Too late for Administrator's Password?

[DSG]

Too late for Administrator's Password?

My Windows XP SP2 Pro is set so that I am the administrator (standalone)
A password was not set for the Administrator or for me.
In Control Panel I am listed under User Accounts, "user me" Computer
administrator. It is the only item listed on that dialog.

A technician built the basic system and installed the operating system, and
applied the appropriate drivers to the hardware. I have installed some PnP
hardware with their programs and drivers, and the remaining software.

I'm ready to create a Password for the Administrator and a password for
"User me" - I've read all of Help & Support's articles on this.

My quandary is, I don't want to have any snafus later about not being able
to access things, since I don't know "who" installed all these programs - Me
or the "administrator." Since I am both, I assume I will be able to access
anything either with my own password or with the administrator's password.
In Documents and Settings, the only thing the Administrator owns is a My
Documents folder. My own user folder has been assigned to me with my name
on it.

I'm looking at Program Groups in System Information.

Accessibility to Accessories is given to NT Authority\System and "user me."
Accessibility to Accessories\Entertainment is given to NT Authority\System,
to "user me", to default user and All Users.
Startup is given to all four of us.

Everything else is given to All Users. I'm the only one here so that doesn't
bother me.

Please advise: At this point, can I go ahead and do a password for the
administrator and then one for me? Is it too late to do a password for
Administrator?

 

[Guest]

You might be one of the administrators,however if you tap F8 key at starting
youre computer,then select safe mode,you'll see another.

 

[Winguy]

First, if you're going to be messing with permissions then ALWAYS FIRST SET
A SYSTEM RESTORE POINT at minimum. For extra protection, install the XP
Recovery Console (search in Start | Help and Support" on the phrase
"recovery console" without the quote marks, look in the left pane for the
info on how to install it). Install that RC. Since you'e the only one using
your computer, there's no need (unless you want it) to require a password to
login to the RC as the system Administrator, so do this:

For XP-Pro, go into Control Panel and open Administrative Tools and then
open Local Security Policy. In the left pane expand the Local Policies
folder and click the Security Options folder. In the right pane, scroll down
to where you see 2 lines starting with "Rcovery Console:". Right-click each
of them, select Properties, select the Enable option, and click ok. When
done, close the Local Security Settings. Now go to each of these folders and
create within each of them a folder called "MyBackUp" (where %windir% is the
root of where Windows was installed to, usually something like Windows or
WINNT):

%windir%\security\
%windir%\system32\config

Go into the root of Drive C, make sure you can view all files (system,
hidden, all of them) and then un-writeprotect the "boot.ini" file and then
open it with Notepad. You'll see a line that says "timeout=30" and you
should change that timeout to something more reasonable, like 6 (for 6
seconds). This timeout is how long there will be displayed the option to go
into the RC every time you boot. Save boot.ini, exit Notepad, go back and
make its Properties read-only again. It's a good idea to have a backup copy
of boot.ini, renamed to something else like "MyBoot.ini" or something.

Now reboot the computer and elect to go into the RC while you see the option
displayed for that timeout period that you defined above. Issue these
commands exactly as shown here (you may not use wildcards like in old DOS):

cd %windir%\system32\config
copy default MyBackUp\DEFAULT
copy sam MyBackUp\SAM
copy security MyBackUp\SECURITY
copy software MyBackUp\SOFTWARE
copy system MyBackUp\SYSTEM
copy userdiff MyBackUp\USERDIFF
dir
[If you now see other files that start with the characters "userdif" but are
not named "userdiff" then copy them over, too.]
exit
[the computer now boots into windows]

What you have just done is made a copy of the system registry, which is
composed of those files. If you were not even able to boot into safe mode or
System Restore just won't work, copying them back to the
%windir%\system32\config folder, via the RC, would probably allow you to
boot normally again. You should keep these backups up to date.

Equally important is to keep a backup of your security policies. You can do
this from Windows Explorer. If you get an error about the file being open by
something else then reboot, the policies are busy because they are in
process of being updated and that will happen at shutdown and then you
should not get that error. You could do it from the RC, but that's not
necessary. In the %windir%\security folder copy EVERYTHING there (except
your MyBackUp folder!) into your MyBackUp folder that you created within
that folder. Now, if the files are not busy you can put them back again and
eliminate some serious security problems that can occassionally occur due to
file corruption (power off at exactly the incorrect time or whatever). If
necessary, you could (painfully) put them back using the RC.

Feeling a little safer now? Make a System Restore Point anyway.

Next, administrator, you need to have the security tab show when you
right-clcik a file or folder, that's where you assign very granular
permissions about who can access what and what permissions are allowed.
Well, that's why they call it XP-Pro (you can't do this with teh Home
edition). Launch (Windows) Explorer (no, not Internet Explorer!) and select
Tools, then Folder Options, then click the View tab, and UNSELECT the
"Display simple folder view in Explorer's Folders" option, and then click OK
and then exit Explorer. Now you can right-click nearly any file or folder,
select Properties, go into the Security tab, and make things much more to
your liking (or a lot worse). Always have backup of your registry and
security policy before you do things with security!

Now, more to your orignal question. No, everyone who is a member of the
Administrators Group has Administrator powers everywhere BY DEFAULT AT XP
INSTALLATION. Which doesn't mean you can not change default stuff and remove
(or add) the Administrator Group in individual or inherited cases on that
Security tab I was talking about -- you can, and therby limit (or add)
permissions for certain accounts (say, just one particular logged in
administrator account). If you did something like that then ONLY that
particular administrator could change things, so don't do that unless you've
wisely created yet another administrator account that you always give the
same godly permissions to as you give to the first (primary) one. Then if
somethig happens to one account (virus, per chance) you can go into the
other one and still have god power over your virtual domain. I'll have to
leave it up to you to learn about inheriting (or removing inheritance) of
permissions and the like ... hey, they teach entire classes about this sort
of thing but there're some good books too, not to mention many fine articles
about security all over the internet. Actually, it's not all that difficult
as they make it out to be. Just be religious on backup of the registry and
at the same identical time period the security folder content too, and you
can recover from most any problem you invoke except for files that you sent
to the bit bucket instead of to the recycle bin ...

And don't use a powerful administrator account to surf the net with, use a
limited account to do that and dl your stuff with it then switch to an
administrator account to install it and so on. Not that most of us really do
all this good stuff! So also have good antivirus, firewall, and on and on
and on ...

In short, give your admin account god power everywhere on your HDD. Then it
can access most anything, anywhere. There are some minor but important
limits, some things only the system has permission to use.

 

[DSG]

Your instruction is a 1-2-3 approach which I was hoping to get. I have a
large collection of instructions that would do this job, but it never says
what to do first. Thanks, much. dsg
mmmmmmmmmmmmmmmmmmmmmmmmmmmm

First, if you're going to be messing with permissions then ALWAYS FIRST
SET A SYSTEM RESTORE POINT at minimum. For extra protection, install the
XP Recovery Console (search in Start | Help and Support" on the phrase
"recovery console" without the quote marks, look in the left pane for the
info on how to install it). Install that RC. Since you'e the only one
using your computer, there's no need (unless you want it) to require a
password to login to the RC as the system Administrator, so do this:

For XP-Pro, go into Control Panel and open Administrative Tools and then
open Local Security Policy. In the left pane expand the Local Policies
folder and click the Security Options folder. In the right pane, scroll
down to where you see 2 lines starting with "Rcovery Console:".
Right-click each of them, select Properties, select the Enable option, and
click ok. When done, close the Local Security Settings. Now go to each of
these folders and create within each of them a folder called "MyBackUp"
(where %windir% is the root of where Windows was installed to, usually
something like Windows or WINNT):

%windir%\security\
%windir%\system32\config

Go into the root of Drive C, make sure you can view all files (system,
hidden, all of them) and then un-writeprotect the "boot.ini" file and then
open it with Notepad. You'll see a line that says "timeout=30" and you
should change that timeout to something more reasonable, like 6 (for 6
seconds). This timeout is how long there will be displayed the option to
go into the RC every time you boot. Save boot.ini, exit Notepad, go back
and make its Properties read-only again. It's a good idea to have a backup
copy of boot.ini, renamed to something else like "MyBoot.ini" or
something.

Now reboot the computer and elect to go into the RC while you see the
option displayed for that timeout period that you defined above. Issue
these commands exactly as shown here (you may not use wildcards like in
old DOS):

cd %windir%\system32\config
copy default MyBackUp\DEFAULT
copy sam MyBackUp\SAM
copy security MyBackUp\SECURITY
copy software MyBackUp\SOFTWARE
copy system MyBackUp\SYSTEM
copy userdiff MyBackUp\USERDIFF
dir
[If you now see other files that start with the characters "userdif" but
are not named "userdiff" then copy them over, too.]
exit
[the computer now boots into windows]

What you have just done is made a copy of the system registry, which is
composed of those files. If you were not even able to boot into safe mode
or System Restore just won't work, copying them back to the
%windir%\system32\config folder, via the RC, would probably allow you to
boot normally again. You should keep these backups up to date.

Equally important is to keep a backup of your security policies. You can
do this from Windows Explorer. If you get an error about the file being
open by something else then reboot, the policies are busy because they are
in process of being updated and that will happen at shutdown and then you
should not get that error. You could do it from the RC, but that's not
necessary. In the %windir%\security folder copy EVERYTHING there (except
your MyBackUp folder!) into your MyBackUp folder that you created within
that folder. Now, if the files are not busy you can put them back again
and eliminate some serious security problems that can occassionally occur
due to file corruption (power off at exactly the incorrect time or
whatever). If necessary, you could (painfully) put them back using the RC.

Feeling a little safer now? Make a System Restore Point anyway.

Next, administrator, you need to have the security tab show when you
right-clcik a file or folder, that's where you assign very granular
permissions about who can access what and what permissions are allowed.
Well, that's why they call it XP-Pro (you can't do this with teh Home
edition). Launch (Windows) Explorer (no, not Internet Explorer!) and
select Tools, then Folder Options, then click the View tab, and UNSELECT
the "Display simple folder view in Explorer's Folders" option, and then
click OK and then exit Explorer. Now you can right-click nearly any file
or folder, select Properties, go into the Security tab, and make things
much more to your liking (or a lot worse). Always have backup of your
registry and security policy before you do things with security!

Now, more to your orignal question. No, everyone who is a member of the
Administrators Group has Administrator powers everywhere BY DEFAULT AT XP
INSTALLATION. Which doesn't mean you can not change default stuff and
remove (or add) the Administrator Group in individual or inherited cases
on that Security tab I was talking about -- you can, and therby limit (or
add) permissions for certain accounts (say, just one particular logged in
administrator account). If you did something like that then ONLY that
particular administrator could change things, so don't do that unless
you've wisely created yet another administrator account that you always
give the same godly permissions to as you give to the first (primary) one.
Then if somethig happens to one account (virus, per chance) you can go
into the other one and still have god power over your virtual domain. I'll
have to leave it up to you to learn about inheriting (or removing
inheritance) of permissions and the like ... hey, they teach entire
classes about this sort of thing but there're some good books too, not to
mention many fine articles about security all over the internet. Actually,
it's not all that difficult as they make it out to be. Just be religious
on backup of the registry and at the same identical time period the
security folder content too, and you can recover from most any problem you
invoke except for files that you sent to the bit bucket instead of to the
recycle bin ...

And don't use a powerful administrator account to surf the net with, use a
limited account to do that and dl your stuff with it then switch to an
administrator account to install it and so on. Not that most of us really
do all this good stuff! So also have good antivirus, firewall, and on and
on and on ...

In short, give your admin account god power everywhere on your HDD. Then
it can access most anything, anywhere. There are some minor but important
limits, some things only the system has permission to use.

 

[David Candy]

Password only are required at logon. If you set a password that's the only diffence. You in fact have a password now - a blank one. One of the OS's accounts (for the OS's use) doesn't have a password at all. Therefore any password incl a blank one will work. Your account has a blank password. You can only logon with a blank password.

So nothing will change if you CHANGE the password from blank to something else except windows won't automatically enter it for you (which is what is happening behind the scenes).