Password

Guest

My son and I are both set up as Administrator on our home PC. My son was
able to log on under his name, go to User Accounts, change my account log on
password and log back in under my name with full access to "My Documents"
Folder. Why? How can I stop this?
 
Jon

Only by changing his account to a "limited" account via Control Panel > Add
/ Remove Programs

Jon
 
matsr

Maybe you can limit his access to Control Panel via Group Policy?

Start > Run > gpedit.msc

UserConfiguration > Admin. templates > Control Panel > prohibit access
to control panel

You should test this with both your user and your son's user since it
very well might affect both.

To skip this setting for your user, change your rights to the file
"C:\WINDOWS\system32\GroupPolicy\GPt.ini" to deny all. Of course this
will prevent you from altering the Group Policy too, but since you can
just change your rights right back to read+modify this will be no big
problem.

And of course if your son knows how to do this, he can too (as he is
admin) if he is allowed to open gpedit.msc. Therefore you may want
to change his rights so that he can't run
C:\WINDOWS\system32\gpedit.msc <--- this file
 
matsr

Maybe there is an even better way
once again via gpedit.msc

Start > Run > gpedit.msc
From there

UserConfiguration > Admin. templates > Control Panel > Hide specified
Control Panel applets

Add: nusrmgr.cpl

This will allow him to use everything in the Control Panel except the
user account management.

There are ways around this as well, you will of course need to secure
the same way as above, still it will not be waterproof.
 
matsr

Maybe there is an even better way
once again via gpedit.msc

Start > Run > gpedit.msc
From there

UserConfiguration > Admin. templates > Control Panel > Hide specified
Control Panel applets

Add: nusrmgr.cpl

This will allow him to use everything in the Control Panel except the
user account management. However, if he starts nusrmgr.cpl from
Explorer (c:\windows\system32) he will be allowed to open it and change
whatever he wants. You might want to change his rights according to
this file too. I'm not sure if he can change his own rights to this file
then? Check it out!

There are ways around this as well, you will of course need to secure
the same way as above, still it will not be waterproof.
 
Gordon

Nelsonace said:
My son and I are both set up as Administrator on our home PC. My son
was able to log on under his name, go to User Accounts, change my
account log on password and log back in under my name with full
access to "My Documents" Folder. Why? How can I stop this?

There's no watertight way of doing this.
You have two options: get a removable HDD, put all your data on that,
remove it and lock it away when you finish on the machine, or go to a
properly secure operating system such as a Linux distro.
 
Z

Nelsonace said:
My son and I are both set up as Administrator on our home PC. My son was
able to log on under his name, go to User Accounts, change my account log on
password and log back in under my name with full access to "My Documents"
Folder. Why? How can I stop this?

Your son accessed your files the stupid way. Since you've made him Admin
(bad move if he can't be trusted), he could have just read your My
Documents files w/o changing your password (and thus tipping you off)

Anyway, some options:

1. Enable EFS on your My Documents folder

(Windows Explorer > C:\Documents and Settings\<user> > right click on My
Documents > Properties > General > Advanced > Encrypt contents to secure
data)

2. Use some other encryption software, like PGP
 
Z

Z said:
Your son accessed your files the stupid way. Since you've made him Admin
(bad move if he can't be trusted), he could have just read your My
Documents files w/o changing your password (and thus tipping you off)

Anyway, some options:

1. Enable EFS on your My Documents folder

(Windows Explorer > C:\Documents and Settings\<user> > right click on My
Documents > Properties > General > Advanced > Encrypt contents to secure
data)

2. Use some other encryption software, like PGP

One more thing ... when you write "how can I stop this?" I assume you
mean stopping him from reading your files.
 
Rock

Z said:
Your son accessed your files the stupid way. Since you've made him Admin
(bad move if he can't be trusted), he could have just read your My
Documents files w/o changing your password (and thus tipping you off)

Anyway, some options:

1. Enable EFS on your My Documents folder

(Windows Explorer > C:\Documents and Settings\<user> > right click on My
Documents > Properties > General > Advanced > Encrypt contents to secure
data)

2. Use some other encryption software, like PGP

EFS won't work if the son can login to the father's account. Then efs
is transparent.
 
R. McCarty

Only/Best solution is buy him the $299 Dell weekly special.
Then lock your own PC down, Boot Password, Single user,
password protect the Administrator account. You can play
the "Cat-&-Mouse" security (Stay out of My Account) game
but it seldom if ever works.
 
Z

Rock said:
EFS won't work if the son can login to the father's account. Then efs
is transparent.

Unless I misread the orig. post, the son can only login to the parent's
acct by changing the password on the parent's acct. Forcing a new pw
from another acct should leave EFS secure. Right?
 
Bruce Chambers

Nelsonace said:
My son and I are both set up as Administrator on our home PC. My son was
able to log on under his name, go to User Accounts, change my account log on
password and log back in under my name with full access to "My Documents"
Folder. Why?


Because you've granted him administrative privileges. That's the same
as giving him a blank check and dropping him off at the mall.

how can I stop this.


1) Teach your son some manners and proper respect for your property and
privacy.

2) Make your son's account a Limited User. Monitor his computer usage
closely.

3) Don't forget to put a strong password on the built-in Administrator
account.


HOW TO Create and Configure User Accounts in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;279783

HOW TO Set, View, Change, or Remove File and Folder Permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;q308418

HOW TO Use the Internet Explorer 6 Content Advisor to Control Access
to Web Sites in Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;en-us;310401

Protect Your PC
http://www.microsoft.com/security/protect/default.asp

For some requirements, you may find it easier to invest in a
3rd-party solution, such as NetNanny or CyberPatrol.

You need to be aware, however, that *NO* technical or software
solution is 100% child/fool-proof, and _none_ can ever adequately take
the place of live adult supervision. If you cannot trust your son to
safely/properly use the computer without supervision, you may have to
consider limiting his access to it.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Rock

Z said:
Unless I misread the orig. post, the son can only login to the parent's
acct by changing the password on the parent's acct. Forcing a new pw
from another acct should leave EFS secure. Right?

No I don't think so. Any administrator can change the password on any
account. Once logged into the account, EFS is transparent.
 
Z

Rock said:
No I don't think so. Any administrator can change the password on any
account. Once logged into the account, EFS is transparent.

http://support.microsoft.com/default.aspx?scid=kb;en-us;290260

EFS, Credentials, and Private Keys from Certificates Are Unavailable
After a Password Is Reset
....
CAUSE
This issue can occur if the password was forcefully reset by an
administrator or owner, instead of being changed by the user.

RESOLUTION
NOTE: For any of the following resolutions to work, the user's original
account must still exist, and the user's profile must be present and
unchanged since the user last had access to the data.

To recover all of the data, you must have one of the following:

o The original password. This is the password with which the user last
logged on successfully and was able to access their credentials and files.

o Password Recovery Disk (PRD). This password recovery disk must have
been created while the user had access to the files.
 
Rock

Z said:
http://support.microsoft.com/default.aspx?scid=kb;en-us;290260

EFS, Credentials, and Private Keys from Certificates Are Unavailable
After a Password Is Reset
...
CAUSE
This issue can occur if the password was forcefully reset by an
administrator or owner, instead of being changed by the user.

RESOLUTION
NOTE: For any of the following resolutions to work, the user's original
account must still exist, and the user's profile must be present and
unchanged since the user last had access to the data.

To recover all of the data, you must have one of the following:

o The original password. This is the password with which the user last
logged on successfully and was able to access their credentials and files.

o Password Recovery Disk (PRD). This password recovery disk must have
been created while the user had access to the files.

Ok thanks for the follow up.
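
The difference between a user-initiated password change and a forced reset, as described in the KB 290260 excerpt quoted above, shown in a simplified model. This is an added example and not part of the original thread; it is not Windows' actual key-protection code, and `kdf`, `wrap`, `unwrap`, `Account` and the sample passwords are hypothetical names and constructed values.

```python
import hashlib, hmac, os

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)  # constructed count

def wrap(kek, secret):
    # Toy wrap for illustration only: XOR with an HMAC-derived pad, then append a MAC.
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        raise PermissionError("password does not unlock the file-encryption key")
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class Account:  # the file-encryption key is stored only wrapped under the password
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.logon = kdf(password, b"logon" + self.salt)
        self.wrapped = wrap(kdf(password, self.salt), os.urandom(32))

    def login(self, password):
        return hmac.compare_digest(self.logon, kdf(password, b"logon" + self.salt))
    def file_key(self, password):
        return unwrap(kdf(password, self.salt), self.wrapped)

    def change_password(self, old, new):
        # User-initiated change: the old password unwraps the key, the new one re-wraps it.
        self.wrapped = wrap(kdf(new, self.salt), self.file_key(old))
        self.logon = kdf(new, b"logon" + self.salt)

    def admin_reset(self, new):
        # Forced reset: old password unknown, so only the logon verifier is replaced.
        self.logon = kdf(new, b"logon" + self.salt)

def demo():
    acct = Account("parent-old")  # constructed sample passwords
    key = acct.file_key("parent-old")
    acct.change_password("parent-old", "parent-new")
    changed_ok = acct.file_key("parent-new") == key
    acct.admin_reset("set-by-son")
    try:
        acct.file_key("set-by-son"); reset_ok = True
    except PermissionError:
        reset_ok = False
    return changed_ok, acct.login("set-by-son"), reset_ok, acct.file_key("parent-new") == key
```

`demo()` returns, in order: key readable after a normal change, logon works after the forced reset, key readable with the reset password, key readable with the last password the user set themselves.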
 
