Technology Questions

  #1 (permalink)  
Old 09-26-2007, 10:40 AM
refurbmike
Newsgroup Contributor
 
Posts: n/a
Disable default accounts or don't require user accounts...

We're trying to limit our liability and security holes by restricting the
computers to only one account. At default, Windows requires one account in
addition to the default Administrator account. We'd like to have one or the
other - since we're plugging these computers into a domain, multiple local
accounts on a computer are wasted loopholes.

Is there a way to disable one or the other? Preferably the user accounts.

 
  #2 (permalink)  
Old 09-26-2007, 11:10 AM
Ken Blake, MVP
Newsgroup Contributor
 
Posts: n/a
Re: Disable default accounts or don't require user accounts...

On Wed, 26 Sep 2007 10:34:04 -0700, refurbmike
<refurbmike@discussions.microsoft.com> wrote:

> We're trying to limit our liability and security holes by restricting the
> computers to only one account. At default, Windows requires one account in
> addition to the default Administrator account. We'd like to have one or the
> other - since we're plugging these computers into a domain, multiple local
> accounts on a computer are wasted loopholes.
>
> Is there a way to disable one or the other? Preferably the user accounts.



Two points:

1. You shouldn't ever want to disable the built-in administrator
account, even if you could. That's your only way into the system if
your user account gets corrupted.

2. You should always have at least one user account and use that on a
regular basis. Using the administrator account instead subjects you to
the risk of its getting corrupted, and having no other way into the
system.

--
Ken Blake, Microsoft MVP Windows - Shell/User
Please Reply to the Newsgroup

  #3 (permalink)  
Old 09-26-2007, 03:50 PM
refurbmike
Newsgroup Contributor
 
Posts: n/a
Re: Disable default accounts or don't require user accounts...

Hey Ken,

Thanks for the reply and good points.

However, we're using a domain for the user to login. The only time anybody
logs in locally (using an administrator account) is to attach the computer to
the domain. So, as you can see, having more than one administrator account is
really useless and an unnecessary security risk.

  #4 (permalink)  
Old 09-26-2007, 04:10 PM
Patrick Keenan
Newsgroup Contributor
 
Posts: n/a
Re: Disable default accounts or don't require user accounts...

"refurbmike" <refurbmike@discussions.microsoft.com> wrote in message
news:B2CEA5EE-5F24-414D-962B-86158540907B@microsoft.com...
> We're trying to limit our liability and security holes by restricting the
> computers to only one account. At default, Windows requires one account in
> addition to the default Administrator account.


Many non-Home versions do not actually require this, but it is very, very
bad practice to either disable the Administrator account or to use it as the
primary - or only - account. The Admin account should only be used for
required maintenance, in order to protect it - and you.

When your one account corrupts, you then have virtually no option but to
remove the drive and scrape the data off it, then put it back, wipe it
during a clean install and then restore the data. Ever timed that?

Instead, you could have just popped by their station, logged into the Admin
account, created a new user account, migrated the data, and had the user
back and working in under an hour.

> We'd like to have one or the
> other - since we're plugging these computers into a domain, multiple local
> accounts on a computer are wasted loopholes.


I'm not sure that's really correct. You'll perhaps note that Linux and
Unix machines also use multiple accounts, and while the built-in Root
accounts certainly exist, they aren't regarded as "wasted loopholes".

> Is there a way to disable one or the other? Preferably the user accounts.


As noted here and elsewhere, this is a very bad idea. You're asking for
real problems and time-consuming solutions later.

Here's the thing: when these problems arise, and they will, it's *you* that
will look bad because the user is forced to do nothing for a day instead of
an hour. If that user is high-ranking, they will be concerned about
this.

Instead, establish a quality password routine for the Admin accounts. Use
strong passwords, don't give them out, and change them regularly. Visit
the account occasionally and check for last login time.

HTH
-pk
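
The routine described in the post above (check who holds local administrator rights, when each account last logged in, and how old its password is) can be scripted instead of done by visiting each machine. This is an added example, not part of the original thread; the function name `Get-LocalAdminAudit` and the 180-day threshold are assumptions, and it assumes the caller has administrative rights on each target and that the group uses its English name.

```powershell
# Added example, not from the thread. Hostnames passed in are the caller's own;
# 'Administrators' is the English group name (localized builds differ).
function Get-LocalAdminAudit {
    param([string[]]$Computers = @($env:COMPUTERNAME))

    foreach ($computer in $Computers) {
        try {
            # WinNT ADSI provider: available on XP-era hosts, no extra modules
            $group   = [ADSI]"WinNT://$computer/Administrators,group"
            $members = @($group.psbase.Invoke('Members'))
        } catch {
            Write-Warning "$computer : cannot read Administrators group ($($_.Exception.Message))"
            continue
        }

        foreach ($m in $members) {
            $t     = $m.GetType()
            $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class = $t.InvokeMember('Class',   'GetProperty', $null, $m, $null)
            # Local principals carry the machine name in their path;
            # domain users and groups (e.g. Domain Admins) do not.
            $isLocal = $path -like "*/$computer/*"

            $lastLogin = $null; $pwdAgeDays = $null; $disabled = $null
            if ($isLocal -and $class -eq 'User') {
                $user = [ADSI]$path
                $lastLogin  = $user.LastLogin.Value           # $null if never used
                $pwdAgeDays = [int]($user.PasswordAge.Value / 86400)
                $disabled   = [bool]($user.UserFlags.Value -band 0x2)  # ACCOUNTDISABLE
            }

            New-Object PSObject -Property @{
                Computer = $computer; Member = $path; Class = $class
                Local = $isLocal; LastLogin = $lastLogin
                PasswordAgeDays = $pwdAgeDays; Disabled = $disabled
            }
        }
    }
}

# Usage: flag local admin accounts whose password is older than about six months
Get-LocalAdminAudit | Where-Object { $_.Local -and $_.PasswordAgeDays -gt 180 }
```

Pass real machine names rather than `localhost` so the local/domain test on the ADsPath matches.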



  #5 (permalink)  
Old 09-26-2007, 04:30 PM
Patrick Keenan
Newsgroup Contributor
 
Posts: n/a
Re: Disable default accounts or don't require user accounts...

"refurbmike" <refurbmike@discussions.microsoft.com> wrote in message
news:C470BDD6-BB7D-45E0-A822-72935CB79C96@microsoft.com...
> Hey Ken,
>
> Thanks for the reply and good points.
>
> However, we're using a domain for the user to login. The only time anybody
> logs in locally (using an administrator account) is to attach the computer
> to
> the domain.


Or to fix the machine when things go wrong, as they *will*.

There can be other valid non-system-critical reasons to get into this
account, for example needing to add or configure hardware like a
serial-to-USB adapter on a laptop. Consider the case of a lawyer's laptop
in a context where he needs to attach to the serial feed from a court
reporter's system - most laptops don't have serial ports. And it's a
discovery proceeding being delayed, so its cost is the time of several
lawyers.

His account is not Admin and he can't even find out what commport the
adapter is assigned without entering the Admin account, let alone install
the device. His IT group has to be phoned to get the Admin password -
the lawyer does not have this information.

> So, as you can see, having more than one administrator account is
> really useless and an unnecessary security risk.


One might point out that your original post specified only multiple local
accounts, not multiple local *administrator* accounts.

Often the user account on a domain system is not an admin level account, but
the Admin account is indeed there and active, with the user not being given
the password.

HTH
-pk




  #6 (permalink)  
Old 09-26-2007, 04:40 PM
Malke
Newsgroup Contributor
 
Posts: n/a
Re: Disable default accounts or don't require user accounts...

refurbmike wrote:
> Hey Ken,
>
> Thanks for the reply and good points.
>
> However, we're using a domain for the user to login. The only time anybody
> logs in locally (using an administrator account) is to attach the computer to
> the domain. So, as you can see, having more than one administrator account is
> really useless and an unnecessary security risk.


It's still foolish to have only one local account. On our clients'
workstations we always make a "tech" account along with the built-in
Administrator account. If you give the extra account ("tech" in our
case) a good, strong password, the computer isn't any more or less
secure than if you only have the built-in Administrator account. You
should be looking to other areas to keep your network - server and
workstations - secure.

This is a great place to start your research:

http://www.microsoft.com/technet/sec...wt.svl=leftnav


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

  #7 (permalink)  
Old 09-26-2007, 04:40 PM
refurbmike
Newsgroup Contributor
 
Posts: n/a
Re: Disable default accounts or don't require user accounts...

Patrick,

Thanks for the input.

> When your one account corrupts, you then have virtually no option but to
> remove the drive and scrape the data off it, then put it back, wipe it
> during a clean install and then restore the data. Ever timed that?


The few times we're working w/ the local Administrator accounts is only to
put the machine into a domain and get going. If that fails, then likely
something bigger is amidst and we can simply re-image the computer; probably
takes a whole lot less time than trying to troubleshoot a corrupted computer.

> Instead, establish a quality password routine for the Admin accounts. Use
> strong passwords, don't give them out, and change them regularly. Visit
> the account occasionally and check for last login time.


We have 300 machines in our office. With our current scripting software, we
can change the password of the "Administrator" account, but no other local
account. So if we want to have a 2nd account, we'd have to visit each
computer twice a year to change the password. Not the best practice for us.

  #8 (permalink)  
Old 09-26-2007, 04:40 PM
refurbmike
Newsgroup Contributor
 
Posts: n/a
Re: Disable default accounts or don't require user accounts...

> There can be other valid non-system-critical reasons to get into this
> account, for example needing to add or configure hardware like a
> serial-to-USB adapter on a laptop. Consider the case of a lawyer's laptop
> in a context where he needs to attach to the serial feed from a court
> reporter's system - most laptops don't have serial ports. And it's a
> discovery proceeding being delayed, so its cost is the time of several
> lawyers.


In the rare case that a situation like this arises, we have domain admin
accounts that are cached on the box (from having to set-up
equipment/software/etc.). If we really need to go this route, we can have the
user log in w/ this account - we can always change the domain passwords later.

However, this is a scenario we don't really run into.

  #9 (permalink)  
Old 09-26-2007, 04:50 PM
refurbmike
Newsgroup Contributor
 
Posts: n/a
Re: Disable default accounts or don't require user accounts...

> It's still foolish to have only one local account. On our clients'
> workstations we always make a "tech" account along with the built-in
> Administrator account. If you give the extra account ("tech" in our
> case) a good, strong password, the computer isn't any more or less
> secure than if you only have the built-in Administrator account. You
> should be looking to other areas to keep your network - server and
> workstations - secure.


I am trying to appreciate the feedback, but it's starting to get rather
bitter. I don't appreciate having my ideas called foolish....

As far as security risks, we're trying to protect against possible exploits
w/ future employees that leave. We could have the most complex password in
the world; if we cannot change it w/in reason (not having to visit 300
computers over a span of a few hundred miles), then we'd rather not use it.

  #10 (permalink)  
Old 09-26-2007, 06:40 PM
Patrick Keenan
Newsgroup Contributor
 
Posts: n/a
Re: Disable default accounts or don't require user accounts...

"refurbmike" <refurbmike@discussions.microsoft.com> wrote in message
news:A845BDAD-10FC-4975-9F1D-3E017171D962@microsoft.com...
> Patrick,
>
> Thanks for the input.
>
>> When your one account corrupts, you then have virtually no option but to
>> remove the drive and scrape the data off it, then put it back, wipe it
>> during a clean install and then restore the data. Ever timed that?

>
> The few times we're working w/ the local Administrator accounts is only to
> put the machine into a domain and get going. If that fails, then likely
> something bigger is amidst and we can simply re-image the computer;
> probably
> takes a whole lot less time than trying to troubleshoot a corrupted
> computer.


If you have planned for that contingency, then the need for a 2nd *local*
account is significantly reduced, and you are covered.

However, it doesn't change the need for one local (Administrator) and one
domain (User) account, at minimum.

Your posts are a little unclear regarding this specific detail.

>> Instead, establish a quality password routine for the Admin accounts.
>> Use
>> strong passwords, don't give them out, and change them regularly. Visit
>> the account occasionally and check for last login time.

>
> We have 300 machines in our office. With our current scripting software,
> we
> can change the password of the "Administrator" account, but no other local
> account. So if we want to have a 2nd account,


This is a somewhat unclear statement and this lack of clarity is probably
leading to some of the friction you're experiencing elsewhere.

Do you mean a second account, period, or a second *administrator* account?

This is a very important detail!

No, there isn't a great need to have more than one local *administrator*
account, particularly if you are ready to re-image on moderate failure.

Yes, there *is* a need to have more than one account on the system, one
system administrator account and one user.

A common arrangement is that Administrator is local, while User is domain
but does not have admin rights.


HTH
-pk


> we'd have to visit each
> computer twice a year to change the password. Not the best practice for
> us.




  #11 (permalink)  
Old 09-27-2007, 10:40 AM
refurbmike
Newsgroup Contributor
 
Posts: n/a
Re: Disable default accounts or don't require user accounts...

Patrick,

Fair enough response. Lemme see if I can clarify.

I'd like the computer to only have/need one administrator account locally,
not including any domain accounts that may be piled on after. As of current,
the computer has two: the default Administrator account and the required
account (named "User", for now) that Windows XP required me to make when I
installed the OS. As of current, both of these must be administrators by
default - I cannot downgrade either of these accounts, so I am stuck with an
unnecessary administrator account on the computer.
All times are GMT -8. The time now is 11:15 PM.

