I need to write a script which removes the local Administrator account from
the Administrators group to prevent a password cracker from being used to
give local admin access to a PC.

Background
========

I'm writing some VB scripts which automatically install software on PCs and
adds the PCs to a domain during an automated installation of Windows 2000
that uses unattend.txt.

Unattend.txt sets the (local) Administrator password to a known value and
auto-logs-in so as to let me install the apps (using msiexec) and join the
domain (using "netdom join").

At the end of all this, I want to remove administrative access from the
local (not domain-wide) administrative account to prevent unscrupulous users
from being able to use a password cracker to gain local admin privilege to
the PC. I presume a good way to do this is to remove user Administrator from
the Administrators group; maybe I should also add Administrator to the Users
group at the same time.

How do I do this? Is there an object that allows group membership to be
changed - and if I log on as Administrator, can it be used to remove admin
privileges from the very user that I'm logged-in as?

"Martin Underwood" wrote ...

I don't think you can actually do this - you certainly can't from the GUI.

Using Control Panel -> Users and Passwords, try removing the account from
the Adminstrators group; you should find that it *appears* to work
correctly. However, if you close and re-open the applet, you'll find that
the group membership for the account has reverted to "Administrators;
Users".

hth hand

Adam

Update..........

I've found a way of adding/deleting users to/from groups - but it won't let
me remove user Administrator from group Administrators: "Cannot perform this
operation or built-in accounts" :-(

The code I'm using is:

dim oNetwork, oUsersGroup, oAdministratorsGroup, oAdminUser

set oNetwork = WScript.CreateObject("WScript.Network")

wscript.echo "Computer name = " & oNetwork.ComputerName

set oUsersGroup = GetObject("WinNT://" + oNetwork.ComputerName +
"/Users,group")
set oAdministratorsGroup = GetObject("WinNT://" + oNetwork.ComputerName +
"/Administrators,group")

set oAdminUser=GetObject("WinNT://" + oNetwork.ComputerName +
"/administrator,user")

oUsersGroup.Add(oAdminUser.ADsPath)
oAdministratorsGroup.Remove(oAdminUser.ADsPath)

Help!

You're right!

OK. Time to think laterally: suppose I rename the Administratoir account to
a random collection of permissible characters - without a well-known user
name, it's very difficult to start deluging it with likely passwords until
you find the right one (which is also a random collection of permissible
characters).

So... is there a way of renaming an account - something like

set oAdministratorsGroup = GetObject("WinNT://" + oNetwork.ComputerName +
"/Administrators,group")
oAdministratorsGroup.Rename(old_name, new_name)

"Martin Underwood" wrote ...

Won't stop anyone who even vaguely knows what they're doing, unfortunately -
the Administrator account:
a) Can't be deleted
b) Can't be disabled
c) Can't have its priviledges revoked (as per previous messages)
d) Has an *extremely* well known SID - it will always be of the form
S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-500 (As an aside, the 'Guest' account
is always 501)

Renaming it will, however, stop casual attackers. The safest way I can
reccomend (any other suggestions welcome) is:

a) Create a second account which is used for administrative work (ideally
you should have done this anyway)
b) Cause the built-in account to become locked out (i.e. force x
unsuccessful logins, where x is determined by your security policy)

At this point, it doesn't matter if anyone finds out the password for the
account, as it will be unable to log in. *NB I haven't actually tried this
on Win2K, so I'm not sure if it's possible for the Administrator account to
be locked out under the default policy - I know this was certainly
configurable under NT4*

You still have the problem of protecting your new account, but at least
you've closed off some of the more obvious attempts.

hth hand

Adam

"Martin Underwood" wrote ...

Can't be done, I'm afraid, Martin - see my reply to your earlier message re
the GUI tools... ;-(

hth hand

Adam

"Adam D. Barratt" wrote ...
<snip>
account is always 501)

As an additional note - not sure how useful it is, but certainly interesting
;-) - even renaming the Adminstrators group (yes, it is possible) won't
help, as this also has a well-known SID, namely S-1-5-32-544 (the other
built-in groups are 545-7).

Adam