ComputerName + "/Administrators,group")

set oAdminUser=GetObject("WinNT://" + oNetwork.ComputerName + "/administrator,user")

' Add the account to Users, then try to remove it from Administrators
' (the Remove call is the one that fails with the error quoted above)
oUsersGroup.Add(oAdminUser.ADsPath)
oAdministratorsGroup.Remove(oAdminUser.ADsPath)

Help!





Fri, 13 Dec 2002 03:00:00 GMT  


Quote:
> "Martin Underwood" wrote ...
> > I need to write a script which removes the local Administrator account from
> > the Administrators group to prevent a password cracker from being used to
> > give local admin access to a PC.

> I don't think you can actually do this - you certainly can't from the GUI.

> Using Control Panel -> Users and Passwords, try removing the account from
> the Administrators group; you should find that it *appears* to work
> correctly. However, if you close and re-open the applet, you'll find that
> the group membership for the account has reverted to "Administrators;
> Users".

You're right!

OK. Time to think laterally: suppose I rename the Administrator account to
a random collection of permissible characters - without a well-known user
name, it's very difficult to start deluging it with likely passwords until
you find the right one (which is also a random collection of permissible
characters).

So... is there a way of renaming an account - something like

set oAdministratorsGroup = GetObject("WinNT://" + oNetwork.ComputerName + "/Administrators,group")
oAdministratorsGroup.Rename(old_name, new_name)



Fri, 13 Dec 2002 03:00:00 GMT  
"Martin Underwood" wrote ...

Quote:
> OK. Time to think laterally: suppose I rename the Administrator account to
> a random collection of permissible characters - without a well-known user
> name, it's very difficult to start deluging it with likely passwords until
> you find the right one (which is also a random collection of permissible
> characters).

Won't stop anyone who even vaguely knows what they're doing, unfortunately -
the Administrator account:
a) Can't be deleted
b) Can't be disabled
c) Can't have its privileges revoked (as per previous messages)
d) Has an *extremely* well known SID - it will always be of the form
S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-500 (As an aside, the 'Guest' account
is always 501)

Renaming it will, however, stop casual attackers. The safest way I can
recommend (any other suggestions welcome) is:

a) Create a second account which is used for administrative work (ideally
you should have done this anyway)
b) Cause the built-in account to become locked out (i.e. force x
unsuccessful logins, where x is determined by your security policy)

At this point, it doesn't matter if anyone finds out the password for the
account, as it will be unable to log in. *NB I haven't actually tried this
on Win2K, so I'm not sure if it's possible for the Administrator account to
be locked out under the default policy - I know this was certainly
configurable under NT4*

You still have the problem of protecting your new account, but at least
you've closed off some of the more obvious attempts.

hth hand

Adam



Fri, 13 Dec 2002 03:00:00 GMT  
"Martin Underwood" wrote ...

Quote:
> Update..........
> I've found a way of adding/deleting users to/from groups - but it won't let
> me remove user Administrator from group Administrators: "Cannot perform this
> operation or built-in accounts" :-(

Can't be done, I'm afraid, Martin - see my reply to your earlier message re
the GUI tools... ;-(

hth hand

Adam



Fri, 13 Dec 2002 03:00:00 GMT  
"Adam D. Barratt" wrote ...
<snip>
Quote:
> d) Has an *extremely* well known SID - it will always be of the form
> S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-500 (As an aside, the 'Guest'
> account is always 501)

As an additional note - not sure how useful it is, but certainly interesting
;-) - even renaming the Administrators group (yes, it is possible) won't
help, as this also has a well-known SID, namely S-1-5-32-544 (the other
built-in groups are 545-7).

Adam



Fri, 13 Dec 2002 03:00:00 GMT  
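
Added example, not posted by anyone in the thread: an audit script for the rename question and the well-known-SID replies above. It finds the built-in account by its RID 500 and the built-in group by S-1-5-32-544 whatever they are currently called, optionally renames the account through the WinNT provider's MoveHere, and shows that the SID is unchanged afterwards. It assumes WMI and ADSI are available, that it is run as a local administrator with cscript, and that the new name is passed as the single optional argument.

```vbscript
' Added example (not from the thread). Usage: cscript script.vbs [NewAccountName]
Option Explicit

Dim oNetwork, sComputer, oWMI, oAcct, oAdmin, oGroup
Dim oComputer, oUser, sSid, sNewName

Set oNetwork = WScript.CreateObject("WScript.Network")
sComputer = oNetwork.ComputerName
Set oWMI = GetObject("winmgmts:\\.\root\cimv2")

' Locate the built-in account by its RID (500), not by its name.
Set oAdmin = Nothing
For Each oAcct In oWMI.ExecQuery( _
        "SELECT * FROM Win32_UserAccount WHERE Domain = '" & sComputer & "'")
    If Right(oAcct.SID, 4) = "-500" Then Set oAdmin = oAcct
Next
If oAdmin Is Nothing Then
    WScript.Echo "No local RID-500 account found"
    WScript.Quit 1
End If
sSid = oAdmin.SID
WScript.Echo "Built-in account: " & oAdmin.Name & "  SID: " & sSid & _
             "  Lockout: " & oAdmin.Lockout

' The built-in Administrators group is found the same way, by S-1-5-32-544.
For Each oGroup In oWMI.ExecQuery( _
        "SELECT * FROM Win32_Group WHERE Domain = '" & sComputer & _
        "' AND SID = 'S-1-5-32-544'")
    WScript.Echo "Built-in group:   " & oGroup.Name & "  SID: " & oGroup.SID
Next

' Optional rename: the WinNT provider renames a local account with MoveHere
' on the computer object (there is no Rename method on the account or group).
If WScript.Arguments.Count = 1 Then
    sNewName = WScript.Arguments(0)
    Set oComputer = GetObject("WinNT://" & sComputer & ",computer")
    Set oUser = GetObject("WinNT://" & sComputer & "/" & oAdmin.Name & ",user")
    Set oUser = oComputer.MoveHere(oUser.ADsPath, sNewName)

    ' Look the account up again by the SID recorded before the rename.
    For Each oAcct In oWMI.ExecQuery( _
            "SELECT * FROM Win32_UserAccount WHERE Domain = '" & sComputer & _
            "' AND SID = '" & sSid & "'")
        WScript.Echo "After rename:     " & oAcct.Name & "  SID: " & oAcct.SID
    Next
End If
```

Run without an argument it only reports, which makes it usable as a check that a renamed account on a build image is still the RID-500 account.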
 