Guest mgr Posted November 9, 2008

I have a situation where I want to be the administrator for my son's laptop, and convert him to a standard (non-admin) account. He originally set up the laptop, giving himself admin privileges, but he is no longer allowed to use it in that condition.

I am now the passworded local admin account (same account used to install Vista), and AFAIK do not have the system Administrator (upper-case A) account activated. He has a "standard" account. However, he is clever, and will try to work around to get admin access. I've read the "recover password / activate Admin / etc." links in the forum, and I have a few questions:

1. Can my local admin account OR the system Admin account be accessed and altered by a standard user in Safe Mode?
2. Is it possible to block Method 3 (DVD boot for password reset) if the system is already properly set up for one admin's access?
3. I do not see the "user groups" folder in Comp Mgmt Control Panel to enable or disable the system Admin account. How can I check its status?

BTW, I'm using Vista Home Basic.

Thanks,
mgr

-- mgr

Guest barman58 Posted November 9, 2008

Hello Mgr and welcome to the Vista forums.

First thing you may want to check is Vista's built-in parental controls, 'Explore the features: Parental controls' (http://www.microsoft.com/windows/windows-v...l-controls.aspx), which should allow you to set limits for any standard account from your administrator account.

As for the booting of a password reset CD or DVD, which cannot be controlled from Vista as it boots before Vista does, the only way I can advise is this: go into the BIOS of the laptop and either remove the CD drive from the boot devices or set it to after the hard drive. That will stop anyone gaining access to the drive before Vista boots. You should then be able to password protect the changing of the BIOS with a password.

Not foolproof - I have professional software that can defeat this but it is not generally available.

If you need to boot from a CD/DVD yourself it is a fairly simple matter to log into the BIOS, change the setting and reboot.

Hope this helps ...

-- barman58
Regards, Nigel
the beginning of knowledge is the discovery of something we do not understand. - Frank Herbert

Guest FromTheRafters Posted November 9, 2008

"mgr" <guest@unknown-email.com> wrote in message news:4decb1bab7b24203b8b99d370510f94b@nntp-gateway.com...

> I have a situation where I want to be the administrator for my son's laptop, and convert him to a standard (non-admin) account. He originally set up the laptop, giving himself admin privileges, but he is no longer allowed to use it in that condition.
>
> I am now the passworded local admin account (same account used to install Vista),

Not really, that account was created afterward.

> and AFAIK do not have the system Administrator (upper-case A) account activated. He has a "standard" account. However, he is clever, and will try to work around to get admin access.

Activate and create a password for the real administrator, then deactivate it again. That way he won't be able to easily access that account.

> I've read the "recover password / activate Admin / etc." links in the forum, and I have a few questions:
>
> 1. Can my local admin account OR the system Admin account be accessed and altered by a standard user in Safe Mode?

It shouldn't be possible.

> 2. Is it possible to block Method 3 (DVD boot for password reset) if the system is already properly set up for one admin's access?

Disable or resequence the CD/DVD boot option in the CMOS and apply a password to the CMOS to make it more difficult to modify.

> 3. I do not see the "user groups" folder in Comp Mgmt Control Panel to enable or disable the system Admin account. How can I check its status?

Type "net user Administrator" at the command prompt.

Type "net help user|more" at the command prompt for usage of the net user command switches and options.

Guest mgr Posted November 12, 2008

All,

Appreciate the informative replies. Looks like I have a number of options to prevent workarounds. I'm _hoping_ I don't have to do any of these yet.

I'm still curious about that first established account, though. It's true the account didn't exist until we got the laptop (as Vista was already installed) but I've read that any changes to that first account (e.g. changing it from an admin to standard and creating a new admin) can create serious problems. Are people really referring to the system Admin account in these situations?

Thanks,
mgr

-- mgr

Guest FromTheRafters Posted November 12, 2008

"mgr" <guest@unknown-email.com> wrote in message news:8cebcfb932676e6ba49f413724d4f087@nntp-gateway.com...

> All,
>
> Appreciate the informative replies. Looks like I have a number of options to prevent workarounds. I'm _hoping_ I don't have to do any of these yet.
>
> I'm still curious about that first established account, though. It's true the account didn't exist until we got the laptop (as Vista was already installed) but I've read that any changes to that first account (e.g. changing it from an admin to standard and creating a new admin) can create serious problems. Are people really referring to the system Admin account in these situations?

When Vista sets up, it creates the "Administrator" account. After that it sets up the split token user/administrator account and disables the "Administrator" account and hides it from the user. The user/administrator is then prompted to create other standard user accounts as desired. If for any reason the last available account with administrator privileges is demoted or deleted - the OS should enable the "Administrator" account and make it available in safe mode.

Unfortunately, it is possible to give the ASP.NET account administrator privileges and then demote or delete all other accounts without the OS enabling "Administrator". To the OS there is still an administrator level account - the problem then is the access to that account.
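
An added example, not part of any post in this thread: a batch file that applies the "net user" check suggested earlier to every member of the local Administrators group, so an unexpected administrator-level account (such as the ASP.NET case described in the preceding post) or an active built-in "Administrator" shows up in one listing. It assumes English-language net.exe output and the usual six header lines printed by "net localgroup".

```bat
@echo off
rem Added example (not from the thread): audit who holds local admin rights.
rem Assumption: English-language net.exe output, where "net localgroup"
rem prints six header lines before the member list.
setlocal

echo Members of the local Administrators group:
for /f "skip=6 delims=" %%M in ('net localgroup Administrators') do (
    rem The last line of net.exe output is a status message, not a member.
    if /i not "%%M"=="The command completed successfully." (
        echo.
        echo [%%M]
        rem For local user accounts, show whether the account is enabled
        rem and whether a password is required for it.
        net user "%%M" 2>nul | findstr /b /c:"Account active" /c:"Password required" /c:"Password last set"
        if errorlevel 1 echo   no local user details available for this member
    )
)

echo.
echo Built-in Administrator account:
net user Administrator | findstr /b /c:"Account active" /c:"Password last set"

endlocal
```

Any member listed here other than the parent's own account, and any "Account active Yes" on the built-in Administrator, is worth reviewing.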

Guest barman58 Posted November 12, 2008

Hi mgr,

There is confusion as to when the FULL Administrator account is available in Vista. Of course it may be enabled using the NET USER command and will then appear in the log-in (by default with no password).

In XP when you entered Safe Mode you were automatically logged in as the FULL administrator; this is NOT the default for Vista. If however there are no administrator accounts set up in Vista then it is supposed to revert to the XP system (as a fall-back to prevent lockout). I say "supposed" as I have seen lockouts where re-install was the only remedy.

As for the first account created by the user in Vista, this is by default an administrator account but as far as I am aware this is not "special" in any way. This account may be removed (by another later created administrator or the FULL administrator account, but not if it's the only account on the machine), and I believe it may also be downgraded to a standard user even when it is the only administrator on the system, and this is why the reversion to XP behaviour was included for safe mode.

Hope this helps ...

-- barman58
Regards, Nigel
the beginning of knowledge is the discovery of something we do not understand. - Frank Herbert

Guest FromTheRafters Posted November 12, 2008

"barman58" <guest@unknown-email.com> wrote in message news:0a563722690fa961418c09b21397d6a5@nntp-gateway.com...

> As for the first account created by the user in vista this is by default an administrator account but as far as I am aware this is not "special" in any way.

It is "special" in that it uses a split token (as opposed to the full token in the real administrator account). The account runs as a standard user until an action is requested that requires admin privileges. It then will prompt the user to "consent" to using the rest of the split token. They call this Admin Approval Mode or AAM for short.

The same action requested in a regular standard user account will prompt the user to supply administrator credentials before allowing the action to take place.

Guest mgr Posted November 14, 2008

Nigel,

Thanks, that makes sense. Again, I appreciate the help.

mgr

-- mgr