Registry hack to disable password change

T

Terry Caleb

I used to be able to do this on Windows2000, but do not find the registry
settings or the offsets for Windows2003. What I would like to do is be able
to set a password on an account, and to not allow anyone at all, including
other administrators, to be able to change the password or the account name.
I have searched through pages upon pages of articles, but have not found
anything. Is this still possible?
 
S

Shenan Stanley

Terry Caleb wrote:
> I used to be able to do this on Windows2000, but do not find the
> registry settings or the offsets for Windows2003. What I would like
> to do is be able to set a password on an account, and to not allow
> anyone at all, including other administrators, to be able to change
> the password or the account name. I have searched through pages
> upon pages of articles, but have not found anything. Is this still
> possible?

Still?

I am pretty sure you could not do that in Windows 2000 either. If someone
is an administrator, they can do whatever they want to anything on the
machine *except* mess with encrypted files (at least not get into them
without the backed-up certificate from the account that encrypted them,
etc.)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
T

Terry Caleb

I have written down a registry hack that I used to use to change a bit in
the registry that would not allow ANYONE to change the password (I think also
change the username also, but I never tried it.) of a user, regardless of
their credentials. That included Domain Admins and everything.

Terry

"Shenan Stanley" wrote:

> Terry Caleb wrote:
> > I used to be able to do this on Windows2000, but do not find the
> > registry settings or the offsets for Windows2003. What I would like
> > to do is be able to set a password on an account, and to not allow
> > anyone at all, including other administrators, to be able to change
> > the password or the account name. I have searched through pages
> > upon pages of articles, but have not found anything. Is this still
> > possible?
>
> Still?
>
> I am pretty sure you could not do that in Windows 2000 either. If someone
> is an administrator, they can do whatever they want to anything on the
> machine *except* mess with encrypted files (at least not get into them
> without the backed-up certificate from the account that encrypted them,
> etc.)
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
>
>
 
S

Shenan Stanley

Terry Caleb wrote:
> I used to be able to do this on Windows2000, but do not find the
> registry settings or the offsets for Windows2003. What I would
> like to do is be able to set a password on an account, and to not
> allow anyone at all, including other administrators, to be able
> to change the password or the account name. I have searched
> through pages upon pages of articles, but have not found
> anything. Is this still possible?

Shenan Stanley wrote:
> Still?
>
> I am pretty sure you could not do that in Windows 2000 either. If
> someone is an administrator, they can do whatever they want to
> anything on the machine *except* mess with encrypted files (at
> least not get into them without the backed-up certificate from the
> account that encrypted them, etc.)

Terry Caleb wrote:
> I have written down a registry hack that I used to use to change a
> bit in the registry that would not allow ANYONE to change the
> password (I think also change the username also, but I never tried
> it.) of a user, regardless of their credentials. That included
> Domain Admins and everything.

So don't be shy - post it.

I assure you, however - if you can do it as an administrator - anyone with
administrative rights on the same computer can get around it/undo it. If
they have administrative rights on the computer - other than encryption -
you cannot do much to control what they can/cannot do on the computer.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
L

Luuk

"Terry Caleb" <TerryCaleb@discussions.microsoft.com> schreef in bericht
news:E099D2EF-39A5-4DD5-AF7F-BAD624EB3765@microsoft.com...
> I have written down a registry hack that I used to use to change a bit in
> the registry that would not allow ANYONE to change the password (I think
> also
> change the username also, but I never tried it.) of a user, regardless of
> their credentials. That included Domain Admins and everything.
>
> Terry
>
> "Shenan Stanley" wrote:
>
>> Terry Caleb wrote:
>> > I used to be able to do this on Windows2000, but do not find the
>> > registry settings or the offsets for Windows2003. What I would like
>> > to do is be able to set a password on an account, and to not allow
>> > anyone at all, including other administrators, to be able to change
>> > the password or the account name. I have searched through pages
>> > upon pages of articles, but have not found anything. Is this still
>> > possible?
>>
>> Still?
>>
>> I am pretty sure you could not do that in Windows 2000 either. If
>> someone
>> is an administrator, they can do whatever they want to anything on the
>> machine *except* mess with encrypted files (at least not get into them
>> without the backed-up certificate from the account that encrypted them,
>> etc.)
>>
>> --
>> Shenan Stanley
>> MS-MVP
>> --
>> How To Ask Questions The Smart Way
>> http://www.catb.org/~esr/faqs/smart-questions.html
>>
>>
>>

so, you are having something that works on Windows 2000
But you do not want to share this info with us,
and yu want to know how this is done on Windows 2003 ??
......

suc6
:~)
 
T

Terry Caleb

I agree, anyone with admin rights could go in and make the change back to
default, if they knew the correct bit to change and the correct process. This
just stops the "Not so nerdy" admins......
I will post the hack in a little while, I need to check something.

Terry

"Shenan Stanley" wrote:

> Terry Caleb wrote:
> > I used to be able to do this on Windows2000, but do not find the
> > registry settings or the offsets for Windows2003. What I would
> > like to do is be able to set a password on an account, and to not
> > allow anyone at all, including other administrators, to be able
> > to change the password or the account name. I have searched
> > through pages upon pages of articles, but have not found
> > anything. Is this still possible?
>
> Shenan Stanley wrote:
> > Still?
> >
> > I am pretty sure you could not do that in Windows 2000 either. If
> > someone is an administrator, they can do whatever they want to
> > anything on the machine *except* mess with encrypted files (at
> > least not get into them without the backed-up certificate from the
> > account that encrypted them, etc.)
>
> Terry Caleb wrote:
> > I have written down a registry hack that I used to use to change a
> > bit in the registry that would not allow ANYONE to change the
> > password (I think also change the username also, but I never tried
> > it.) of a user, regardless of their credentials. That included
> > Domain Admins and everything.
>
> So don't be shy - post it.
>
> I assure you, however - if you can do it as an administrator - anyone with
> administrative rights on the same computer can get around it/undo it. If
> they have administrative rights on the computer - other than encryption -
> you cannot do much to control what they can/cannot do on the computer.
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
>
>
 
A

Anteaus

If you could do that, it would be very handy for backup-process credentials-
last year someone changed one or more passwords on a server without knowing
what they were doing, and knocked-out the backup completely. Worse, it
knocked-out the reporting process as well, so it was some time before anyone
realised the backups had stopped.

"Luuk" wrote:

>
> "Terry Caleb" <TerryCaleb@discussions.microsoft.com> schreef in bericht
> news:E099D2EF-39A5-4DD5-AF7F-BAD624EB3765@microsoft.com...
> > I have written down a registry hack that I used to use to change a bit in
> > the registry that would not allow ANYONE to change the password (I think
> > also
> > change the username also, but I never tried it.) of a user, regardless of
> > their credentials. That included Domain Admins and everything.
 
L

Luuk

"Anteaus" <Anteaus@discussions.microsoft.com> schreef in bericht
news:F661C97B-C8B9-44FF-92E4-65AAE55EF4C0@microsoft.com...
> If you could do that, it would be very handy for backup-process
> credentials-
> last year someone changed one or more passwords on a server without
> knowing
> what they were doing, and knocked-out the backup completely. Worse, it
> knocked-out the reporting process as well, so it was some time before
> anyone
> realised the backups had stopped.
>

so, you did not have a backup-process for the backup-process?

always do a daily 'manual' check! This will make sure you 'never'
forget.....

(yes i know its boring to do a manual check every day.... -)
 
T

Terry Caleb

It is not that I do not want to post it, but I wanted to go back through it
and make sure it worked, and if I could change anything else with it. I am
having a little problem with it, and I have tried it on a Windows 2000
server, and I cannot get it to work. Maybe it was that long ago that it was
an NT4 hack, it has been that long since I have had to do something like
this. I do not have my notes with me, but it went something like this:

Run an AT command AT time /Inter "Regedt32.exe"
Then drill down through the HKEY_LOCAL_USER key, under security, and there
is a bit to be changed. I do not have it right here, but will post it later.

Terry

"Luuk" wrote:

>
> "Terry Caleb" <TerryCaleb@discussions.microsoft.com> schreef in bericht
> news:E099D2EF-39A5-4DD5-AF7F-BAD624EB3765@microsoft.com...
> > I have written down a registry hack that I used to use to change a bit in
> > the registry that would not allow ANYONE to change the password (I think
> > also
> > change the username also, but I never tried it.) of a user, regardless of
> > their credentials. That included Domain Admins and everything.
> >
> > Terry
> >
> > "Shenan Stanley" wrote:
> >
> >> Terry Caleb wrote:
> >> > I used to be able to do this on Windows2000, but do not find the
> >> > registry settings or the offsets for Windows2003. What I would like
> >> > to do is be able to set a password on an account, and to not allow
> >> > anyone at all, including other administrators, to be able to change
> >> > the password or the account name. I have searched through pages
> >> > upon pages of articles, but have not found anything. Is this still
> >> > possible?
> >>
> >> Still?
> >>
> >> I am pretty sure you could not do that in Windows 2000 either. If
> >> someone
> >> is an administrator, they can do whatever they want to anything on the
> >> machine *except* mess with encrypted files (at least not get into them
> >> without the backed-up certificate from the account that encrypted them,
> >> etc.)
> >>
> >> --
> >> Shenan Stanley
> >> MS-MVP
> >> --
> >> How To Ask Questions The Smart Way
> >> http://www.catb.org/~esr/faqs/smart-questions.html
> >>
> >>
> >>
>
> so, you are having something that works on Windows 2000
> But you do not want to share this info with us,
> and yu want to know how this is done on Windows 2003 ??
> ......
>
> suc6
> :~)
>
>
>
 
You must log in or register to reply here.

Similar threads

P
How do I disable focus assist through registry? I am not able to see the full calendar because of this focus assist option. The calendar is now shown
Replies
0
Views
10
Prasath S1
P
A
Disable Lock Screen Password asking Option Windows 11
Replies
0
Views
52
anil kocaturk
A
E
RDP and password change SNAFU
Replies
0
Views
13
Eskimojnr
E
M
Hecker change my origin email and password , I was able to change the password, but I can't change the hacker's email.
Replies
0
Views
12
Michal Schloger
M
M
Hecker change my origin email and password , I was able to change the password, but I can't change the hacker's email.
Replies
0
Views
13
Michal Schloger
M
Back
Top Bottom