Disabled administrator account can logon in safe mode

Freaky

Hey there,

we're having a strange issue. We're using RIS to deploy WindowsXP with
SP2 integrated (no other updates!). It's just a normal WindowsXP
install, with some driver paths so it can load all the drivers and a
domain join.

The DisableAdminAccountOnDomainJoin = 1 appears to work nicely, as the
administrator account is listed with the red cross and we can also see
the 'Account Disabled' check if we open the properties (heck we can even
see those whilst logging in as local administrator in safe mode...).
Whilst in 'normal' mode we can not log on as the local administrator and
it will nicely give an error stating the account is disabled.

This really has me confused... Any suggestions?

Below is the SIF file we use for installation. Nothing peculiar if you
ask me.

;SetupMgrTag
[Data]
AutoPartition=1
MsDosInitiated="1"
UnattendedInstall="Yes"
floppyless="1"
OriSrc="\\%SERVERNAME%\RemInst\%INSTALLPATH%"
OriTyp="4"
LocalSourceOnCD=1
DisableAdminAccountOnDomainJoin = 1

[SetupData]
OsLoadOptions="/noguiboot /fastdetect"

SetupSourceDevice="\Device\LanmanRedirector\%SERVERNAME%\RemInst\%INSTALLPATH%"

[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
OemPreinstall=Yes
TargetPath=\WINDOWS
FileSystem=LeaveAlone
NtUpgrade=No
OverwriteOemFilesOnUpgrade=No
OemPnpDriversPath = \Drivers\HP\NIC;\Drivers\HP\Audio;\Drivers\HP\Video;\Drivers\HP\AtiChipset;\Drivers\Asus\A7V5;\Drivers\Asus\Audio;\Drivers\Asus\Monitor;\Drivers\Asus\NIC;\Drivers\Asus\Video;\Drivers\GX620\AUDIO;\Drivers\GX620\CHIPSET;\Drivers\GX620\NIC;\Drivers\GX620\VGA;\Drivers\HDA-Bus
DriverSigningPolicy = Ignore

[GuiUnattended]
AdminPassword=*
EncryptedAdminPassword=NO
OEMSkipRegional=1
TimeZone=110
OemSkipWelcome=1

[UserData]
ProductKey=VVVVV-WWWWW-XXXXX-YYYYY-ZZZZZ
FullName="CompanyName"
OrgName="CompanyName"
ComputerName=%MACHINENAME%

[Display]
BitsPerPel=32
Xresolution=1024
YResolution=768

[TapiLocation]
CountryCode=31
Dialing=Tone

[Identification]
JoinDomain=%MACHINEDOMAIN%
DoOldStyleDomainJoin=Yes

[Networking]
InstallDefaultComponents=Yes
ProcessPageSections=Yes

[RemoteInstall]
Repartition=Yes

[OSChooser]
Description="XP SP2 Std Install"
Help="Dit zou een standaard installatie moeten zijn."
LaunchFile="%INSTALLPATH%\%MACHINETYPE%\templates\startrom.com"
ImageType=Flat
 
John John

I may be wrong but my understanding is that even if you disable the
built-in Administrator account you will still be able to logon with the
account in Safe-Mode or in the Recovery Console.

John
 
Freaky

Yea it appears so... Have an XP SP2 install and tested it, same issue.

I'm sure though that it was disabled on the previous RIS installs (they
were created by someone else). Those ran SP1 and if we tried logging on
as administrator in safe mode it wouldn't succeed. We could boot into
safe mode tho'.

The search goes on.


John John

Unless someone who knows how to really disable it can tell us how it
might be done I would say give it good, strong password protection and
forget about trying to disable it completely. You might get a service
ticket and be happy to have it enabled for special purposes. And even
if it's disabled the guys who really want to get in through the back
door know all about the Linux password disks available out there, so
make it as secure as you can and advise users of the company (firing)
policy for those who try to hack it!

John

Ayush

I don't think you can disable it completely. The help file says:
The Administrator account can never be deleted, disabled, or removed from the
Administrators local group, ensuring that you never lock yourself out of the
computer by deleting or disabling all the administrative accounts. This feature
sets the Administrator account apart from other members of the Administrators
local group.


John John

It wouldn't be out of the ordinary for a Domain Administrator to have
precedence over these matters, but your post adds weight to the notion
that it can't be disabled completely.

John
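
An added example, not part of the original posts: because the thread finds that the disabled built-in Administrator can still log on in safe mode, the password set by the answer file is what actually protects the account, and `AdminPassword=*` in the posted SIF sets it to blank. The Python below lints those settings in an answer file; the function names and rule IDs are hypothetical, and the sample is an excerpt of the SIF from the first post.

```python
# Added example: lint an unattended-setup answer file for the settings above.
SAMPLE_SIF = """
[Data]
DisableAdminAccountOnDomainJoin = 1

[Unattended]
DriverSigningPolicy = Ignore

[GuiUnattended]
AdminPassword=*
EncryptedAdminPassword=NO
"""  # excerpt of the SIF posted in the thread

def parse_sif(text):
    """Parse INI-style text into {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return sections

def audit_sif(text):
    """Return (rule_id, message) findings; the rule IDs are hypothetical."""
    sif = parse_sif(text)
    gui = sif.get("guiunattended", {})
    password = gui.get("adminpassword")
    encrypted = gui.get("encryptedadminpassword", "no").lower() == "yes"
    disabled = sif.get("data", {}).get("disableadminaccountondomainjoin") == "1"
    findings = []
    if password == "*":                         # '*' sets a blank password
        findings.append(("BLANK_ADMIN_PASSWORD", "Administrator password is blank"))
        if disabled:
            findings.append(("DISABLE_FLAG_ONLY", "disabled account has no password; "
                             "the thread shows it can still log on in safe mode"))
    elif password and not encrypted:
        findings.append(("PLAINTEXT_ADMIN_PASSWORD", "password readable in the file"))
    if sif.get("unattended", {}).get("driversigningpolicy", "").lower() == "ignore":
        findings.append(("UNSIGNED_DRIVERS", "unsigned drivers install silently"))
    return findings

if __name__ == "__main__":
    for rule_id, message in audit_sif(SAMPLE_SIF):
        print(f"{rule_id}: {message}")
```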
 
