A Windows Vista forum. Vista Banter


Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security)

Encrypting Administrator's profile



 
 
#1 (permalink)
January 9th 09, 09:45 AM, posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
Kirsten[_2_]
external usenet poster
Posts: 2
Encrypting Administrator's profile

Is there any way to encrypt (EFS or similar) the entire administrator's
profile folder (C:\Documents and Settings\Administrator) so as to prevent a
user from logging in to the computer if he changes the password with a DOS
utility? (CIA Commander for example).

There's no point in having domain policies if the user can log in as the
administrator and do whatever he wants with the computer!

What else do you suggest? (please don't say "put a bios password" or "forbid
physical access to the computer")

Thanks a lot!



#2 (permalink)
January 9th 09, 02:24 PM, posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
Shenan Stanley
external usenet poster
Posts: 286
Encrypting Administrator's profile

Kirsten wrote:
> Is there any way to encrypt (EFS or similar) the entire
> administrator's profile folder (C:\Documents and
> Settings\Administrator) so as to prevent a user from logging in to
> the computer if he changes the password with a DOS utility? (CIA
> Commander for example).
>
> There's no point in having domain policies if the user can log in as
> the administrator and do whatever he wants with the computer!
>
> What else do you suggest? (please don't say "put a bios password"
> or "forbid physical access to the computer")


Why is this user able to logon as an administrative level account in the
first place?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


#3 (permalink)
January 9th 09, 02:53 PM, posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
Kirsten[_2_]
external usenet poster
Posts: 2
Encrypting Administrator's profile

He's not, but there are several utilities that easily disable the
administrator account.

"Shenan Stanley" wrote in message
...
> Kirsten wrote:
> > Is there any way to encrypt (EFS or similar) the entire
> > administrator's profile folder (C:\Documents and
> > Settings\Administrator) so as to prevent a user from logging in to
> > the computer if he changes the password with a DOS utility? (CIA
> > Commander for example).
> >
> > There's no point in having domain policies if the user can log in as
> > the administrator and do whatever he wants with the computer!
> >
> > What else do you suggest? (please don't say "put a bios password"
> > or "forbid physical access to the computer")
>
> Why is this user able to logon as an administrative level account in the
> first place?
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html



#4 (permalink)
January 9th 09, 03:04 PM, posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
Gordon[_5_]
external usenet poster
Posts: 1,032
Encrypting Administrator's profile

Kirsten wrote:
> He's not, but there are several utilities that easily disable the
> administrator account.


Sounds like some discipline is in order. If this is a workplace, make it
a sackable offence to install or use any software not authorised by the
company. If a home environment, just physically deny access to the
machine until the user learns to respect computer security.


--
Asking a question?
Please tell us the version of the application you are asking about,
your OS, Service Pack level
and the FULL contents of any error message(s)

#5 (permalink)
January 9th 09, 03:37 PM, posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
Shenan Stanley
external usenet poster
Posts: 286
Encrypting Administrator's profile

Kirsten wrote:
> Is there any way to encrypt (EFS or similar) the entire
> administrator's profile folder (C:\Documents and
> Settings\Administrator) so as to prevent a user from logging in to
> the computer if he changes the password with a DOS utility? (CIA
> Commander for example).
>
> There's no point in having domain policies if the user can log in as
> the administrator and do whatever he wants with the computer!
>
> What else do you suggest? (please don't say "put a bios password"
> or "forbid physical access to the computer")

Shenan Stanley wrote:
> Why is this user able to logon as an administrative level account
> in the first place?

Kirsten wrote:
> He's not, but there are several utilities that easily disable the
> administrator account.


Did you mean 'disable' or 'allow them to use' the administrator account?

You didn't want to hear it because you know it's true... "Physical access,
time and a little knowledge means anyone who sits at the machine basically
can own it..."

Are you protecting what's in the administrator account (should be much of
nothing) or is it you just don't want them using the account?

If the latter - your battle is lost before it was started. Encrypt all you
want - physical access can give the user another/the same administrative
account with a little effort and a few tools and time. Maybe not so much
the data in the profile - but there should be nothing in (files, etc) the
actual built-in administrator's account of importance anyway, IMO.

I think you need to divulge what it is you hope to accomplish in order to
better narrow the possible answers. What is the actual problem and need?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


#6 (permalink)
January 14th 09, 01:38 AM, posted to microsoft.public.windows.server.security,microsoft.public.windows.vista.security,microsoft.public.windowsxp.security_admin
Mel K.
external usenet poster
Posts: 4
Encrypting Administrator's profile

You can use a full disk encryption product to encrypt the entire hard drive.
FDE will prevent offline access to the hard drive, meaning you would not be
able to boot the computer into another OS and access the drive. Windows
Vista with BitLocker should do the trick. Vista SP1 made some improvements
to BitLocker.

--
Mel K.
MCSA: M

"Kirsten" wrote in message
...
> Is there any way to encrypt (EFS or similar) the entire administrator's
> profile folder (C:\Documents and Settings\Administrator) so as to prevent
> a user from logging in to the computer if he changes the password with a
> DOS utility? (CIA Commander for example).
>
> There's no point in having domain policies if the user can log in as the
> administrator and do whatever he wants with the computer!
>
> What else do you suggest? (please don't say "put a bios password" or
> "forbid physical access to the computer")
>
> Thanks a lot!
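
Added example, not part of any post in this thread: full disk encryption only blocks offline access while the volume is fully encrypted and protection is enabled, so the sketch below audits a status report for volumes that fail either test. It assumes the field layout of `manage-bde -status` output; the sample report is constructed and simplified, and `parse_status` and `offline_exposed` are hypothetical names.

```python
import re

# Constructed sample, modelled on the layout of `manage-bde -status` output.
SAMPLE_STATUS = """\
Volume C: [OS]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On

Volume D: [Data]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off

Volume E: [Scratch]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
"""

VOLUME_RE = re.compile(r"^Volume\s+([A-Z]:)", re.MULTILINE)
FIELD_RE = re.compile(r"^[ \t]+([A-Za-z ]+):[ \t]+(\S.*)$", re.MULTILINE)


def parse_status(text):
    """Split the report per volume and return {drive: {field: value}}."""
    parts = VOLUME_RE.split(text)  # ['', 'C:', body, 'D:', body, ...]
    return {
        drive: {k.strip(): v.strip() for k, v in FIELD_RE.findall(body)}
        for drive, body in zip(parts[1::2], parts[2::2])
    }


def offline_exposed(volumes):
    """Return {drive: [reasons]} for volumes readable from another OS."""
    findings = {}
    for drive, fields in volumes.items():
        reasons = []
        if fields.get("Conversion Status") != "Fully Encrypted":
            reasons.append("not fully encrypted")
        # Encrypted but "Protection Off" means BitLocker is suspended: the
        # volume key is kept unprotected on disk, so offline access still works.
        if fields.get("Protection Status") != "Protection On":
            reasons.append("protection off")
        if reasons:
            findings[drive] = reasons
    return findings


if __name__ == "__main__":
    for drive, reasons in offline_exposed(parse_status(SAMPLE_STATUS)).items():
        print(f"{drive} exposed to offline access: {', '.join(reasons)}")
```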





#7 (permalink)
March 27th 10, 12:01 AM
ITgreybeard
Junior Member
First recorded activity by VistaBanter: Mar 2010
Posts: 1
Question

I need to encrypt my personal (admin) profile this very weekend, so that I can send my laptop in for service. Lenovo Repair requests unfettered access to an admin account, a separate one of which I have newly created. But I wish to keep my existing data, including online account passwords stored by browsers, private.

I've backed up the disk, by the way, in its entirety, so that if the laptop comes back to me with a clean slate, I can restore. But I would prefer to not wipe the internal disk clean if it is not needed.

This would seem to be a case that requires profile encryption of some sort, as complete access to the machine is given to a third party.
 




All times are GMT.