Thursday, June 12, 2008

Administering Vista Security

Restoring the Administrator

You go to log onto Vista for the first time, and want to log on as the Administrator, just as you always have. But there's this hitch because, well, there doesn't seem to be an Administrator account anymore. Arrgh.

Actually, the Administrator account's still there and can be logged onto. It's just disabled. So here's how to get it back.

First, log onto the Vista system as a local administrator. If you're on a domain, that means that you'll probably need to log on with a domain administrator account, or, if you're not in charge of your domain, then ask your domain administrator to put your domain account in the Administrators group of your Vista machine. If you're using a computer that's a member of a domain, but you can't do either of those things, then you're probably stuck, unless you reinstall the Vista box as a member of a workgroup rather than a domain.

Making Your Own Administrator

If, on the other hand, you're running a Vista box that is not a member of a domain, then Vista will prompt you to create a user account when it first starts up. Vista then automatically puts that account in the Administrators group, just as XP did. It won't force you to give that account a password, but it's a good idea to do it anyway because Vista, like XP and 2003, treats accounts with blank passwords as sort of second-class citizens in that they can't be used over a network.

Because that first account is a local administrator, you may not actually need to revivify the Administrator account.

Activating the Administrator Account

Do you, then, need to activate the Administrator account? Probably not. I figured out how to activate the Administrator account in the early days of Vista, but soon realized that I could accomplish anything with that account that Vista prompted me to create that I could do with the Administrator account. In fact, when testing Vista builds 5472, 5536, and RC1 I never even bothered with activating the Administrator account.

I have heard of people needing the Administrator for application compatibility, as some folks have apps coded to run using the Administrator account (not a good idea, but, again, I've been told that some need it). In any case, if you need the Administrator back, then here's the sequence. First, the Administrator account needs a password, as it's currently blank and, as we all know, having an account named "Administrator" on a system, with a blank password and membership in the Administrators group, is a terribly bad idea.

Also, if your system is a member of a domain that has minimum password requirements installed, then you won't be able to activate an Administrator account with a blank password. (Not that the error message that you get from Windows is crystal clear in explaining why it errors out when you try to activate an Administrator account with a lame password; you tell it to activate the Administrator account and it replies something to the effect that "the password does not meet the minimum requirements of this system." You then scratch your head and say, "I wasn't trying to do anything with a password!")

We'll give the Administrator a good password and activate it at the same time. Here's how.

Note that in my instructions, I'm using the "Classic Start menu." You'll see that I also run using the Windows Classic theme, which leads to my Vista desktops looking sort of like Windows 2000. I do that mainly for the sake of better speed and quicker response time.

Log onto your Vista system with whatever local administrator account you've wangled.

Start up a command prompt: click the Start button (it doesn't say "Start" anymore, but it's in the same place as the old Start button, the lower left-hand corner by default, and it is a circular representation of the Windows flag). Then click All Programs, and then Accessories.

I know, I've lulled you into a false sense of "I know what I'm doing now," and you're about to click the Command Prompt icon. Don't. Instead, right-click the Command Prompt icon and choose "Run as administrator." You will see your desktop go gray and you'll see a dialog box warning you that you're about to do something administrator-like, and did you really mean to do that? You then click either a Continue or Cancel button.

This is called the "Consent user interface" because the program that kicks it off is called consent.exe. It's part of User Account Control (UAC). You'll see this dialog box every time you do something that requires even mildly "administrator-ness" to work right. It stays up for two minutes, and if you don't respond in those two minutes, you get a dialog box announcing that Windows won't run the program because "The operation returned because the timeout period expired." In any case, click Continue to get Vista to open a command prompt.

Now that you've got the command prompt, set the Administrator's password to something other than blank. (And, if necessary, something that makes your domain's group policies happy.) That command looks like net user administrator newpassword. In my case, I'll type net user administrator swordfish to give it the password "swordfish." As with virtually all Windows command-line commands, case does not matter except in the password itself, and you've got to press the Enter key once done. You should get "The command completed successfully."


But what if you didn't? If you get "System error 5 has occurred. Access is denied," then you didn't start up the command prompt by right-clicking and choosing "Run as administrator." Yes, I know, you're logged on as an administrator, you should be able to do administrator things…but it's a longer story having to do with UAC, and we'll cover it later. For now, just please remember to always start your command prompts with "Run as administrator" if you want to do anything administrative.

Now we've got an administrator with a good password; finish the job and activate the account. From the command prompt, type net user administrator /active:yes and press Enter.


I did that as two commands for clarity's sake, but you can do it in one: net user administrator swordfish /active:yes will work as well.


And no matter which path you took, be sure to clear your screen or prying eyes might see that new password. In fact, closing the command prompt window at that point might be a good idea so that no one can press the Up arrow to see what you typed.
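
The same sequence as a batch file, as an added example that is not from the book: it refuses to run from a non-elevated prompt (the cause of "System error 5") and uses the asterisk form of net user, so the password is prompted for without echo instead of being typed where the screen or the Up arrow can reveal it. It assumes an English-language system and the default account name Administrator.

```batch
@echo off
setlocal

rem Added example, not from the book.
rem Assumes an English-language system and the default account name Administrator.

rem An elevated prompt carries the High Mandatory Level SID (S-1-16-12288).
rem Without it, net user fails with "System error 5 ... Access is denied".
whoami /groups | findstr /C:"S-1-16-12288" >nul
if errorlevel 1 (
    echo This prompt is not elevated. Re-open it with "Run as administrator".
    exit /b 5
)

rem The asterisk makes net user prompt twice for the password without echoing it,
rem so it never appears on screen or in the command history.
net user Administrator *
if errorlevel 1 (
    echo Password was not set; the account is left disabled.
    exit /b 1
)

rem Activate only after a non-blank password is in place.
net user Administrator /active:yes
if errorlevel 1 exit /b 1

rem Confirm the result; on an English system this prints the "Account active" line.
net user Administrator | findstr /B /C:"Account active"

endlocal
```

If the domain's password policy rejects the new password, the first net user call fails and the script stops before activating the account.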

Source of Information: Administering Windows Vista Security: The Big Surprises
