I have done just that for security reasons. (Rename the administrator account and create a dummy "Administrator" account with no real privileges.) Its been for situations where someone is trying to 'guess' what the administrator account is and let them spin their wheels harmlessly. And in one case where someone who I could not say 'No' to wanted to know the administrators account password. The guy was known as 'the tweaker' because he couldnt leave things alone and would never admit to changing things, despite being slapped with audit logs showing otherwise.
-----Original Message----- From: Tony Murray [mailto:tony@;mail.activedir.org] Sent: Wednesday, October 23, 2002 8:49 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Admin Account Trouble Ok, so this is an old thread - sorry to raise the dead. :-) I had an idea about this. Could it be that the Administrator account has been renamed and new account created using the name "Administrator". Why anyone would want to do this I don't know, but it can be done (just tested it). If this is the case in your environment, it should be possible to locate the origional Administrator account. The RID is always 500 (or 1F4 if you look at the string representation of objectSid using e.g. LDP.EXE). Just a thought... Tony -----Original Message----- From: Craig Cerino [mailto:Craig_Cerino@;Tiel.com] Sent: Montag, 23. September 2002 15:28 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Admin Account Trouble Dave, Anything is possible --- but I am the only one that has authority to make any registry changes (and haven't). Also, it doesn't matter where you are - console-TS session. If it's locked out --- I have to use one of the back door accounts I created to unlock it. Cooky. -----Original Message----- From: Thornley, Dave H [mailto:D.H.Thornley@;shu.ac.uk] Sent: Monday, September 23, 2002 9:13 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Admin Account Trouble Craig, I have a very vague recollection of a utility or a Registry setting or something that would allow the administrator account to be locked out via the network, but you could always log in at the console (or something like that...!) Is it possible that's what's causing your problems? dave -----Original Message----- From: Craig Cerino [mailto:Craig_Cerino@;Tiel.com] Sent: 23 September 2002 13:36 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Admin Account Trouble Rick -- that's what I thought but I am here to tell you the built in administrator account can ABSOLUTELY become locked out. I see it all the time. One of our smaller separate networks (built in) Administrator account gets locked out all the time. It's actually pretty weird and I've been working for a while now trying to figure out WHY this is happening. Craig -----Original Message----- From: Rick Kingslan [mailto:rkingsla@;cox.net] Sent: Friday, September 20, 2002 8:48 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Admin Account Trouble Craig, Can't happen - the Administrator account can't be locked out. Which, if you think about it is the reason that it's attacked over any other potential admin equivalent account. If the account 'Rick' is an admin equiv but has a lockout of 3 attempts, I may as well go after the Administrator who won't lockout even though I'm going after it with a full onslaught brute force dictionary attack with my mongo dictionary with all possible replacement text. By open of business Monday the administrator account has taken on millions of password attempts. Yeah, it's kind of a small problem. Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 "Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of Craig Cerino > Sent: Friday, September 20, 2002 12:16 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Admin Account Trouble > > > I REALLY don't mean to be insulting -- but is it locked out? > > -----Original Message----- > From: Michael Payne [mailto:mpayne@;amocofcu.org] > Sent: Friday, September 20, 2002 12:43 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] Admin Account Trouble > > Hello Everyone, > > My administrator account (Windows 2000 server) can not access > the group policies for the Domain\ Domain Controller. I can > not install software nor does the hardware wizard respond. > Any ideas or suggestions? I would appreciate any advice. > > Thanks in advance, > > > Mike > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
