Questions About The Administrator Account, User accounts & Encryption


6 replies to this topic

#1 MaryBet82

Posted 27 March 2010 - 02:17 PM

1 winxp pro, 1 winxp tab ed, & 1 2k computer
Any answers/thoughts on any of the below questions would be appreciated.

My understanding is that when you type in a password during windows installation & setup that is the pw for The Administrator account. Per my reading, that original pw is necessary to use recovery console [I think winxp inside/outside]. So if you change the pw per security recommendations you still need to use the original pw to access recovery console.

Q1. Other than access to the recovery console I haven't found anything that the administrator on a local computer [not connected to a domain] can do that any other administrator can't. Has anyone found something else?

Q2. My understanding of user accounts, including The Administrator account, is that when you first set up an account it is assigned its security identifier [SID]. If you delete the account you lose access to that account's files, but you can change both the pw and user name [the SID doesn't change]. Is that correct?

Q3. Does anyone know if a deleted account's files are still accessible if you have them in Shared Documents or if ntfs permissions or share permissions were set prior to deleting the account?

Q4. If you want to delete an account, can you move the files to another user's folder, should you copy so that the new user's folder's permissions are inherited or should an administrator take ownership prior to deleting the files and move the files to another folder [if they're in the soon-to-be-deleted user's My Documents folder]?

Q5. SIDs of The Administrator account are supposed to end in 500 and that is true on my win2k & winxp tablet. The SID under %userprofile%\app data\microsoft\protect in what I thought was The Administrator account on the winxp desktop doesn't end in 500. But the pw that I used to access the recovery pw is the one to that account. I did a search for the SID ending in 500 cking system & hidden files and nothing was found. Any ideas why?

Q6. Recs for using window's encryption protocol is to have a strong pw on the account in which you set up the encrypted folders because the key is partly based on the pw. I'm assuming you can later change the pw & the key, like the SID, remains unaffected, but I haven't read it anywhere. And I'm assuming you can later change the name/pw of the security agent account you set up to prevent locking yourself out of your encrypted files. Has anyone actually done this - set up encrypted folders and then changed pw's?

Per my recent experience doing a system restore, I think you also want to delete any restore points prior to when you set up these two accounts. I had to do a system restore and it deleted a user account and there's now a SID on ntfs permissions that doesn't resolve into a user name. Fortunately the user had no files - that was the account set up to be the recovery agent if I can ever figure out this encryption business.
mac 10.6 on macbook pro
WinXP sp2 on Dell 380 w/ 512 MB RAM- currently dead in the water
WinXP tab ed sp 3 on Thinkpad X41 w/ 1.5 GB RAM - lemony flavored
Win2K Sp4 on Sony VAIO GXR600 w/ 512 MB RAM - currently blue screening


#2 Baltboy

Posted 27 March 2010 - 09:38 PM

If you change the password on the Admin account the recovery console should use the new password also.

1. Certain files are not viewable without the Admin account, such as certain instances of temporary internet files; other than that, not much.

2. This is correct, with the exception that files linked to the account can still be accessed by taking ownership of them with another account that has Admin privileges.

3. See above.

4. If you can access them you can move them or copy them. Your choice. You will not need to take ownership unless access has been denied.

5. http://support.microsoft.com/kb/243330 is a list of the well known SID numbers

6. Encryption is not really based on the password but on a separate unique ID associated with the account when encryption is initially set up. You can and should back up this key, since if you need to restore from a backup you will need it. The reason to have a strong password is to prevent account access, because the encryption does squat if they can access your account. Once you set up encryption for a particular account, that key never changes. You could set up a specific account to be the recovery agent, but why bother? The local admin account is a recovery agent by default.
Get your facts first, then you can distort them as you please.
Mark Twain
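The two account-identity points in this reply, the well-known RID 500 for the built-in Administrator and files left behind by a deleted account, can be checked directly. The following is an added example, not code from the thread or from Microsoft: it lists local accounts with their SIDs and flags the one whose RID is 500 whatever it has been renamed to, then walks a folder tree and reports any owner or ACE whose SID no longer resolves to an account (which is exactly what a deleted or restore-point-rolled-back account leaves behind). It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the path C:\Users\Public\Documents is only an illustration.

```powershell
# Added example, not from the original thread. Assumes PowerShell 3.0+ run
# elevated. The sample path below is an illustration only.

function Get-LocalAccountSid {
    # Win32_UserAccount lists every local user together with its string SID.
    # The built-in Administrator keeps RID 500 no matter what it is renamed to.
    Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Name           = $_.Name
                Sid            = $_.SID
                Rid            = [int]($_.SID -split '-')[-1]
                IsBuiltinAdmin = ($_.SID -match '-500$')
                Disabled       = $_.Disabled
            }
        }
}

function Test-SidResolves {
    param([Parameter(Mandatory)][string]$Sid)
    # LookupAccountSid via .NET. A deleted account's SID cannot be mapped
    # back to a name, which is what makes it "orphaned" in an ACL.
    try {
        $null = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount])
        return $true
    } catch {
        return $false
    }
}

function Find-OrphanedSid {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$TakeOwnership
    )
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $item = $_
        $acl  = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }

        # Ask for the owner as a raw SID so a failed name lookup does not hide it.
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        if ($ownerSid -notlike 'S-1-15-*' -and -not (Test-SidResolves $ownerSid)) {
            [pscustomobject]@{ Path = $item.FullName; Kind = 'Owner'; Sid = $ownerSid; Rights = '' }
            if ($TakeOwnership) {
                # Built-in tool: hand the object to the Administrators group (/A).
                & takeown.exe /F $item.FullName /A | Out-Null
            }
        }

        # ACEs whose identity came back as a bare SID instead of DOMAIN\Name.
        # S-1-15-* (app container / capability SIDs) never resolve and are not
        # orphans, so they are skipped.
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($id -match '^S-1-\d+(-\d+)+$' -and $id -notlike 'S-1-15-*' -and
                -not (Test-SidResolves $id)) {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Kind   = 'ACE'
                    Sid    = $id
                    Rights = "$($ace.AccessControlType): $($ace.FileSystemRights)"
                }
            }
        }
      }
}

# Usage:
Get-LocalAccountSid | Format-Table Name, Sid, IsBuiltinAdmin, Disabled -AutoSize
Find-OrphanedSid -Path 'C:\Users\Public\Documents' | Format-Table -AutoSize
# Add -TakeOwnership to hand orphan-owned objects to Administrators first,
# then grant or move them as needed (see answer 4 above).
```

Run the first command on each machine in the thread and the RID 500 account is the one flagged IsBuiltinAdmin, regardless of the name it shows under. The orphan scan lists the unresolvable SIDs that System Restore left in the NTFS permissions; nothing is changed unless -TakeOwnership is given.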

#3 MaryBet82 (Topic Starter)

Posted 31 March 2010 - 07:21 PM

Thanks so much Baltboy. That was very helpful. I had the impression if I deleted an account the files would disappear unless I took ownership first, which wouldn't help if I deleted the account by accident rather than intent. Even if I was doing an intentional delete I wasn't sure I wouldn't unintentionally lock myself out of the files.

If I remember correctly, assigning a recovery agent is in case the SAM gets damaged/corrupted and the user/owner of the files gets locked out. It might be easier to make a backup of the SAM - or even just that user's branch if it exists/can be found. Only I haven't figured out how to make a limited backup of that part of the registry yet from the thinkpad. I think I could back up the SAM hive from the recovery console on the dell desktop, but I need the encryption on the thinkpad.

If I understood the directions, an administrator becomes the recovery agent by creating a data recovery certificate. He uses a pw in the process and I guess that's where I got confused. Although The Administrator usually acts as recovery agent, I created a second admin account since recs are to have more than one administrator account, and I tried to generate the certificate [unsuccessfully] from that account since I was there, so to speak.

http://support.microsoft.com/kb/243330 is where I read that 500 is The Administrator's account, so I don't know why, even if the account I thought was The Administrator of my desktop isn't, I couldn't find an SID ending in 500 whose string matches the other user strings doing a search w/ hidden & system checked. This is winxp prof, so I didn't think The Administrator was hidden.

#4 Baltboy

Posted 01 April 2010 - 07:08 AM

You can back up the encryption key as well to ensure files are not locked out. http://support.microsoft.com/kb/241201

Recovery agents are good if you are on a domain; otherwise they are a pain because you would have to establish one on every system. Besides, I would rather just log in as the built-in admin on the occasion I needed it.

I read around and I believe microsoft may have removed/hid the 500 designation for the Admin account because of the obvious security problems associated with anyone being able to figure out what the account is.

#5 MaryBet82 (Topic Starter)

Posted 02 April 2010 - 01:44 AM

Thanks Baltboy - for the link and the heads up that MS may be "losing" the well known 500.

Hiding the 500 makes sense but I've still got the 500 on the sp3 computer and am missing the 500 on the sp2 computer, which isn't as up to date w/ its security patches because I'm trying to get it backed up so I can reformat/reinstall and I'm afraid to sneeze around it. The sp3 should be up to date w/ all its security patches. So should the win2k sp4 which also has a 500 - actually those that have 500's have some extra 500 accounts I'm trying to account for. [sorry] Recently w/ windows I feel like I'm in the Twilight Zone a lot.

I thought whether it was The Administrator or another administrator account acting as a recovery agent the steps were the same as far as generating a certificate and exporting the key. Can the key generated by the encrypting user be used by The Administrator in The Administrator's account as opposed to another administrator having to generate a 2nd key to use in his/her account? Is that what I'm not getting?

So designating a recovery agent gives you 2 keys as well as two user pw's to access the encrypted files? But if you are confident you won't lose the encrypting user's exported PEK, you can skip setting up a designated recovery agent and use The Administrator account if the encrypting user loses his/her pw or sam gets corrupted? What I read may have been in error, but according to that source the PEK was based on the user's pw - that is the encrypting algorithm used the pw in its calculation. And the designated recovery agent uses a pw to generate the pcx file. So I thought the PEK's were somehow linked to the SIDs.

Encrypted folders can be shared - I can't remember where I have those notes. Maybe if I just add all my user accounts I won't have to worry about designated recovery agents. My intent is to enable me in any account to access any of my docs and keep everyone else out.

I also read that if you generate the 2nd key [or key set], anyone who gets their hands on that key can access the encrypted folders - so apparently the keys aren't linked to the pw. Also, the redundancy seems to add a big security risk.

I hoped doing the steps to backup up the key and set up the recovery agent and backup up that key would help me understand what I was reading, but I couldn't find the pcx file I generated when I went to import the "certificate". The instructions in the link you provided are different than the ones I had so I was going to try again - but now I think I'll see if I can just add my other accounts to the folder(s).

The article from the above link says

Note that a computer that is running Windows XP and that is a member of a workgroup does not have a default recovery agent. You have to manually create a local recovery agent.

That article links to another article which says

A default local recovery policy is automatically created when an administrator account logs on to the computer for the first time. When this process occurs, that administrator becomes the default recovery agent. In some situations, the first administrator to log on to Windows 2000 is not the local administrator account.

They seem to contradict each other. I thought maybe the 1st article meant a workgroup as compared to a domain, but domains aren't mentioned in that article. And the 2nd article seems to say that being in a domain w/out a set recovery agent policy can prevent The Administrator being the default EFS recovery agent - not being in a workgroup. I'm not sure, but I think the scenario described in the 2nd article where the local administrator doesn't become the "default encrypting file system recovery agent" is when the computer is running a server os in a domain where recovery agent policy hasn't been set. So it doesn't seem to be about winxp or a computer in a workgroup.

Maybe the 1st article meant designated rather than default.

#6 Baltboy

Posted 02 April 2010 - 12:00 PM

From what I know, as long as you have the built-in admin set up (meaning they have logged in and established their account) then they are a recovery agent. Best practices call for establishing a separate recovery agent and backing up the PEK. The PEK itself is linked through the user account only and is not dependent on the password. I'm not sure how it is linked, but I would assume it must be linked via the SID to be user dependent.
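Post #4 points at backing up the EFS key and this reply asks what that key is tied to. EFS encrypts each file's key to one or more certificates: the user's own EFS certificate and, if any is configured, a recovery agent's. The certificate and its private key live in the user's personal store, which is why the backup that matters is a PFX export of that certificate rather than anything derived from the logon password. The following is an added example, not code from the thread or from Microsoft: it inventories the current user's EFS certificates, exports one to a password-protected PFX, and reads `cipher /c` output for a given file to list the user and recovery-agent thumbprints that can decrypt it, so the exported certificate can be confirmed against a real encrypted file. It assumes Windows 8 / PowerShell 3.0 or later for Export-PfxCertificate; the paths C:\Backup\efs-key.pfx and %USERPROFILE%\Documents\secret.txt are illustrations only. The built-in equivalents are `cipher /x` for the export and `cipher /r:<name>` to generate a recovery agent certificate pair.

```powershell
# Added example, not from the original thread. Assumes Windows 8 / PS 3.0+
# (PKI module). Sample paths are illustrations only.

$EfsEku         = '1.3.6.1.4.1.311.10.3.4'    # EKU: Encrypting File System
$EfsRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # EKU: File Recovery (recovery agent)

function Get-EfsCertificate {
    # Personal-store certificates that carry a private key and the EFS EKU.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # The PFX contains the private key: without it encrypted files are unreadable
    # after a reinstall, so the PFX password matters as much as the logon one.
    # Self-signed EFS keys are marked exportable, which this relies on.
    $dir = Split-Path -Parent $FilePath
    if ($dir -and -not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    Export-PfxCertificate -Cert $Certificate -FilePath $FilePath -Password $Password
}

function Get-EfsFileDecryptors {
    param([Parameter(Mandatory)][string]$Path)
    # Cheap check first: the Encrypted attribute bit.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    if (-not [int]($attrs -band [System.IO.FileAttributes]::Encrypted)) {
        return [pscustomobject]@{ Path = $Path; Encrypted = $false; Users = @(); Recovery = @() }
    }
    # cipher /c prints a "Users who can decrypt:" section and a "Recovery
    # Certificates:" section, each entry followed by
    # "Certificate thumbprint: XXXX XXXX ...". Collect thumbprints per section.
    $out = & cipher.exe /c $Path 2>&1
    $section = ''
    $users = @(); $recovery = @()
    foreach ($line in $out) {
        switch -Regex ($line) {
            'Users who can decrypt' { $section = 'users' }
            'Recovery Certificates' { $section = 'recovery' }
            'Key Information'       { $section = '' }
            'Certificate thumbprint:\s*([0-9A-Fa-f ]+)' {
                $tp = ($Matches[1] -replace '\s', '').ToUpperInvariant()
                if     ($section -eq 'users')    { $users    += $tp }
                elseif ($section -eq 'recovery') { $recovery += $tp }
            }
        }
    }
    [pscustomobject]@{ Path = $Path; Encrypted = $true; Users = $users; Recovery = $recovery }
}

# Usage:
$cert = Get-EfsCertificate | Select-Object -First 1
if ($cert) {
    $pw = Read-Host -AsSecureString 'PFX password'
    Backup-EfsCertificate -Certificate $cert -FilePath 'C:\Backup\efs-key.pfx' -Password $pw

    $info = Get-EfsFileDecryptors -Path "$env:USERPROFILE\Documents\secret.txt"
    # Confirm the exported certificate is one that can actually open the file.
    if ($info.Users -contains $cert.Thumbprint.ToUpperInvariant()) { 'backup covers this file' }
    # Recovery-agent thumbprints; empty on a workgroup machine with none configured.
    $info.Recovery
}
```

A changed logon password does not show up anywhere in this: the same certificate thumbprint keeps appearing under "Users who can decrypt", because the file key is wrapped to the certificate, not to the password. Store the PFX (and its password) off the machine; anyone holding both can decrypt the files, which is the risk raised in post #5.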

#7 MaryBet82 (Topic Starter)

Posted 16 April 2010 - 09:47 AM

Thanks Baltboy,

This stuff is so complicated. The 2nd article seems to be saying what you are saying - that the administrator is by default the recovery agent - at least in my type situation. If you encrypt your folders in an account other than The Administrator I don't know why they are suggesting establishing a separate recovery agent. Unless it's for the same reason you rename The Administrator account and change its description.

Maybe if I reread my notes now they will make more sense. For my computers that don't leave the house encryption seems more risk/work than worth, but for my thinkpad I absolutely need to have my files encrypted if I'm going to utilize its mobility.
