Roberto Clemente
Guest
Posted: Fri Jan 21, 2005 4:10 am
Post subject: Why isn't Administrator password accepted for all accounts?

I've been looking for a way to let users choose their own passwords, yet let
me, as Administrator, logon to their accounts as them for troubleshooting.
And I began to wonder why the Administrator password doesn't work for all
accounts? After all, if someone knows the password, they've got access to
anything they want, one way or another, so where is the risk?
There's no provision for multiple passwords per account, is there? Where the
second password could be the same for all accounts and known only to the
Administrator?

Jeff Cochran
Guest
Posted: Fri Jan 21, 2005 4:45 am
Post subject: Re: Why isn't Administrator password accepted for all accoun

On Thu, 20 Jan 2005 14:10:04 -0800, "Roberto Clemente"
<rc@pirates.com> wrote:

Quote:
I've been looking for a way to let users choose their own passwords, yet let
me, as Administrator, logon to their accounts as them for troubleshooting.
And I began to wonder why the Administrator password doesn't work for all
accounts? After all, if someone knows the password, they've got access to
anything they want, one way or another, so where is the risk?
There's no provision for multiple passwords per account, is there? Where the
second password could be the same for all accounts and known only to the
Administrator?

Nope. What you do is change their password, log in as them, set the
password to a generic one and set User Must Change Password At Next
Logon.
Jeff

Colin Nash [MVP]
Guest
Posted: Fri Jan 21, 2005 6:47 am
Post subject: Re: Why isn't Administrator password accepted for all accoun

"Roberto Clemente" <rc@pirates.com> wrote in message
news:euFxFzz$EHA.4004@tk2msftngp13.phx.gbl...

Quote:
I've been looking for a way to let users choose their own passwords, yet
let me, as Administrator, logon to their accounts as them for
troubleshooting. And I began to wonder why the Administrator password
doesn't work for all accounts? After all, if someone knows the password,
they've got access to anything they want, one way or another, so where is
the risk?
There's no provision for multiple passwords per account, is there? Where
the second password could be the same for all accounts and known only to
the Administrator?

The risk is the fact that what you propose would leave no audit trail... or
at least a trail that is very difficult to follow. When an administrator
accesses a user's files or resets a password, it's possible to set security
auditing that will record these actions. If an alternate password was
allowed, it would be hard to hold anyone accountable for what they do.

I can think (very generally) of some ways that Microsoft could work around
it but it would need a bit of a redesign of their user security model.... I
don't see it happening but there are some benefits, I admit. For example,
the security logs could log the fact that "at 8:59:03 AM, the user BOB used
his admin powers to assume the identity of BETTY" and "BOB ceased
impersonating BETTY at 9:12:23 AM"

As an aside, Unix has the "su" command that lets the superuser (root) become
another user bypassing authentication.

As another aside, the built-in Administrator account is usually best left
unused because if you have multiple administrator people who know this
password, you can't track who actually did something. Create accounts with
memberships of the administrators group (and preferably, have another
regular account for day-to-day use.) I guess it doesn't matter if you are
the only admin. :)
--
Colin Nash
Microsoft MVP
Windows Shell/User
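
The audit trail discussed in the posts above (a password reset by an administrator followed by a logon as that user) can be reconstructed from Security log records. The following is an added example, not part of the thread: the event IDs 4724 (password reset attempt) and 4624 (successful logon) are those of current Windows versions, and the records, field names and 15-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the thread), shaped like exported
# Windows Security log events. 4724 = password reset attempt on an account,
# 4624 = successful logon. Field names are illustrative.
EVENTS = [
    {"time": "2005-01-21 08:58:40", "id": 4724, "subject": "BOB", "target": "BETTY"},
    {"time": "2005-01-21 08:59:03", "id": 4624, "target": "BETTY", "workstation": "HELPDESK-PC"},
    {"time": "2005-01-21 09:12:23", "id": 4724, "subject": "BOB", "target": "BETTY"},
    {"time": "2005-01-21 09:30:00", "id": 4724, "subject": "CAROL", "target": "CAROL"},
    {"time": "2005-01-21 10:00:00", "id": 4724, "subject": "BOB", "target": "DAVE"},
    {"time": "2005-01-21 13:45:00", "id": 4624, "target": "DAVE", "workstation": "DAVE-PC"},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_assumed_identities(events, window_minutes=15):
    """Pair each reset done by another account with the target's next
    logon inside the window. A match is a lead to review, not proof of
    who was at the keyboard."""
    window = timedelta(minutes=window_minutes)
    events = sorted(events, key=lambda e: parse(e["time"]))
    findings = []
    for i, ev in enumerate(events):
        # Only resets where the actor differs from the affected account.
        if ev["id"] != 4724 or ev["subject"].lower() == ev["target"].lower():
            continue
        reset_at = parse(ev["time"])
        for later in events[i + 1:]:
            if parse(later["time"]) - reset_at > window:
                break  # events are sorted, nothing later can match
            if later["id"] == 4624 and later["target"].lower() == ev["target"].lower():
                findings.append({
                    "admin": ev["subject"],
                    "account": ev["target"],
                    "reset": ev["time"],
                    "logon": later["time"],
                    "workstation": later.get("workstation"),
                })
                break
    return findings

if __name__ == "__main__":
    for f in find_assumed_identities(EVENTS):
        print(f"{f['admin']} reset {f['account']} at {f['reset']}; "
              f"{f['account']} logged on at {f['logon']} from {f['workstation']}")
```

With the sample data only the BOB/BETTY pair is reported; the second reset at 09:12:23 has no following logon and corresponds to setting the password back to a generic one.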

Roger Abell
Guest
Posted: Fri Jan 21, 2005 3:02 pm
Post subject: Re: Why isn't Administrator password accepted for all accoun

"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:41f13445.1151281375@msnews.microsoft.com...

Quote:
On Thu, 20 Jan 2005 14:10:04 -0800, "Roberto Clemente"
<rc@pirates.com> wrote:
I've been looking for a way to let users choose their own passwords, yet let
me, as Administrator, logon to their accounts as them for troubleshooting.
And I began to wonder why the Administrator password doesn't work for all
accounts? After all, if someone knows the password, they've got access to
anything they want, one way or another, so where is the risk?
There's no provision for multiple passwords per account, is there? Where the
second password could be the same for all accounts and known only to the
Administrator?
Nope. What you do is change their password, log in as them, set the
password to a generic one and set User Must Change Password At Next
Logon.
Jeff

But do be aware that doing as Jeff outlined may break the account's
ability to access its EFS encrypted files (if any).
--
Roger Abell

Roger Abell
Guest
Posted: Fri Jan 21, 2005 3:08 pm
Post subject: Re: Why isn't Administrator password accepted for all accoun

In order to meet certain criteria defined for secure behaviors
that an operating system must demonstrate, an account needs
to be able to have private storage. Doing as you suggest would
make meeting that requirement more difficult.

You said

Quote:
And I began to wonder why the Administrator password doesn't work for all
accounts? After all, if someone knows the password, they've got access to
anything they want, one way or another, so where is the risk?

but this is not so. An administrator does not automatically have
access to EFS encrypted data, or for that matter other private
data stored using the DPAPI. There are possibly other examples,
like the "identities" Office products have stored into the account's
profile (accessible using that application's binaries only after that
account logs in), etc.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Roberto Clemente" <rc@pirates.com> wrote in message
news:euFxFzz$EHA.4004@tk2msftngp13.phx.gbl...

Quote:
I've been looking for a way to let users choose their own passwords, yet let
me, as Administrator, logon to their accounts as them for troubleshooting.
And I began to wonder why the Administrator password doesn't work for all
accounts? After all, if someone knows the password, they've got access to
anything they want, one way or another, so where is the risk?
There's no provision for multiple passwords per account, is there? Where the
second password could be the same for all accounts and known only to the
Administrator?