Monday, June 23, 2008

[THIN] Re: Terminal Services Configuration

2008/6/23 Berny Stapleton <berny@technology.net.au>:
> The administrator account on this host is disabled, and I am trying to
> replace it. Effectively, I want the Administrator SID to be useless.
> Unfortunately, from what I have seen so far, Windows is hard-coded in
> places to use the Administrator SID, so this is going to be impossible. I
> would like to get as close to it as possible though.
>
> The only way I can get the admin account back now is to boot off a CD and
> modify the registry offline.
>

You should be able to regain access to the Administrator account by
using the bootdisk at:
http://home.eunet.no/pnordahl/ntpasswd/

- it will unlock and enable the administrator account, as well as
reset the password.

To allow non-admins the rights to modify the TS configuration, I'd run
some regmon/filemon traces to see where the config is kept.
Then create a group (e.g. TermServAdmins) and grant modify permissions
on those files/keys for that group.

Start by looking at
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services
and
HKLM\Software\Windows NT\Current Version\Terminal Server

and seeing what the current permissions are. You might be able to
fine-tune the permissions a bit (so some TS admins can do certain
things, but not others).

--
AdamT
"At times one remains faithful to a cause only because its opponents
do not cease to be insipid." - Nietzsche
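
The permission review and group delegation suggested in the reply above, as an added PowerShell example that is not part of the original post. The group name and key paths are taken as written in the message; the `-Grant` switch and the choice of rights (read, set values, create subkeys, but no permission or ownership changes) are assumptions.

```powershell
# Added example: report the ACLs on the Terminal Services keys, then optionally
# grant a delegated group write access. Run from an elevated prompt.
param(
    [string]$Group = 'TermServAdmins',   # example group from the post; must already exist
    [string[]]$Keys = @(                 # paths as written in the post
        'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services',
        'HKLM:\Software\Windows NT\Current Version\Terminal Server'
    ),
    [switch]$Grant                       # without -Grant the script only reports
)

# Assumed rights: enough to change settings, but not to rewrite the ACL or
# take ownership of the key (no ChangePermissions, no TakeOwnership).
$rights    = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($key in $Keys) {
    # Keys that are absent on this host are reported and skipped, not created.
    if (-not (Test-Path -Path $key)) {
        Write-Warning "Key not present on this host, skipped: $key"
        continue
    }

    # Current state first: owner plus every ACE, marking inherited entries.
    $acl = Get-Acl -Path $key
    "Owner of ${key}: $($acl.Owner)"
    $acl.Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize | Out-String

    if ($Grant) {
        # Add one allow ACE for the group, inherited by subkeys.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Group, $rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $key -AclObject $acl
        "Granted '$rights' on $key to $Group"
    }
}
```

Running it without `-Grant` first gives the baseline ACL to compare against after the change.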