Windows 2003 Administrator not all powerful?

matt

Apr 2, 2004
Archived from groups: microsoft.public.win2000.active_directory (More info?)

FROM WINDOWS:

Windows 2003 Password Resetting:

Preventing data loss from password resets.

To keep protected information secure, ******after a user's password is
reset, some types of information are no longer accessible, including the
following: ******

E-mail that is encrypted with the user's public key
Internet passwords that are saved on the computer
Files that the user has encrypted
To avoid such data loss, do not reset a user's password. When a new
local user account is created, have the user create a password reset
disk. Then, if the user forgets the password, the password reset disk
can be used to reset the password without data loss.

******If a user forgets the password to a domain user account, the
password must be reset manually.******

For more information about how to create a password reset disk, see To
create a password reset disk.


*************COMMENTARY*************
What would possess Microsoft to make it so that A) you lose information
if the password is reset... and B) you can't do anything BUT reset a
password on a domain account? Seeing as the administrator is the only
one who can reset an account password, why is it necessary to do this?
Does anyone know?
Why does Microsoft also insist on making it so that the administrator
cannot end processes running on a system (Access Denied)?
Why is the Administrator not all ruling and reigning, as root is in Linux?

~ Matt
 

Matt,

You'll notice that none of the issues outlined below have anything to do
with the password reset directly. These all have to do with the user
account and its associated certificates in the PKI. The only time you would
see this happen would be in encrypted stores like in EFS or Exchange. You
can see that this would especially be an issue in a case where you were
using a smart card or other token.

This is the reason things like the password restore disk have been
incorporated in 2003: to allow for the appropriate management of these
things rather than having to invalidate the certificate by messing with the
account.

One other thing... The administrator is not the only person who can change
passwords. With delegations, any user can be given control over other OUs
and groups of accounts. This makes it more complicated than just minding
your administrator accounts.

As to Linux, you'll find many levels of administration between the admins
and su accounts. You'll also see the same issues on data loss in the event
that you are implementing encrypted stores against your PKI.

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
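Two pre-reset checks that follow from this reply, written as an added PowerShell example (not code from the thread or from any poster): which principals hold the delegated Reset Password right on an OU, and which files in a profile carry the EFS Encrypted attribute and would therefore become unreadable after a reset without the user's key or a recovery agent. It assumes the RSAT ActiveDirectory module is installed and that the OU distinguished name and profile path (both placeholders here) are readable by the caller.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Schema GUID of the User-Force-Change-Password ("Reset Password") extended right.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# Lists every Allow ACE on an OU that grants Reset Password, either explicitly,
# through "all extended rights" (ObjectType = Guid.Empty), or through GenericAll.
function Get-ResetPasswordDelegation {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path ('AD:\' + $OuDistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $hasGenericAll = ($ace.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll
        $hasExtended   = ($ace.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0
        $coversReset   = ($ace.ObjectType -eq $ResetPasswordGuid) -or ($ace.ObjectType -eq [Guid]::Empty)
        if ($hasGenericAll -or ($hasExtended -and $coversReset)) {
            $right = 'ResetPassword'
            if ($hasGenericAll) { $right = 'GenericAll' }
            [pscustomobject]@{
                OU        = $OuDistinguishedName
                Trustee   = $ace.IdentityReference.Value
                Right     = $right
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Lists files under a path whose EFS Encrypted attribute is set; these are the
# files the Windows text above says become inaccessible after a password reset.
function Get-EfsEncryptedFile {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
        Select-Object FullName, Length, LastWriteTime
}

# Placeholder OU and profile path; replace with real values before running.
Get-ResetPasswordDelegation -OuDistinguishedName 'OU=Staff,DC=example,DC=com' | Format-Table -AutoSize
Get-EfsEncryptedFile -Path 'C:\Users\jdoe' | Format-Table -AutoSize
```

Trustees returned by the first function can force a reset and trigger the data loss described, so they belong on the same review list as the Administrator accounts; a non-empty result from the second is the signal to confirm a data recovery agent exists before resetting.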

 

As others have mentioned, there is some specific reasoning behind the EFS stuff.
Think out all of the security implications before going back after the concept
that it is bad. You need to protect that data from people who somehow get
someone's password reset. The data can be recovered; it just takes knowledge.

On killing processes, a knowledgeable admin who understands how Windows works
will generally be able to kill any process they want. If you don't understand
securable objects in Windows and the methods to secure them, you will never
figure it out. Start learning about ACLs, what they control and what kinds of
objects have them.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


 

This procedure is required to prevent people from using password reset
software to access confidential information (encrypted files, for
example). This works only for local accounts.

The Admin account is ruling ... but it depends on what you are trying to
accomplish.


--
Andrei Ungureanu
www.eventid.net
Free Windows event logs reports
http://www.altairtech.ca/evlog/
