administrator account locked out?

djc

I just had a user lock out a local admin account? This is new? I did not
think local administrator accounts were subject to GPOs such as the account
lockout thresholds etc. I didn't think the local administrator account
*could* be locked out by too many failed login attempts? When did this
change?

Carey Frisch [MVP]

Administrator unable to unlock a "locked" computer
http://support.microsoft.com/kb/242917/en-us

--
Carey Frisch
Microsoft MVP
Windows - Shell/User

Enjoy all the benefits of genuine Microsoft software:
http://www.microsoft.com/genuine/default.mspx


| I just had a user lock out a local admin account? This is new? I did not
| think local administrator accounts were subject to GPOs such as the account
| lockout thresholds etc. I didn't think the local administrator account
| *could* be locked out by too many failed login attempts? When did this
| change?

Colin Nash [MVP]

djc said:
I just had a user lock out a local admin account? This is new? I did not
think local administrator accounts were subject to GPOs such as the account
lockout thresholds etc. I didn't think the local administrator account
*could* be locked out by too many failed login attempts? When did this
change?

You are right, but it is possible to change this behaviour using the
passprop.exe tool provided in the Windows Resource Kit. Maybe the user, or
someone, did that?

I think that the "account locked" checkbox still gets checked after too many
failed login attempts but it has no effect.

From:
http://www.microsoft.com/technet/security/topics/serversecurity/administratoraccounts/aapgch03.mspx :

-------------------------

Enable Account Lockout for Remote Administrator Logons
One way to prevent attackers from using the built-in administrator account
and password credentials is to allow the administrator account to be locked
out of the network by an account policy, after a specified number of logon
failures occur. By default, the built-in administrator account cannot be
locked out; however, you can use passprop.exe, a command-line program in the
Microsoft Windows 2000 Server Resource Kit, to enable account lockout for
remote logons that use the administrator account. When you run the passprop
utility with the /ADMINLOCKOUT switch, you make the administrator account
subject to account lockout policies. In Windows 2000 Server, this only
applies to remote logons, and because the built-in administrator account can
never be locked out from the local computer, this program allows you to
protect the administrator account from attack over the network but still
allows interactive access.

Warning: In Windows Server 2003, passprop will allow the built-in
administrator account to get locked out from interactive logons as well as
remote logons.

You can use the following account lockout switches with passprop:

passprop [/adminlockout] [/noadminlockout]

The /adminlockout switch keeps the administrator locked out.

The /noadminlockout switch removes the administrator lock out.

Note: When you enable this setting, and the account becomes locked out, no
one can do any remote administration with the administrator account.

Steven L Umbach

I have never seen that happen on a healthy operating system. I am not sure
of the behavior that passprop would do on XP Pro as to the built in
administrator account and you could use it to verify if it has been enabled
on that computer but my guess is that it is unlikely. Another explanation is
that maybe it was not the built in administrator account but a dummy account
renamed administrator, as some do as a security measure. Of course, if that
was the case, the real built in administrator account would be named
something else and would always have 500 at the end of its SID, as shown by
the whoami tool. I have also noticed that, if need be, the free password
reset disk at the link below can unlock locked user accounts on the local
computer.

Steve

http://home.eunet.no/~pnordahl/ntpasswd/ --- don't leave home without it.
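A defender-side check that ties together Colin's remark about the "account locked" flag and Steve's point that the real built-in account is the one whose SID ends in 500, whatever it has been renamed to. This is an added example, not code from any poster in the thread; it assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module and the ADSI WinNT provider) and an elevated session, since reading the Security log needs it and event 4740 is only written when account-management auditing is enabled.

```powershell
# Added example (not from the thread). Assumes Windows 10 / Server 2016 or later
# with the LocalAccounts module and an elevated session for Security log access.

# 1. Find the real built-in Administrator by RID, regardless of its current name.
#    The built-in account's SID always ends in -500, even after a rename.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
if (-not $builtin) { throw 'No local account with RID 500 found' }

# 2. Read the lockout flag through the ADSI WinNT provider, because
#    Get-LocalUser does not expose the lockout state at all.
$adsi   = [ADSI]"WinNT://$env:COMPUTERNAME/$($builtin.Name),user"
$locked = [bool]$adsi.InvokeGet('IsAccountLocked')

# Summary of the account: name, SID, enabled state, lockout flag, last logon.
[PSCustomObject]@{
    Name        = $builtin.Name
    SID         = $builtin.SID.Value
    Enabled     = $builtin.Enabled
    IsLockedOut = $locked
    LastLogon   = $builtin.LastLogon
}

# 3. Show what tripped the lockout, if auditing is on: 4740 = account locked out,
#    4625 = failed logon. Both events name the target account in their message.
$filter = @{ LogName = 'Security'; Id = 4740, 4625; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "\b$([regex]::Escape($builtin.Name))\b" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If the account reported here is not the one the user tried to log on with, the locked account is an ordinary member of the Administrators group, which has always been subject to the lockout policy.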

Bruce Chambers

djc said:
I just had a user lock out a local admin account? This is new? I did not
think local administrator accounts were subject to GPOs such as the account
lockout thresholds etc. I didn't think the local administrator account
*could* be locked out by too many failed login attempts? When did this
change?

With the introduction of the Administrator account in WinNT, many years
ago.


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell

Steven L Umbach

Depends if you are talking about network or interactive logon. It was not
possible to ever lock out the built in administrator account for interactive
logon for at least NT and Windows 2000. Passprop can cause the built in
administrator account to be locked out for interactive and network logon in
Windows 2003. For XP and Windows 2003 it makes more sense to disable the
built in administrator account than use passprop.

Steve

Bruce Chambers

Steven said:
Depends if you are talking about network or interactive logon. It was not
possible to ever lock out the built in administrator account for interactive
logon for at least NT and Windows 2000.


Actually, it happened all the time, whenever some twit decided to use
the NTFS file permission "Deny" action and apply it to the Everyone
group. This doesn't lock out an interactive logon, per se, but the
effect is the same; the local administrator can do nothing.



Steven L Umbach

I hear that but I believe OP was specifically talking about lockout of built
in administrator account due to password policy.

Steve

Bruce Chambers

Steven said:
I hear that but I believe OP was specifically talking about lockout of built
in administrator account due to password policy.

I misunderstood something along the thread, then. Sorry to have intruded.



Robert Moir

djc said:
I just had a user lock out a local admin account? This is new? I did not
think local administrator accounts were subject to GPOs such as the
account lockout thresholds etc. I didn't think the local administrator
account *could* be locked out by too many failed login attempts? When
did this change?

*THE* 'administrator' account, or '"J. Random User" who has been added to
the Administrators group' on the local machine?

Totally different things.

First case - you're talking about the sort of changes already identified in
the other posts here.
Second case - Sure. Always been the case. Nothing wrong here at all.

--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ -
http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked:
"Have you checked (event viewer / syslog)".

Bruce Chambers

Steven said:
Bruce your valuable input is always welcome!

Thanks for the kind words, Steve, but I shouldn't have so carelessly
diverted the thread.

