Prevent administrator access in safe mode

[Freaky]

Hey there,

I started a topic earlier that administrator was able to logon in safe
mode (whilst the account is disabled...). Appearantly this is normal,
although I don't understand why... We don't disable the account for
nothing... if we wanted to use it we'd password protect it.

Anyways, with the setup that was here previously it was _NOT_ possible
to logon as administrator locally in safe mode. Now I still have the RIS
image, and installed it on a workstation. However, now it is possible to
logon.

This probably means the setting came from a group policy, as we've
changed a lot in these and removed a lot of them too. Anyone know what
setting it might have been? Can't be much else as the old images now do
allow administrator in safe mode. There are 3 people here that are
absolutely sure it wasn't possible before with those images... Don't
remember the error message tho' that would have helped :/.

Setting a password with the RIS isn't really an option. It would be
readable in the .sif file, or we would have to enter one each time. Both
aren't really options for us.

So if anyone has any suggestions on preventing the (disabled..)
administrator account from accessing safe mode, that would be great. The
problem is that people just logon to the machine as local administrator
using safe mode w/ networking and add themselves to the local
administrators group. This is very undesirable.

TIA

 

[Lanwench [MVP - Exchange]]

In

Hey there,

I started a topic earlier that administrator was able to logon in safe
mode (whilst the account is disabled...). Appearantly this is normal,
although I don't understand why... We don't disable the account for
nothing... if we wanted to use it we'd password protect it.

Anyways, with the setup that was here previously it was _NOT_ possible
to logon as administrator locally in safe mode. Now I still have the
RIS image, and installed it on a workstation. However, now it is
possible to logon.

This probably means the setting came from a group policy, as we've
changed a lot in these and removed a lot of them too. Anyone know what
setting it might have been? Can't be much else as the old images now
do allow administrator in safe mode. There are 3 people here that are
absolutely sure it wasn't possible before with those images... Don't
remember the error message tho' that would have helped :/.

Setting a password with the RIS isn't really an option. It would be
readable in the .sif file, or we would have to enter one each time.
Both aren't really options for us.

So if anyone has any suggestions on preventing the (disabled..)
administrator account from accessing safe mode, that would be great.
The problem is that people just logon to the machine as local
administrator using safe mode w/ networking and add themselves to the
local administrators group. This is very undesirable.

TIA

I can't address the 'safe mode' issue....although you might post in
microsoft.public.windows.group_policy. What happens if you add a good
complex password via group policy (computer startup script) *and* disable
administrator?

Check out
http://www.microsoft.com/technet/sysinternals/utilities/pspasswd.mspx

Personally, I don't disable the local administrator accounts - I just set
very good passwords on them.