Windows local administrator?

Similar Messages

• Autologin on Windows Server 2008 R2 - local Administrator problem

  I needed an user to autologin on a Windows Server 2008 R2 server.
  Configured it following this guide: http://www.danj.co.uk/2011/06/enable-autologon-for-windows-2008-r2.html
  In addition I added the login information by using the Autologon tool from sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb963905.aspx
  Now the user I configured autologins successfully. The only downside is that now you can login with the local Administrator account by just hitting enter, as it now doesn't check the password and instead has a blank one. I think this comes from the User
  accounts screen where I unticked the checkbox and also the Administrator account is listed. When trying to remove the local Administrator it tells me that it will delete the account. I don't want that.
  How do I keep autologin of the user I configured but also have the local Administrator account check his password?

  Hello,
  please see
  http://www.expta.com/2008/04/how-to-enable-autologon-for-windows.html
  Best regards
  Meinolf Weber
  MVP, MCP, MCTS
  Microsoft MVP - Directory Services
  My Blog: http://blogs.msmvps.com/MWeber
  Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
  Twitter:  

• Windows 7: Trust Relationship Error - Local Administrator Account Locked.

  I have 2 Windows 7 Professional machines that recently locked me out citing the "Trust Relationship between this workstation and primary domain failed".
   I assumed all I would have to do is log in as local administrator and remove it from the domain and then re-add it.  When I tried to log on, it told me that I have the password was incorrect - which I knew it wasn't.  After a
  few tries I got a different message that said that the account was locked.  No idea how this could have happened.  Every other local account was locked as well.
  I checked the AD on our 2003 server and I didn't see anything out of the norm.  The computers were in the correct OU, and were not disabled in anyway.  I searched online for a solution, but they all required me to be able to log on to the local
  admin, which is disabled.  
  I tried to boot to Safe Mode with a Command Prompt and typed in: net user administrator /active:yes .
   It told me that the change had been made, but when I reboot it still shows the local account as disabled.
  Any suggestions would be greatly appreciated.  
  Edit: It is Windows 7 Professional x64 

  I have had this issue twice as well. However I have been always been able to log in with local admin rights. removing then rejoining to domain seems to never get things back to normal for me. Once it is reset and joined back to the domain all software just
  seems to be missing but still there at the same time. Like Antivirus shows its installed in c:\program files but its not running. If I go to domain users start menu everything is missing but go into c:\program files and its all there. So every time I have
  seen this error a reimage is what I do seems to work a lot better than dealing with the head aches. Sorry I was not any help but that is my two cents.

• How to reset windows 2008 R2 Local Administrator password

  Hi Team,
  I have forget windows 2008 R2 local admin password, the server is not in domain , is it any way to reset local administrator password.
  Regards,
  Triyambak
  Regards, Triyambak

  When your Windows Server 2008 R2 computer is still accessible, you can reset or change your administrator password with ease by the following steps.
  Step 1: Log in your Windows Server 2008 R2 computer through the administrator account.
  Step 2: Click on “Start” on the lower left corner of your screen, and hit “Control Panel”, and then doubt-click on "User Account".  
  Step 3: Choose “Make changes to your user account”, and then click on “Change your password”.
  Step 4: Now you will be asked to enter your current password, type in it.
  Step 5: Enter your new password and retype it to confirm your new password. You are optional to type in a word or phrase as the hint of the new password. It is highly recommended. 
  Another tip, Using a password recovery tool to recover WIndows server 2008 administrator password
  This is a universal WIndows password recovery method which can fix any Windows system password issue.
  1. Get Windows Password Rescuer and install it on another computer.
  2. Burn password reset disk into USB or CD/DVD device with Windows password recovery.
  3. Boot Windows server from password reset USB or CD disk
  4. Reset forgotten Windows server 2008 local or domain admin password without data loss.
  Detailed steps: http://www.wimware.com/how-to/reset-windows-server-2008-password.html
  I also have seen a way that users can use a Windows server 2008 install CD to reset the administrator password, you could search and have a try.  

• Windows server 2003 local administrator password

  hi,
  I have forgot local administrator password on windows 2003 server. There is no other user to login. Please suggest how to reset password of local administrator. or any other way.
  Thanks in advance.

  You can use the DART tool from the MDOP and use the
  locksmith to reset the password.
  or
  http://home.eunet.no/~pnordahl/ntpasswd/
  http://www.petri.co.il/forgot_administrator_password.htm

• Can access domain network resources while logged on as a local administrator on a workstation.

  Please help me in figuring this one out.
  I have a Server 2003 R2 domain with a bunch of workstations and some servers having the same local admin password.
  I know it is not good practice, but that's an issue of it's own.
  The issue is that when I log on as that local admin (WORKSTATION\Administrator) I can suddenly browse to ALL the hidden shares(c$, d$) of ALL the servers and workstations that have the same local admin password. If I change password or disable that account
  the symptom goes away.  I though if I do try accessing hidden shares it should still ask me for credentials, after all these are local credentials on DIFFERENT machines. I checked to make sure that the credentials are not cached and as far as I can tell
  they are not. This really freaks me out.
  This is kind of a big deal because even if I change local passwords on servers, I'm not sure we will be setting up different local Administrator password for each workstation.
  My question is: Is this the a normal/documented Windows behavior? If not why is this happening? Can someone please explain how is this possible?

  Yes, this is the default behavior for workgroup machines - this is so-called pass-through authentication of the NTLM protocol. You can lock down the usage of NTLM with policies.
  I have accidentally just tested pass-through authentication as I am working on a solution that involves a bunch of servers that are not in a domain. Without this sort of authentication you could not do authentication easily against another machine in such
  an environment.
  Admin power is limited though: Even if the user in question is admin on both machines and you try to remotely reset a password in an admin cmd session (e.g. using pspasswd) it will fail because of UAC per default - unless you tweaked UAC or related registry
  keys.
  I tried to find some official documentation: In
  this book (hope it works - link to page via Google books) on Windows security pass-through is explicitly mentioned as the method used in a workgroup environment, this
  MS support article explains NTLM passthrough authn in a domain environment.
  I have seen some articles that say that NTLM is locked down per default on newer OS - but I can confirm if works if e.g. connecting from a W2K8 R2 server to a Windows 7 machine (both workgroup machines, no domain policies applied).
  Elke

• Changing a local administrator username and password using GP preferences permanently

  Windows 2012 AD with W7 clients
  I've recently set a group policy preference to rename the built in local administrator account (which was already renamed from the default Administrator) and set a new password for it. This seems to have worked.
  However, if I remove the computer from the domain, the username reverts back to the previous one and the password seems to get corrupted and is neither the new one or the old one. As the local admin account is of most use when the computer is not connecting
  to the domain for whatever reason this means that it is unusable. Am I doing something wrong or is the implementation of the Group Policy flawed? Any suggestions for a better way?

  Hi Tim,
  >>However, if I remove the computer from the domain, the username reverts back to the previous one and the password seems to get corrupted and is neither the new one or the old one.
  How is it going? I agree with Idan that we can also try to use the setting
  Accounts: Rename administrator account to change the name of administrator to see if the issue persists.
  Regarding the deprecation of password changing function of GPP, this is mainly due to security concern that GPP stores password in Sysvol which is accessible to all domain users.
  If the issue persists or you need further help, please don't hesitate to let us know.
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards,
  Frank Shen

• Find out who has given local administrator rights to standard domain user?

  In my Organization i have faced problems with domain administrator, it seem that all of a sudden a standard domain user is having Local administrator rights. Can anyone please help me how to find out who has given local administrator rights to that standard
  domain user account? 

  Hi,
  Based on your requirement, you need to enable the auditing in your Active Directory to identify the user/ group changes and WHO made the change etc.
  Checkout the below steps to enable auditing for AD User Changes,
  1. Open GPMC console, click Start --> Administrative Tools --> Group Policy Management.
  2. Right click the Default Domain Controllers Policy, and then click Edit.
  3. Navigate to Audit Policy node, “Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Local Policies/ Audit Policy”.
  4. Now enable the Success auditing for - Audit Account Management and Audit Directory Service Access.
  5. Execute the command “GPUPDATE /FORCE” in the Domain Controller to force apply the GPO settings.
  For Windows Server 2008 R2 and later versions, additional configuration is required in  “Advanced Audit Policy Configuration” section in Default Domain Controller Policy.
  1. Go to the node DS Access (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/DS Access.) 
      Enable Success auditing for the following settings
       - Audit Directory Service Changes
  2. Go to the node Account Management (Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Management.) 
      Enable Success auditing for the following settings
      - Audit User Account Management
  After completing the audit settings, configure SACL in Active Directory Users and Computers console for enabling the geneartion of AD Change events in the eventlog as shown below,
  Checkout the below KB article on complete list on Event ID and Description for AD Changes,
  http://support.microsoft.com/kb/947226/en-us
  Regards,
  Gopi
  JiJi Technologies

• Local user provisioning requires local administrator privileges?

  Hello,
  Scenario: User-A needs to provision User-B as a local administrator on a Windows 2008R2 server.
  Is there a way for User-A to do this without User-A being a member of the local Administrators or Domain Admin group on the said server?
  Thanks

  Is it not possible to make user A part of the administrators group?
  If you are trying to work around the fact that user A does not have administrative rights over the box then  your first course of action is to give user A administrative rights. There are several ways to do this.
  Perhaps a more in depth explanation of why user B has to have administrative rights given to him by user A we may be able to come up with a solution or workaround.
  fr0stsp1re

• How to run cpl as local administrator

  Hi!
  We have a user that works on graphics and he needs to run "Adobe Gamma.cpl".
  But when he tries to run, it shows a message that only administrators can run it:
  "To be able to run Adobe Gamma you must log on with Administrator Privileges".
  I tried run as administrator, the message persists.
  I tried run as domain administrator, the message persists.
  I tried to run as local administrator, it worked!
  I tried put this user on local administrators group, it worked too!
  But I can't give him local administrator password and I must leave him as a simple user on workstation. 
  I was imagining how I can make this executable by simple users.
  Any Ideas?
  Thanks in advance.
  FM
  Fabio Martins MCDST/MCSA Brasil!!!

  There are products like BeyondTrust PowerBroker for Windows that can be configured to attach an administrator token to a process so that it runs in admin context without granting the end user admin privileges.  
  http://www.beyondtrust.com/Products/PowerBrokerforWindows/
  There's a licensing fee when installed and managed at an enterprise level, but it does not require a license to install locally, at least it didn't some time ago.  While it is technically possible to install that on dozens of workstations, it would
  be a bit of a pain to manage and I think it is stretching the interpretation of the license agreement.  The trial might expire now, I haven't used it in years.  The cost wasn't too high and might be worth investigating anyway.
  You could also package a simple script to launch the control panel and advertise it to run in system context with SCCM or some other application distribution tool.  While that may seem heavy handed, if you have the tools it is pretty straightforward
  and solves the problem.
  I hope this post has helped!

• I need help, How could I add Aliases to Local Administrator account via terminal commands???

  I need help, How could I add Aliases to Local Administrator account via terminal commands???
  I want to use commands to add alias for existing administrator account remotly by using ARD.
  Thanks.

  Hi,
  a Windows Domain Controller does not have any local user or groups. So you might add the user to the admin group at Domain level.
  B RGDS,
  Gregor
  Edited by: Gregor Gasper on Jan 9, 2009 1:44 PM

• Disable Windows 7 Administrator Accounts using Novell Script

  Hello, is there a command line I can place in my log in script that will disable the windows 7 administrator account. Or auto log into the administrator account so that I can update the Zimbra connector for 600 users who are using Outlook 2007 and Outlook 2010. The script worked to update the Zimbra connector on 50 of the machines on the network that the users are administrators
  Here are my scripts.
  Zimbra Script
  MAP DISPLAY OFF
  MAP ERRORS OFF
  #msiexec /quiet /i \\ARTEMIS\sys\zimbra32\ZimbraConnectorOLK_7.1.3.63 47_x86.msi
  MAP DISPLAY ON
  END
  User Container_Script
  WRITE "This is container login script"
  WRITE "Good %GREETING_TIME: %CN"
  WRITE "The Time is %HOUR24: %MINUTE"
  DOS SET MAPROOTOFF="1"
  ;MAP F:=ARTEMIS\SYS:
  MAP G:=ARTEMIS\COMMON:
  MAP H:=ARTEMIS\USERS:%CN
  MAP I:=ARTEMIS\APPS:
  IF MEMBER OF "adminReset" THEN
  #NET USE R: \\141.217.157.17\software\vmview5\client T3chsRc00l /user:lrctech
  END
  #G:\LoginScriptInstalls\Admin\changeAP.bat
  IF MEMBER OF "Faculty_OSA_DB" THEN
  #NET USE O: \\selene.nursing.wayne.edu\osa faculty /user:faculty
  @O:\ePOW\k1ePOW.bat
  ;#command /c copy O:\ePOW\k1ePOW.mdb C:\ePOW\k1ePOW.mdb
  ;#command /c copy O:\ePOW\k1ePOW-L.mdb C:\ePOW\k1ePOW-L.mdb
  END
  IF MEMBER OF "osa" THEN
  MAP ROOT J:= ARTEMIS\COMMON:\OSA_COMMON
  #NET USE O: \\selene.nursing.wayne.edu\osa nursing06 /user:osa
  @md C:\OSA2k8
  @O:\OSA2k8\OSA2k8.bat
  ;#command /c copy O:\OSA2k8\osa2k8-L.mdb C:\OSA2k8\osa2k8-L.mdb
  ;#command /c copy O:\OSA2k8\osa2k8.mdb C:\OSA2k8\osa2k8.mdb
  END
  IF MEMBER OF "CoN_Calendar" THEN
  #NET USE X: \\selene.nursing.wayne.edu\web_datashare faculty /user:faculty
  @\\artemis\common\CLASSLISTS\Room_Sch\Calendars.ba t
  END
  REM Novell SP5 Upgrade
  regread "HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion,ProductName"
  if "%99" = "Microsoft Windows XP" then
  write "Checking for latest version of Novell Client..."
  IF PLATFORM = "WNT" THEN
  @\\artemis\sys\NwCLIENT\WINNT\i386\acu.exe
  IF "@ERROR_LEVEL" = "1" THEN
  EXIT
  END
  END
  END
  REM TimeSync
  regread "HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Da teTime\Servers,0"
  if "%99" = "time.wayne.edu" then
  regread "HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Da teTime\Servers,"
  if "%99" = "0" then
  write "Time is synced with Wayne Time!"
  else
  @\\artemis\common\LoginScriptInstalls\TimeSync\Tim eSync.bat
  endif
  else
  @\\artemis\common\LoginScriptInstalls\TimeSync\Tim eSync.bat
  endif
  REM WSUS
  regread "HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion,ProductName"
  IF "%99" = "Microsoft Windows XP" then
  regread "HKLM,SOFTWARE\Policies\Microsoft\Windows\WindowsU pdate,WUServer"
  IF "%99" = "http://141.217.157.19:8530" then
  write "WSUS is up-to-date!"
  else
  @\\artemis\common\LoginScriptInstalls\WSUS\zoewsus XP.bat
  write "WSUS was just connected to the new and IMPROVED update server!"
  END
  END
  regread "HKLM,SOFTWARE\Policies\Microsoft\Windows\WindowsU pdate,WUServer"
  if "%99" = "http://141.217.157.19:8530" then
  write "WSUS is up-to-date!"
  else
  @\\artemis\common\LoginScriptInstalls\WSUS\zoewsus NEW.bat
  write "WSUS was just connected to the new and IMPROVED update server!"
  endif
  REM SAV temp
  @\\artemis\common\LoginScriptInstalls\Symantec\sav-parent.bat
  REM Novell Server - Artemis default; LDAP Athena
  @\\artemis\common\LoginScriptInstalls\NovellServer \artemis.bat
  REM SAV
  regread "HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Un install\{50E125D1-88E5-48CE-80AE-98EC9698E639},DisplayVersion"
  if "%99" = "10.1.6000.6" then
  regread "HKLM,SOFTWARE\Intel\LANDesk\VirusProtect6\Current Version,Parent"
  if "%99" = "SOPHIA" then
  write "Symantec Antivirus is connected to SOPHIA!"
  else
  @\\artemis\common\LoginScriptInstalls\Symantec\sav-parent.bat
  write "Symantec Antivirus was updated to connect to SOPHIA!"
  endif
  else
  regread "HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Un install\{2085C617-589C-40F8-BE40-EDBC9E2CA2EB},DisplayVersion"
  if "%99" = "10.1.7000.7" then
  regread "HKLM,SOFTWARE\Intel\LANDesk\VirusProtect6\Current Version,Parent"
  if "%99" = "SOPHIA" then
  write "Symantec Antivirus is connected to SOPHIA!"
  else
  @\\artemis\common\LoginScriptInstalls\Symantec\sav-parent.bat
  write "Symantec Antivirus was updated to connect to SOPHIA!"
  endif
  else
  regread "HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Un install\{AD8A1013-4E46-4E02-85C2-3168C3328432},DisplayVersion"
  if "%99" = "10.1.8000.8" then
  regread "HKLM,SOFTWARE\Intel\LANDesk\VirusProtect6\Current Version,Parent"
  if "%99" = "SOPHIA" then
  write "Symantec Antivirus is connected to SOPHIA!"
  else
  @\\artemis\common\LoginScriptInstalls\Symantec\sav-parent.bat
  write "Symantec Antivirus was updated to connect to SOPHIA!"
  endif
  else
  regread "HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Un install\{2EFCC193-D915-4CCB-9201-31773A27BC06},DisplayVersion"
  if "%99" = "11.0.5002.333" then
  write "Symantec EndPoint Antivirus is installed!"
  else
  write "YOUR ANTIVIRUS IS OUT OF DATE!!!"
  write "CONTACT 577-8604 TO HAVE THIS RESOLVED!"
  @\\artemis\common\LoginScriptInstalls\Symantec\sen dmail.bat
  endif
  END

  Ad1082,
  > MAP DISPLAY OFF
  > MAP ERRORS OFF
  > net user administrator /active:yes
  > #msiexec /quiet /i \\ARTEMIS\sys\zimbra32\ZimbraConnectorOLK_7.1.3.63
  > 47_x86.msi
  > MAP DISPLAY ON
  > END
  That should activate the administrator account, yes and then run ine
  installer.
  > Also can you elaborate more on your statement here? "so if you have
  > (another) service login you can try runas or psexec it" I'm confused as
  > to what you mean sorry my expertise is limited when it comes to
  > scripting.
  A command run from the login script, unlike something that is fired off
  by ZCM, has no special rights, ie the net use command above will fail,
  unless the user is a local administrator equivalent.
  One way to get around that is if you have a predefined, local, account
  for service and stuff, in that case you could create a batchfile that
  pushes down psexec
  (http://technet.microsoft.com/en-us/s.../bb897553.aspx)
  Then runs it to run the command, ie:
  #psexec -u user -p password net user administrator /active:yes
  I have done stuff like that in the past, but it is generally a royal pain
  to set up.
  Anders Gustafsson (NKP)
  The Aaland Islands (N60 E20)
  Have an idea for a product enhancement? Please visit:
  http://www.novell.com/rms

• Need to provide local administrator access without domain administrator rights

  Hi All,
  I need to provide local admin access to one account in windows environment without providing domain administrator rights.
  Windows 2008 DC. Desktops : windows 7
  So that we can use this account to install agents like SCCM\SCOM in all servers & desktops.
  Need suggestions.

  Hi,
  I agree with Senne, in addition, we can also use net command to perform local group management.
  More information for you:
  Add a member to a local group
  http://technet.microsoft.com/en-us/library/cc772524.aspx
  How to Make a Domain User the Local Administrator for all PCs
  http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-a-domain-user-the-local-administrator-for-all-pcs.aspx
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Local administrator doesn't seem to have all rights

  Hello everyone,
  We're offering hosted servers to our customers. We always deploy Windows Server 2008 R2 for them. Since last Monday, we began looking into offering Hosted 2012 R2. Everything works as expected except one thing. We use a script to create users, and in that
  script we run a command within the "Run As" command (to open regedit.exe). On Server 2008 R2 this goes without problems but on 2012 R2 I get the warning that the user that executes the run as command doesn't have enough privileges to do so. I've
  tried to create a new user, assign it to the local administrators group and then run the same command and that goes without problems. It looks like our local administrator doesn't have all the administrator rights. UAC is turned off and the server has been
  rebooted a couple of times. There's now domain active, everything is being done locally.
  Help would be appreciated since we're not sure what's going on.
  Kind regards and thanks in advance.

  I'm very sorry for my late reply, I have been sick for some weeks so I didn't had the time to continue on this.
  But I'm very pleased to say that it's fixed! I've changed our script to create users from:
  @ECHO OFF
  set username=%1
  set password=%2
  set fullname=%3
  ECHO [x] Creating user...
  net user %username% %password% /add /fullname:%fullname% /passwordchg:no /scriptpath:script.bat
  ECHO [x] Running reg. Please provide password...
  net localgroup Administrators %username% /add
  runas /user:%computername%\%username% "regedit /s \\%computername%\share\regedit\reg.reg"
  net localgroup Administrators %username% /delete
  to:
  @ECHO OFF
  set username=%1
  set password=%2
  set fullname=%3
  ECHO [x] Creating user...
  net user %username% %password% /add /fullname:%fullname% /passwordchg:no /scriptpath:script.bat
  ECHO [x] Running reg. Please provide password...
  runas /user:%computername%\%username% "regedit /s \\%computername%\share\regedit\reg.reg"
  and that did the trick! The net localgroup Administrators %username% /add
  is necessary in 2008 R2 but not in 2012 R2 and that caused the error
  I would like to thank everyone for their time!

• Are local Administrator rights required to install or run the following pieces of software

  Hello,
  I was wondering if you would be able to assist me. I am currently cataloging various bits of software in use within our company and need to know if they a) require local administrator rights to install on a computer and b) require local administration rights to run after being installed.
  The pieces of software in question are:
  Blackberry Desktop Manager Version 4.3.0.15
  Blackberry Enterprise Server Version 4.1.3.18
  Any assistance gratefully received, or if you could point me in the direction of who I should be asking that would be great.
  Many Thanks,
  Phil Booth
  Group M
  IT Desktop Support technician.
  Phillip Booth
  GroupM
  Technical Support Engineer
  IT
  [email protected]
  Office: 0207 158 5995
  DID: 5995
  124 Theobald's Road London WC1X 8RX United Kingdom
  www.groupm.com

  Superb detail, thank you.
  (1) Download the Windows Installer CleanUp utility installer file (msicuu2.exe) from the following Major Geeks page (use one of the links under the "DOWNLOAD LOCATIONS" thingy on the Major Geeks page):
  http://majorgeeks.com/download.php?det=4459
  (2) Doubleclick the msicuu2.exe file and follow the prompts to install the Windows Installer CleanUp utility. (If you're on a Windows Vista or Windows 7 system and you get a Code 800A0046 error message when doubleclicking the msicuu2.exe file, try instead right-clicking on the msicuu2.exe file and selecting "Run as administrator".)
  (3) In your Start menu click All Programs and then click Windows Install Clean Up. The Windows Installer CleanUp utility window appears, listing software that is currently installed on your computer.
  (4) In the list of programs that appears in CleanUp, select any iTunes entries and click "Remove", as per the following screenshot:
  (5) Quit out of CleanUp, restart the PC and try another iTunes install. Does it go through properly this time?