Renaming 500 Admin

drunkardswalk

Pretty much every security authority out there, including MS itself, says to
rename the 500 Admin account to something else (and you can do it via several
methods; I did it both by applying it in a template, and by setting it the
same way in group policy).

I've corrupted that account beyond repair, though. I had occasion to reboot
the machine once with group policy disabled, and even though the name was
hard-changed in the registry, Windows chose to ignore that and use the name
"Administrator." Of course, the first account I logged into on reboot was the
original, changed-name account. This had the unfortunate effect of making
Windows think that it was a new account, and it created a new directory for it
under that name, ignoring the Administrator account. Resetting group policy
and logging back in did *not* fix the problem.

I've no idea if this is a known issue, but in light of what can happen, I'd
recommend that no one do this in future, especially since it's a trick that
won't slow an experienced hacker down for more than five minutes.

However, if anyone has any idea of how to restore that account, I'm all ears.
BTW, going to an old restore point doesn't do it; just makes things worse.

Reid
 
Hi Reid,
Pretty much every security authority out there, including MS itself, says to
rename the 500 Admin account to something else (and you can do it via several
methods; I did it both by applying it in a template, and by setting it the
same way in group policy).

Agreed, not a bad idea and I have not had any problems doing it so far.
I've corrupted that account beyond repair, though. I had occasion to reboot
the machine once with group policy disabled, and even though the name was
hard-changed in the registry, Windows chose to ignore that and use the name
"Administrator." Of course, the first account I logged into on reboot was the
original, changed-name account. This had the unfortunate effect of making
Windows think that it was a new account, and it created a new directory for it
under that name, ignoring the Administrator account. Resetting group policy
and logging back in did *not* fix the problem.

From my experience [And I have always only used Group Policy to rename the
account], Windows will associate the new login name with the SID of
Administrator. The name of the profiles folder remains unchanged =
Administrator, but for login the new name has to be used.
I've no idea if this is a known issue, but in light of what can happen, I'd
recommend that no one do this in future, especially since it's a trick that
won't slow an experienced hacker down for more than five minutes.

Almost nothing will keep an experienced hacker out IMO with enough time and
physical access. I see it more like an additional layer of security for
"normal" attempts to breach security.
However, if anyone has any idea of how to restore that account, I'm all ears.
BTW, going to an old restore point doesn't do it; just makes things worse.

I would try the following: Log on as another, new admin user. Have a look in
your registry, where the profile folder for the 500 admin is stored, and while
you are there look at what other profiles are stored and to which profile
folder path they point. The corresponding registry key is
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList]. Export = save this key.

Now rename Administrator to "Administrator" via Group Policy (do not just
disable the setting), reboot, again log on as another admin. Delete user
accounts you don't want to use anymore, reboot. Log on as another admin.
Delete the SIDs in the above-mentioned key for users that no longer
exist and delete the corresponding profile folders. Think twice before
you delete anything ;-) and make sure each profile you want to keep has a
profile folder and the correct registry entry.

Reboot and log on as Administrator.

If you're not comfortable editing the registry, maybe better to ignore my post
and wait to see if others know of a better way.
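An added example, written for this edit and not from any poster in the thread: a read-only PowerShell audit of the ProfileList key HiMan points to, cross-checked against the local account database. It finds the built-in Administrator by its RID-500 SID whatever it is currently named (the account Reid renamed), shows which profile folder each SID points to, and flags entries whose SID no longer resolves to an account or whose folder is gone, which are the ones HiMan says to remove by hand after thinking twice. It exports the key first. It targets current Windows (Get-LocalUser needs Windows PowerShell 5.1 or later, so it will not run on the XP-era machines in the thread, though the key and its layout are the same); the backup path under $env:TEMP is an assumption.

```powershell
# Added example, not part of the thread. Read-only audit of the ProfileList key
# against the local account database; nothing is deleted. Assumes Windows
# PowerShell 5.1+ (for Get-LocalUser) running elevated. $BackupPath is an
# assumed location for the export HiMan recommends taking first.

$ProfileListPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$BackupPath      = Join-Path $env:TEMP 'ProfileList-backup.reg'   # assumed location

# 1. Save the key before anything else (same output as regedit's Export).
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' $BackupPath /y | Out-Null
"ProfileList exported to $BackupPath"

# 2. The built-in Administrator is RID 500 of the machine SID; renaming it
#    changes the name, never the SID, so look it up by the SID suffix.
$rid500 = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
"Built-in Administrator (RID 500) is currently named '$($rid500.Name)', SID $($rid500.SID.Value)"

# Resolve a SID to DOMAIN\name; $null means no account currently owns that SID
# (deleted local account, or a domain account the machine cannot look up right now).
function Resolve-SidName([string] $Sid) {
    try   { ([System.Security.Principal.SecurityIdentifier] $Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $null }
}

# 3. Walk ProfileList: one subkey per SID, ProfileImagePath is the profile folder.
Get-ChildItem -Path $ProfileListPath | ForEach-Object {
    $sid     = $_.PSChildName
    $folder  = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath   # REG_EXPAND_SZ, already expanded
    $account = Resolve-SidName $sid

    $status =
        if ($sid -notlike 'S-1-5-21-*')                                  { 'system/service profile' }
        elseif (-not $account)                                            { 'ORPHAN: SID resolves to no account' }
        elseif (-not $folder -or -not (Test-Path -LiteralPath $folder))   { 'ORPHAN: profile folder missing' }
        elseif ($sid -eq $rid500.SID.Value)                               { 'built-in Administrator (RID 500)' }
        else                                                              { 'ok' }

    [pscustomobject]@{
        SID              = $sid
        Account          = $account
        ProfileImagePath = $folder
        Status           = $status
    }
} | Format-Table -AutoSize
```

The row marked "built-in Administrator (RID 500)" is the one to compare against what Reid describes: if its ProfileImagePath still points at the old Administrator folder while a second, newer folder carries the renamed account's name, the mismatch is visible here before any key or folder is touched. Rows marked ORPHAN are candidates for the manual cleanup in the post above; the script only reports them.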
 
Booting to another OS [like a boot floppy or slaving the hard drive to
another version of Windows] and renaming SAM and I would think also SAM.LOG
should also reset all your local accounts to like new, e.g. just
Administrator with no password and Guest disabled, all other local accounts
deleted. At least this was possible under Windows 2000. You would want to
decrypt and/or back up any EFS-encrypted files before you do this, and any
permissions you set up for any new local users would be lost and need to be
set up again.


HiMan said:
Hi Reid,
Pretty much every security authority out there, including MS itself, says to
rename the 500 Admin account to something else (and you can do it via several
methods; I did it both by applying it in a template, and by setting it the
same way in group policy).

Agreed, not a bad idea and I have not had any problems doing it so far.
I've corrupted that account beyond repair, though. I had occasion to reboot
the machine once with group policy disabled, and even though the name was
hard-changed in the registry, Windows chose to ignore that and use the name
"Administrator." Of course, the first account I logged into on reboot was the
original, changed-name account. This had the unfortunate effect of making
Windows think that it was a new account, and it created a new directory for it
under that name, ignoring the Administrator account. Resetting group policy
and logging back in did *not* fix the problem.

From my experience [And I have always only used Group Policy to rename the
account], Windows will associate the new login name with the SID of
Administrator. The name of the profiles folder remains unchanged =
Administrator, but for login the new name has to be used.
I've no idea if this is a known issue, but in light of what can happen, I'd
recommend that no one do this in future, especially since it's a trick that
won't slow an experienced hacker down for more than five minutes.

Almost nothing will keep an experienced hacker out IMO with enough time and
physical access. I see it more like an additional layer of security for
"normal" attempts to breach security.
However, if anyone has any idea of how to restore that account, I'm all ears.
BTW, going to an old restore point doesn't do it; just makes things worse.

I would try the following: Log on as another, new admin user. Have a look in
your registry, where the profile folder for the 500 admin is stored, and while
you are there look at what other profiles are stored and to which profile
folder path they point. The corresponding registry key is
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList]. Export = save this key.

Now rename Administrator to "Administrator" via Group Policy (do not just
disable the setting), reboot, again log on as another admin. Delete user
accounts you don't want to use anymore, reboot. Log on as another admin.
Delete the SIDs in the above-mentioned key for users that no longer
exist and delete the corresponding profile folders. Think twice before
you delete anything ;-) and make sure each profile you want to keep has a
profile folder and the correct registry entry.

Reboot and log on as Administrator.

If you're not comfortable editing the registry, maybe better to ignore my post
and wait to see if others know of a better way.
 
Karl Levinson [x y] mvp said:
Booting to another OS [like a boot floppy or slaving the hard drive to
another version of Windows] and renaming SAM and I would think also
SAM.LOG should also reset all your local accounts to like new, e.g. just
Administrator with no password and Guest disabled, all other local
accounts deleted. At least this was possible under Windows 2000.

Hi Karl,

"forever curious" I tried this out with XP Pro. Deleted SAM and SAM.LOG. No
other changes/preparations. It turned out that I could not boot anymore. I
ended up with a loop, seeing the login screen and at the same time an MSG
about an lsass.exe error [ Security Account Manager initialization failed
because of the following error: a device attached to the system is not
functioning ... Hit ok to reboot to Safe Mode]. No Safe Mode possible, loop.
I could not log onto Recovery console, not with the old administrator
password, nor with a blank password.

Next I ran a repair setup from the XP CD. This gave me back access and, voila,
it created a new default Administrator account and a new account with admin
rights for the user name entered during setup. Both accounts were created
without a password and I had to change the password later to password-protect
login. The guest account was recreated as well (not disabled). The old user
profiles were still present in the registry and the "old" profile folders
still existed. They showed up as unknown accounts in My Computer, right
click, Properties, Advanced, User Profiles, Settings. So basically I had the
chance to save all files from those folders, or backup the profile folders.
The "old" users (with the corresponding profile folders) could be deleted by
removing them from this location.

Group policy was still applied, all installed programs were present. SP1
seemed to be lost though [Normal for a repair install, I guess].

All in all, it looks like an interesting disaster recovery method. I would
not recommend it for a "normal" user though.
 
Yeah, that would be the effect, save for one thing: I run the machines with
Syskey setting 3, and I believe it disables that trick. I knew of this
technique, which is why I did set Syskey that way. But thanks for the advice.

Reid

Booting to another OS [like a boot floppy or slaving the hard drive to
another version of Windows] and renaming SAM and I would think also SAM.LOG
should also reset all your local accounts to like new, e.g. just
Administrator with no password and Guest disabled, all other local accounts
deleted. At least this was possible under Windows 2000. You would want to
decrypt and/or back up any EFS-encrypted files before you do this, and any
permissions you set up for any new local users would be lost and need to be
set up again.


HiMan said:
Hi Reid,
Pretty much every security authority out there, including MS itself, says to
rename the 500 Admin account to something else (and you can do it via several
methods; I did it both by applying it in a template, and by setting it the
same way in group policy).

Agreed, not a bad idea and I have not had any problems doing it so far.
I've corrupted that account beyond repair, though. I had occasion to reboot
the machine once with group policy disabled, and even though the name was
hard-changed in the registry, Windows chose to ignore that and use the name
"Administrator." Of course, the first account I logged into on reboot was the
original, changed-name account. This had the unfortunate effect of making
Windows think that it was a new account, and it created a new directory for it
under that name, ignoring the Administrator account. Resetting group policy
and logging back in did *not* fix the problem.

From my experience [And I have always only used Group Policy to rename the
account], Windows will associate the new login name with the SID of
Administrator. The name of the profiles folder remains unchanged =
Administrator, but for login the new name has to be used.
I've no idea if this is a known issue, but in light of what can happen, I'd
recommend that no one do this in future, especially since it's a trick that
won't slow an experienced hacker down for more than five minutes.

Almost nothing will keep an experienced hacker out IMO with enough time and
physical access. I see it more like an additional layer of security for
"normal" attempts to breach security.
However, if anyone has any idea of how to restore that account, I'm all ears.
BTW, going to an old restore point doesn't do it; just makes things worse.

I would try the following: Log on as another, new admin user. Have a look in
your registry, where the profile folder for the 500 admin is stored, and while
you are there look at what other profiles are stored and to which profile
folder path they point. The corresponding registry key is
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList]. Export = save this key.

Now rename Administrator to "Administrator" via Group Policy (do not just
disable the setting), reboot, again log on as another admin. Delete user
accounts you don't want to use anymore, reboot. Log on as another admin.
Delete the SIDs in the above-mentioned key for users that no longer
exist and delete the corresponding profile folders. Think twice before
you delete anything ;-) and make sure each profile you want to keep has a
profile folder and the correct registry entry.

Reboot and log on as Administrator.

If you're not comfortable editing the registry, maybe better to ignore my post
and wait to see if others know of a better way.
 
In a disaster situation, I'd do that. However, I do have access to all files,
so it would be easier to just make sure it was all current on backup, scrub,
and go from scratch. I could build a better setup now, anyway. For me, the
real problem isn't losing files, as I can still get at all of them, but losing
the configurations on the accounts, which are very highly customized. I
really, truly wish MS had provided some means of backing up all the little
look-and-feel customizations, as well as installed software settings. Yeah, I
know there are tools that are supposed to do that, but they're not 100% even
on undamaged accounts.

I do have a rather lengthy file containing instructions I've gleaned the hard
way on how to back up lots of individual apps and system settings, but it's
still a beast to do so. Besides, unless you're willing to do vast amounts of
hand-editing of saved reg files, lots of stuff you'd rather not have present
will come back to haunt you. Will, anyway, since the stuff that ends up in
the "Application Settings" directories contains some non-editable info, and
you'll have to drag those files along, too.

This is the sort of thing that makes you wish MS had found another way to
standardize system, app, and user settings than a registry. Mention
registries in any programmers' group and watch the flames begin <g>. Which I
once did (Boost or maybe the ACCU, can't recall) and boy, did I get an earful.
Ah, well. Lately, I've been involved in product design decisions regarding
*where* to stash app info, and particularly *secret* app info; the sort of
thing you generally use secrets stores for (and those are problematic
themselves). Believe me, it's not a trivial problem to figure out, because of
how the OS works. And for various reasons, the approved MS solutions won't
really work in this case. Further, deponent sayeth not.

Reid

Karl Levinson [x y] mvp said:
Booting to another OS [like a boot floppy or slaving the hard drive to
another version of Windows] and renaming SAM and I would think also
SAM.LOG should also reset all your local accounts to like new, e.g. just
Administrator with no password and Guest disabled, all other local
accounts deleted. At least this was possible under Windows 2000.

Hi Karl,

"forever curious" I tried this out with XP Pro. Deleted SAM and SAM.LOG. No
other changes/preparations. It turned out that I could not boot anymore. I
ended up with a loop, seeing the login screen and at the same time an MSG
about an lsass.exe error [ Security Account Manager initialization failed
because of the following error: a device attached to the system is not
functioning ... Hit ok to reboot to Safe Mode]. No Safe Mode possible, loop.
I could not log onto Recovery console, not with the old administrator
password, nor with a blank password.

Next I ran a repair setup from the XP CD. This gave me back access and, voila,
it created a new default Administrator account and a new account with admin
rights for the user name entered during setup. Both accounts were created
without a password and I had to change the password later to password-protect
login. The guest account was recreated as well (not disabled). The old user
profiles were still present in the registry and the "old" profile folders
still existed. They showed up as unknown accounts in My Computer, right
click, Properties, Advanced, User Profiles, Settings. So basically I had the
chance to save all files from those folders, or backup the profile folders.
The "old" users (with the corresponding profile folders) could be deleted by
removing them from this location.

Group policy was still applied, all installed programs were present. SP1
seemed to be lost though [Normal for a repair install, I guess].

All in all, it looks like an interesting disaster recovery method. I would
not recommend it for a "normal" user though.
 
