PC Review


Reply
Thread Tools Rate Thread

Why not use regular Administrator Account?

 
 
Don J
Guest
Posts: n/a
 
      23rd Oct 2007
I've yet to see a good explanation of how to avoid using the predefined
Administrator Account as the Regular Aministrator Acount during normal
operation. What is the difference between the regular Administrator Account
and one that you have defined for the purpose. In particular can roles be
reversed? Can a new Account be defined and used as the hidden Account, and
the original Account be used as the operating account. If the answer to
this question is no, whst is the reason?

Don J

----------------------------------------------------------------------------------------------------------



 
Reply With Quote
 
 
 
 
JS
Guest
Posts: n/a
 
      23rd Oct 2007
Think of the built in Admin account as your back door (safety net), and your
personal account (Admin privileges) as your every day account. Should your
personal account get hosed that back door may be the only way into Windows.

JS

"Don J" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I've yet to see a good explanation of how to avoid using the predefined
> Administrator Account as the Regular Aministrator Acount during normal
> operation. What is the difference between the regular Administrator
> Account
> and one that you have defined for the purpose. In particular can roles be
> reversed? Can a new Account be defined and used as the hidden Account,
> and
> the original Account be used as the operating account. If the answer to
> this question is no, whst is the reason?
>
> Don
> J
>
> ----------------------------------------------------------------------------------------------------------
>
>
>



 
Reply With Quote
 
 
 
 
Don J
Guest
Posts: n/a
 
      23rd Oct 2007
Why can't the roles be reversed?

Don J

------------------------------------------------------------------------
"JS" <@> wrote in message news:(E-Mail Removed)...
> Think of the built in Admin account as your back door (safety net), and
> your personal account (Admin privileges) as your every day account. Should
> your personal account get hosed that back door may be the only way into
> Windows.
>
> JS
>
> "Don J" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I've yet to see a good explanation of how to avoid using the predefined
>> Administrator Account as the Regular Aministrator Acount during normal
>> operation. What is the difference between the regular Administrator
>> Account
>> and one that you have defined for the purpose. In particular can roles
>> be
>> reversed? Can a new Account be defined and used as the hidden Account,
>> and
>> the original Account be used as the operating account. If the answer to
>> this question is no, whst is the reason?
>>
>> Don
>> J
>>
>> ----------------------------------------------------------------------------------------------------------
>>
>>
>>

>
>



 
Reply With Quote
 
Shenan Stanley
Guest
Posts: n/a
 
      23rd Oct 2007
Don J wrote:
> Why can't the roles be reversed?


JS wrote:
> Think of the built in Admin account as your back door (safety
> net), and your personal account (Admin privileges) as your every
> day account. Should your personal account get hosed that back door
> may be the only way into Windows.


Don J wrote:
> I've yet to see a good explanation of how to avoid using the
> predefined Administrator Account as the Regular Aministrator
> Acount during normal operation. What is the difference between
> the regular Administrator Account and one that you have
> defined for the purpose. In particular can
> roles be reversed? Can a new Account be defined and used as
> the hidden Account, and the original Account be used as the
> operating account. If the answer to this question is no, whst
> is the reason?


First - what is the purpose?
Some sort of 'security by obscurity'? Unwise IMHO...

No matter the reasoning - where did you get that it 'could not be done'?
You can disable the built in administrator and create as many other
administrators on a Windows XP system as you desire.

How to disable the Local Administrator account in Windows
http://support.microsoft.com/kb/281140

The warning there says a bunch...
------
Note Before you disable the local Administrator account, make sure that
there is at least one other local or network user who can gain access to the
computer with administrator permissions. Otherwise, you will not be able to
reverse this action in the future.
------

Your original question should have had nothing to do with how to avoid using
the built-in account - it should be, essentially (and paraphrasing) - why is
it unwise to run as an administrator all the time and/or have only a single
user with administrative rights that you use for daily activity? The answer
is simple - you are apt to make a foolish/unwise decision and with that much
power on the machine - you can pretty much turn a small 'shouldn't have
clicked on that' to a complete format and install anew in a matter of
minutes. Not fun, not worth it.

Sure - you could say 'I keep good backups' or 'I have an image of my
machine' or whatever method you plan on reversing it - but while you are
doing that, someone with more than one administrative account with good
password and security built in will be fixed and running while you are
restoring and hoping you haven't lost too much.

As for the account being 'hidden' - only if you are utilizing Windows XP
Home Edition. Even then it is not really hidden - just more difficult for
the normal Windows user to get to and utilize than in the professional
version of the same OS (and all supersets of that.)

Now - what would REALLY be unwise is to have ONLY one account and use that
lone account with administrative powers (would pretty much have to have
these rights - given it is the ONLY user account) on a daily basis. After
all - if something gets corrupted - what account are you logging in as in
order to repair things? Sure - you can do the recovery console, you could
do a repair install, you could boot from a Windows XP BartPE CD and erase
the account's profile directory (or rename it) so a new profile is made at
the next logon - but that still puts all your eggs in one basket.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


 
Reply With Quote
 
smlunatick
Guest
Posts: n/a
 
      23rd Oct 2007
On Oct 22, 8:35 pm, "Don J" <(E-Mail Removed)> wrote:
> Why can't the roles be reversed?
>
> Don J
>
> ------------------------------------------------------------------------
>
>
>
> "JS" <@> wrote in messagenews:(E-Mail Removed)...
> > Think of the built in Admin account as your back door (safety net), and
> > your personal account (Admin privileges) as your every day account. Should
> > your personal account get hosed that back door may be the only way into
> > Windows.

>
> > JS

>
> > "Don J" <(E-Mail Removed)> wrote in message
> >news:(E-Mail Removed)...
> >> I've yet to see a good explanation of how to avoid using the predefined
> >> Administrator Account as the Regular Aministrator Acount during normal
> >> operation. What is the difference between the regular Administrator
> >> Account
> >> and one that you have defined for the purpose. In particular can roles
> >> be
> >> reversed? Can a new Account be defined and used as the hidden Account,
> >> and
> >> the original Account be used as the operating account. If the answer to
> >> this question is no, whst is the reason?

>
> >> Don
> >> J

>
> >> ---------------------------------------------------------------------------*-------------------------------- Hide quoted text -

>
> - Show quoted text -


The "Administrator" account is the default account that XP creates (as
with Windows NT and 2000.) Depending on how your create your general
day to day userr account, you might not:

1) Be able to access the "administrator" account data files

2) Be able to create new user accounts

3) Reset passwords


XP Home does not let you use the "Administrator" account directly.
And during creating new user account, the "administrator" account
creating the new user account can define this new account as a
different type of accouint than "administrator" type.

 
Reply With Quote
 
Don J
Guest
Posts: n/a
 
      23rd Oct 2007
I don't understand your last paragraph. In particular I've been using the
Administrator Account as my normal day to day account, in XP Home, for about
a year. What do you mean by "XP Home does not allow you to use the
'Administrator' account directly"?

And what do you mean by "creating the new user account can define this new
account as a different type of account than administrator type."? How does
it get changed?

Don J

-----------------------------------------------------------------------------------------
"smlunatick" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
On Oct 22, 8:35 pm, "Don J" <(E-Mail Removed)> wrote:
> Why can't the roles be reversed?
>
> Don J
>
> ------------------------------------------------------------------------
>
>
>
> "JS" <@> wrote in messagenews:(E-Mail Removed)...
> > Think of the built in Admin account as your back door (safety net), and
> > your personal account (Admin privileges) as your every day account.
> > Should
> > your personal account get hosed that back door may be the only way into
> > Windows.

>
> > JS

>
> > "Don J" <(E-Mail Removed)> wrote in message
> >news:(E-Mail Removed)...
> >> I've yet to see a good explanation of how to avoid using the predefined
> >> Administrator Account as the Regular Aministrator Acount during normal
> >> operation. What is the difference between the regular Administrator
> >> Account
> >> and one that you have defined for the purpose. In particular can roles
> >> be
> >> reversed? Can a new Account be defined and used as the hidden Account,
> >> and
> >> the original Account be used as the operating account. If the answer
> >> to
> >> this question is no, whst is the reason?

>
> >>
> >> Don
> >> J

>
> >> ---------------------------------------------------------------------------*--------------------------------
> >> Hide quoted text -

>
> - Show quoted text -


The "Administrator" account is the default account that XP creates (as
with Windows NT and 2000.) Depending on how your create your general
day to day userr account, you might not:

1) Be able to access the "administrator" account data files

2) Be able to create new user accounts

3) Reset passwords


XP Home does not let you use the "Administrator" account directly.
And during creating new user account, the "administrator" account
creating the new user account can define this new account as a
different type of accouint than "administrator" type.


 
Reply With Quote
 
Jim
Guest
Posts: n/a
 
      23rd Oct 2007

"Don J" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I've yet to see a good explanation of how to avoid using the predefined
> Administrator Account as the Regular Aministrator Acount during normal
> operation. What is the difference between the regular Administrator
> Account
> and one that you have defined for the purpose. In particular can roles be
> reversed? Can a new Account be defined and used as the hidden Account,
> and
> the original Account be used as the operating account. If the answer to
> this question is no, whst is the reason?
>
> Don
> J
>
> ----------------------------------------------------------------------------------------------------------
>
>
>

All members of the administrators group are equal. Thus it is easy to
create an account that is the full equal of the built in administrator. The
best practice is to rename the administrator account to something else; this
is a form of security by obscurity. You then create an account for your own
use which is a member of the administrators group. You use this account for
all tasks which need the power of the administrator.

Doing this serves two goals.

In the first place, it is harder for malware to login as the administrator
if that account has been renamed and is disabled. It is also harder to
login with your private account because the malware needs to search for
members of the administrators group.

In the second place, using a separate private account for day to day
activities which require the power of an administrator keeps one such
account free for repair purposes when, like most humans, you make some
mistake. A mistake by a member of the administratos group can cause serious
problems.

Jim


 
Reply With Quote
 
John John
Guest
Posts: n/a
 
      23rd Oct 2007
Shenan Stanley wrote:

> No matter the reasoning - where did you get that it 'could not be done'?
> You can disable the built in administrator and create as many other
> administrators on a Windows XP system as you desire.
>
> How to disable the Local Administrator account in Windows
> http://support.microsoft.com/kb/281140
>
> The warning there says a bunch...
> ------
> Note Before you disable the local Administrator account, make sure that
> there is at least one other local or network user who can gain access to the
> computer with administrator permissions. Otherwise, you will not be able to
> reverse this action in the future.
> ------


I think it's time Microsoft reviewed and rewrote that article. For
Windows XP you cannot keep the built-in Administrator account from
logging on to Safe-Mode with the procedure described there and for
Windows 2000 that will not prevent logging on locally with the built-in
Administrator account, the Administrator will still be able to log on
locally in Safe-Mode and in Normal mode! There is another policy at the
same location that will effectively lockout the built-in Administrator
account, but the one mentioned in the article won't do it.

John
 
Reply With Quote
 
M.I.5
Guest
Posts: n/a
 
      23rd Oct 2007

"Don J" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I don't understand your last paragraph. In particular I've been using the
>Administrator Account as my normal day to day account, in XP Home, for
>about a year. What do you mean by "XP Home does not allow you to use the
>'Administrator' account directly"?
>


In Windows XP Home, if you do not create any other account and only have the
administrator account existing, then XP will boot directly into that account
and allow its use for everyday purposes. As soon as you create a second
account regardless of whether you grant administrator or limited access, the
administrator account is disabled from being accessed in anything other than
safe mode. This is done to disuade the home user from using the safety net
for anything other than a safety net. The current discussion shows clearly
that non professional users don't appreciate the importance of keeping the
safety net in good order (and having previously used the likes of Windows 98
or ME, why would they?).

> And what do you mean by "creating the new user account can define this new
> account as a different type of account than administrator type."? How
> does it get changed?
>


From Control panel and then User ccounts, you can create a new user account.
Such an account can be either an 'administrator' account or a 'limited'
account. The former has all the privileges of the default administrator
account, and as much capability to wreak havoc. It can also be accessed in
safe mode. The limited account has much more limited capability. It can't
generally load new applications or make most registry changes. It also
can't be entered while in safe mode. The account type can be changed in the
control panel.

While in the user accounts, you will notice that there is a third type of
account called 'guest', which is disabled by default. When enabled this
account allows access with even more restriction than the limited account.
I heartily recommend against enabling this account.

Users of XP professional will be aware that there are more types of account
available with increasing levels of privilege available.



 
Reply With Quote
 
=?Utf-8?B?Q3JhaWcgUw==?=
Guest
Posts: n/a
 
      23rd Oct 2007
I'm guilty of using the out-of-the-box Administrator as the sole daily user
account (XP Pro) -Thanks for this post. This Administrator's "Account Name"
is a major Folder Name in Local Documents & Settings. Assuming the matching
names Are Related, what happens to that Folder name if you Re-name Or
Disable that Administrator's account when creating a new Account with Admin
Privileges as you suggest ? As a non-expert I don't want to Open a can of
worms I can't fix. Thanks.

"Jim" wrote:

>
> "Don J" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > I've yet to see a good explanation of how to avoid using the predefined
> > Administrator Account as the Regular Aministrator Acount during normal
> > operation. What is the difference between the regular Administrator
> > Account
> > and one that you have defined for the purpose. In particular can roles be
> > reversed? Can a new Account be defined and used as the hidden Account,
> > and
> > the original Account be used as the operating account. If the answer to
> > this question is no, whst is the reason?
> >
> > Don
> > J
> >
> > ----------------------------------------------------------------------------------------------------------
> >
> >
> >

> All members of the administrators group are equal. Thus it is easy to
> create an account that is the full equal of the built in administrator. The
> best practice is to rename the administrator account to something else; this
> is a form of security by obscurity. You then create an account for your own
> use which is a member of the administrators group. You use this account for
> all tasks which need the power of the administrator.
>
> Doing this serves two goals.
>
> In the first place, it is harder for malware to login as the administrator
> if that account has been renamed and is disabled. It is also harder to
> login with your private account because the malware needs to search for
> members of the administrators group.
>
> In the second place, using a separate private account for day to day
> activities which require the power of an administrator keeps one such
> account free for repair purposes when, like most humans, you make some
> mistake. A mistake by a member of the administratos group can cause serious
> problems.
>
> Jim
>
>
>

 
Reply With Quote
 
 
 
Reply

Thread Tools
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
why why why why why Mr. SweatyFinger Microsoft ASP .NET 4 21st Dec 2006 02:15 PM
findcontrol("PlaceHolderPrice") why why why why why why why why why why why Mr. SweatyFinger Microsoft ASP .NET 2 2nd Dec 2006 04:46 PM
administrator profile with administrator.000 and administrator under documents a Adrian Windows XP Setup 2 13th Feb 2004 05:49 PM
Customizing Regular Expression Editor for Regular Expression Validator Control Jason Timmerman Microsoft Dot NET Framework 0 27th Oct 2003 09:16 PM
Dynamically changing the regular expression of Regular Expression validator VSK Microsoft ASP .NET 2 24th Aug 2003 03:47 PM


Features
 

Advertising
 

Newsgroups
 


All times are GMT +1. The time now is 05:05 PM.