Why not use regular Administrator Account?

[Don J]

I've yet to see a good explanation of how to avoid using the predefined
Administrator Account as the Regular Aministrator Acount during normal
operation. What is the difference between the regular Administrator Account
and one that you have defined for the purpose. In particular can roles be
reversed? Can a new Account be defined and used as the hidden Account, and
the original Account be used as the operating account. If the answer to
this question is no, whst is the reason?

Don J

----------------------------------------------------------------------------------------------------------

 

[JS]

Think of the built in Admin account as your back door (safety net), and your
personal account (Admin privileges) as your every day account. Should your
personal account get hosed that back door may be the only way into Windows.

JS

 

[Don J]

Why can't the roles be reversed?

Don J

------------------------------------------------------------------------

Think of the built in Admin account as your back door (safety net), and
your personal account (Admin privileges) as your every day account. Should
your personal account get hosed that back door may be the only way into
Windows.

JS

 

[Shenan Stanley]

Why can't the roles be reversed?

Think of the built in Admin account as your back door (safety
net), and your personal account (Admin privileges) as your every
day account. Should your personal account get hosed that back door
may be the only way into Windows.

I've yet to see a good explanation of how to avoid using the
predefined Administrator Account as the Regular Aministrator
Acount during normal operation. What is the difference between
the regular Administrator Account and one that you have
defined for the purpose. In particular can
roles be reversed? Can a new Account be defined and used as
the hidden Account, and the original Account be used as the
operating account. If the answer to this question is no, whst
is the reason?

First - what is the purpose?
Some sort of 'security by obscurity'? Unwise IMHO...

No matter the reasoning - where did you get that it 'could not be done'?
You can disable the built in administrator and create as many other
administrators on a Windows XP system as you desire.

How to disable the Local Administrator account in Windows
http://support.microsoft.com/kb/281140

The warning there says a bunch...
------
Note Before you disable the local Administrator account, make sure that
there is at least one other local or network user who can gain access to the
computer with administrator permissions. Otherwise, you will not be able to
reverse this action in the future.
------

Your original question should have had nothing to do with how to avoid using
the built-in account - it should be, essentially (and paraphrasing) - why is
it unwise to run as an administrator all the time and/or have only a single
user with administrative rights that you use for daily activity? The answer
is simple - you are apt to make a foolish/unwise decision and with that much
power on the machine - you can pretty much turn a small 'shouldn't have
clicked on that' to a complete format and install anew in a matter of
minutes. Not fun, not worth it.

Sure - you could say 'I keep good backups' or 'I have an image of my
machine' or whatever method you plan on reversing it - but while you are
doing that, someone with more than one administrative account with good
password and security built in will be fixed and running while you are
restoring and hoping you haven't lost too much.

As for the account being 'hidden' - only if you are utilizing Windows XP
Home Edition. Even then it is not really hidden - just more difficult for
the normal Windows user to get to and utilize than in the professional
version of the same OS (and all supersets of that.)

Now - what would REALLY be unwise is to have ONLY one account and use that
lone account with administrative powers (would pretty much have to have
these rights - given it is the ONLY user account) on a daily basis. After
all - if something gets corrupted - what account are you logging in as in
order to repair things? Sure - you can do the recovery console, you could
do a repair install, you could boot from a Windows XP BartPE CD and erase
the account's profile directory (or rename it) so a new profile is made at
the next logon - but that still puts all your eggs in one basket.

 

[smlunatick]

Why can't the roles be reversed?

Don J

------------------------------------------------------------------------





- Show quoted text -

The "Administrator" account is the default account that XP creates (as
with Windows NT and 2000.) Depending on how your create your general
day to day userr account, you might not:

1) Be able to access the "administrator" account data files

2) Be able to create new user accounts

3) Reset passwords


XP Home does not let you use the "Administrator" account directly.
And during creating new user account, the "administrator" account
creating the new user account can define this new account as a
different type of accouint than "administrator" type.

 

[Don J]

I don't understand your last paragraph. In particular I've been using the
Administrator Account as my normal day to day account, in XP Home, for about
a year. What do you mean by "XP Home does not allow you to use the
'Administrator' account directly"?

And what do you mean by "creating the new user account can define this new
account as a different type of account than administrator type."? How does
it get changed?

Don J

-----------------------------------------------------------------------------------------

Why can't the roles be reversed?

Don J

------------------------------------------------------------------------





- Show quoted text -

The "Administrator" account is the default account that XP creates (as
with Windows NT and 2000.) Depending on how your create your general
day to day userr account, you might not:

1) Be able to access the "administrator" account data files

2) Be able to create new user accounts

3) Reset passwords


XP Home does not let you use the "Administrator" account directly.
And during creating new user account, the "administrator" account
creating the new user account can define this new account as a
different type of accouint than "administrator" type.

 

[Jim]

I've yet to see a good explanation of how to avoid using the predefined
Administrator Account as the Regular Aministrator Acount during normal
operation. What is the difference between the regular Administrator
Account
and one that you have defined for the purpose. In particular can roles be
reversed? Can a new Account be defined and used as the hidden Account,
and
the original Account be used as the operating account. If the answer to
this question is no, whst is the reason?

Don
J

All members of the administrators group are equal. Thus it is easy to
create an account that is the full equal of the built in administrator. The
best practice is to rename the administrator account to something else; this
is a form of security by obscurity. You then create an account for your own
use which is a member of the administrators group. You use this account for
all tasks which need the power of the administrator.

Doing this serves two goals.

In the first place, it is harder for malware to login as the administrator
if that account has been renamed and is disabled. It is also harder to
login with your private account because the malware needs to search for
members of the administrators group.

In the second place, using a separate private account for day to day
activities which require the power of an administrator keeps one such
account free for repair purposes when, like most humans, you make some
mistake. A mistake by a member of the administratos group can cause serious
problems.

Jim

 

[John John]

No matter the reasoning - where did you get that it 'could not be done'?
You can disable the built in administrator and create as many other
administrators on a Windows XP system as you desire.

How to disable the Local Administrator account in Windows
http://support.microsoft.com/kb/281140

The warning there says a bunch...
------
Note Before you disable the local Administrator account, make sure that
there is at least one other local or network user who can gain access to the
computer with administrator permissions. Otherwise, you will not be able to
reverse this action in the future.
------

I think it's time Microsoft reviewed and rewrote that article. For
Windows XP you cannot keep the built-in Administrator account from
logging on to Safe-Mode with the procedure described there and for
Windows 2000 that will not prevent logging on locally with the built-in
Administrator account, the Administrator will still be able to log on
locally in Safe-Mode and in Normal mode! There is another policy at the
same location that will effectively lockout the built-in Administrator
account, but the one mentioned in the article won't do it.

John

 

[M.I.5¾]

I don't understand your last paragraph. In particular I've been using the
Administrator Account as my normal day to day account, in XP Home, for
about a year. What do you mean by "XP Home does not allow you to use the
'Administrator' account directly"?

In Windows XP Home, if you do not create any other account and only have the
administrator account existing, then XP will boot directly into that account
and allow its use for everyday purposes. As soon as you create a second
account regardless of whether you grant administrator or limited access, the
administrator account is disabled from being accessed in anything other than
safe mode. This is done to disuade the home user from using the safety net
for anything other than a safety net. The current discussion shows clearly
that non professional users don't appreciate the importance of keeping the
safety net in good order (and having previously used the likes of Windows 98
or ME, why would they?).

And what do you mean by "creating the new user account can define this new
account as a different type of account than administrator type."? How
does it get changed?

From Control panel and then User ccounts, you can create a new user account.
Such an account can be either an 'administrator' account or a 'limited'
account. The former has all the privileges of the default administrator
account, and as much capability to wreak havoc. It can also be accessed in
safe mode. The limited account has much more limited capability. It can't
generally load new applications or make most registry changes. It also
can't be entered while in safe mode. The account type can be changed in the
control panel.

While in the user accounts, you will notice that there is a third type of
account called 'guest', which is disabled by default. When enabled this
account allows access with even more restriction than the limited account.
I heartily recommend against enabling this account.

Users of XP professional will be aware that there are more types of account
available with increasing levels of privilege available.

 

[Guest]

I'm guilty of using the out-of-the-box Administrator as the sole daily user
account (XP Pro) -Thanks for this post. This Administrator's "Account Name"
is a major Folder Name in Local Documents & Settings. Assuming the matching
names Are Related, what happens to that Folder name if you Re-name Or
Disable that Administrator's account when creating a new Account with Admin
Privileges as you suggest ? As a non-expert I don't want to Open a can of
worms I can't fix. Thanks.

 

[Don J]

I don't undedrstand your statement that creating a second account prevents
the original Adminisrator Account from being accessed in anything but "Safe
Mode". I have used an "XP Home" disk to create a new XP installation of
Windows XP. The first thing I did was to define a new Administrator
Account. I then exited Windows and reentered it. There is no indication
that I am in "Safe Mode".

Don J

------------------------------------------------------------------------------------------------

 

[WaIIy]

Now - what would REALLY be unwise is to have ONLY one account and use that
lone account with administrative powers (would pretty much have to have
these rights - given it is the ONLY user account) on a daily basis. After
all - if something gets corrupted - what account are you logging in as in
order to repair things? Sure - you can do the recovery console, you could
do a repair install, you could boot from a Windows XP BartPE CD and erase
the account's profile directory (or rename it) so a new profile is made at
the next logon - but that still puts all your eggs in one basket.

Great comments and advice on this issue. As a reader of this group, I
thank you for taking the time to explain the logic of not having only
the administrator account activated.

 

[Jim]

I'm guilty of using the out-of-the-box Administrator as the sole daily
user
account (XP Pro) -Thanks for this post. This Administrator's "Account
Name"
is a major Folder Name in Local Documents & Settings. Assuming the
matching
names Are Related, what happens to that Folder name if you Re-name Or
Disable that Administrator's account when creating a new Account with
Admin
Privileges as you suggest ? As a non-expert I don't want to Open a can of
worms I can't fix. Thanks.

<big snip?
Nothing happens to the folder name in Documents & Settings when all you do
is rename the account.
When you create an account, a new folder tree for that specific account gets
created in Documents & Settings.

The way that this works is that every account is tied to a specific Security
ID. This is a multi digit number which would be the pits to use as your
login. A username is thus merely an alias for the SID.
When you rename an account, you are actually changing the alias. As far as
XP is concerned you have done nothing. Creating a new member of the
administrators group has no effect on any of the other members of the group.

Jim

 

[WaIIy]

In Windows XP Home, if you do not create any other account and only have the
administrator account existing, then XP will boot directly into that account
and allow its use for everyday purposes. As soon as you create a second
account regardless of whether you grant administrator or limited access, the
administrator account is disabled from being accessed in anything other than
safe mode. This is done to disuade the home user from using the safety net
for anything other than a safety net. The current discussion shows clearly
that non professional users don't appreciate the importance of keeping the
safety net in good order (and having previously used the likes of Windows 98
or ME, why would they?).


From Control panel and then User ccounts, you can create a new user account.
Such an account can be either an 'administrator' account or a 'limited'
account. The former has all the privileges of the default administrator
account, and as much capability to wreak havoc. It can also be accessed in
safe mode. The limited account has much more limited capability. It can't
generally load new applications or make most registry changes. It also
can't be entered while in safe mode. The account type can be changed in the
control panel.

While in the user accounts, you will notice that there is a third type of
account called 'guest', which is disabled by default. When enabled this
account allows access with even more restriction than the limited account.
I heartily recommend against enabling this account.

Users of XP professional will be aware that there are more types of account
available with increasing levels of privilege available.

I installed http://support.microsoft.com/?kbid=245216

SCESP41.EXE to my WinXP Home which gives me the Security Tab as in
XP Pro.

Pretty handy and can be pretty dangerous at the same time.