Applied a security policy to standalone XP and strange outcome

[Gringo]

First of all let me say that this is my first time ever posting to a
group of any kind so please be forgiving with my inexperience. After
many years I am changing career fields and going into IT.

Here's my situation...

I have an XPpro stand-alone machine that I was messing around with on
Snap-ins and the Security Analysis and Configuration. I don't remember
exactly but 99% confident that I imported and applied the Hisec
template.

Before the template was applied my user account was the local admin
account (which was set as admin from the start when I installed XP on
the machine)and I had 2 other limited user accounts plus 1 guest
account, all of which showed up on the Welcome screen.

After I logged off I noticed that my user did not show up on the
welcome screen and neither did the guest account, instead, a
"Administrator" user appeared with the two limited user accounts on the
Welcome screen. I clicked to logon as the admin but was unable due to
not having the correct password (I have no clue what it would be
because I never setup and "Administrator" user for the machine.

So I began freaking-out and rebooted the system; now the welcome screen
only shows the two limited user accounts and that's it. Through
reading this group I found that I could press ctrl-alt-delete twice and
get the network login, which I did, and logged in with my user account
name no problem. HOWEVER, my user account is no longer set as an admin
account and I can't even view my system calendar much less anything
else.

I downloaded an image to make a boot cd to reset the admin password, I
will see if it works this evening, but I was wondering if anyone knows
what would cause my user to be "kicked out" of the admin group on a
stand alone machine???

Thanks again for the help and forgive me for being long winded and a
newbie.

 

[Roger Abell]

There are so, so many possibilites.
While local security policy does not allow Restricted Group
definitions, these however can be defined in a SCE template,
and when such a template is applied to a standalone system
these will have a one-time effect on the target system.
A Restricted Group definition can be used to state the precise
membership in and also of a Windows group.
Perhaps you wandered into this territory (?).

 

[Gringo]

Roger,

Thanks so much for your response and help! I am not sure if I'm going
to answer your question about wandering into the Restricted Group
defition but this is what I did. I executed MMC and then add the
snap-in for computer security and then imported one of the templates to
"analyze" I thought it was the hisec one but not 100% positive but for
sure it was one of the templates that shows up on default. I then
applied it and that's when troubles started. So I guess it is possibe
that I "wandered" into that territory.

I downloaded the "Offline NT Password & Registry Editor" and put the
image on CD and booted to try to reset the admin password. It didn't
work, I went through the FAQ and followed those to a "T" but no luck.
When I run the program and get to the admin account to change the
password it does say "LANMAN password not set. User may have a blank
password". It does say it is usually safe to continue but I continue
with no luck. I guess that goes back to the fact that when I setup the
machine I put my name as the admin account and no administrator account
was ever made on the machine.

Now, I have another problem! Since trying to change the password and
rebooting a few times I cannot even log in with any user account
becaues it says my security log is full and a admin must sign on to
clear it! LOL I don't mind formatting and restarting but I do have
some stuff I would like to get, any suggestions???

Thanks again for your help for this newbie

Bobby

 

[Gringo]

Well, I got in, yes, using the "NT Pasword & Registry Editor". I have
the security log but it is very vague and I don't think I will be able
to tell what happened form here. My user still doesn't show up on
welcome screen nor is it available when I go to "Users & Computers". I
will keep investigating. Thanks!

 

[Steven L Umbach]

The hisecure template for workstations will remove all users from the local
administrators group except the built in administrator and domain admins
[for a domain computer] when applied with the Security Configuration and
Analysis tool which is what happened to you. You will need to logon as the
built in local administrator and if you do not know the password for that
account the password reset disk you mention to regain admin access to your
computer. For future reference you can view the security template in the mmc
snapin for security templates to see the defined settings in each category.
More security is not always better. --- Steve

 

[Gringo]

Hey Steve,

Thanks for your time and knowledge, I appreciate it! Got everything
back to normal. I did see, once I was able overcome the Administrator
account not having a set password, that my user had been wiped of any
permissions, etc. I appreciate people like you and Roger taking your
time to explain and help.

Bobby

 

[Steven L Umbach]

Sounds good. Glad you got it sorted out. --- Steve