End User Software Management When Running as Normal Users on Windows
-
@brianlittlejohn said:
@scottalanmiller I think the only SID that can be easily identified as an admin account is the default Administrator account.
That's what I've always believed.
-
@Dashrender said:
Boy that's pretty sad if the SID of the local admin is either static across all Windows machines, or if not static is somehow easy for non-admin users of the system to discover that fact - that seems wrong.
Same on UNIX. Common UID (UNIX SID) across all OSes.
-
A list of well known SID info:
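
Added example, not part of any post in this thread: a Python sketch that decodes a binary SID and classifies it against a few well-known SIDs and RIDs, showing why the built-in Administrator account (RID 500) is identifiable whatever it is renamed to. The sample SID bytes and the machine identifier values in them are constructed, and the lookup tables are a small subset chosen for illustration.

```python
import struct

# Well-known SIDs that are identical on every Windows machine.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators (group)",
    "S-1-5-32-545": "BUILTIN\\Users (group)",
}
# Well-known RIDs appended to a per-machine or per-domain S-1-5-21-x-y-z prefix.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator account",
    501: "built-in Guest account",
    512: "Domain Admins (group)",
    513: "Domain Users (group)",
}


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID (e.g. an AD objectSid value) into S-R-A-S... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def classify(sid: str) -> str:
    """Name a SID if it is well known; the account's display name plays no part."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    # Shape: S-1-5-21-<three machine or domain values>-<RID>
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return WELL_KNOWN_RIDS.get(int(parts[7]), "ordinary account or group")
    return "unrecognised"


# Constructed sample: the three machine identifier values are made up.
SAMPLE = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1111111111, 2222222222, 3333333333, 500)

if __name__ == "__main__":
    sid = sid_from_bytes(SAMPLE)
    print(sid, "->", classify(sid))
```
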
-
@Brett Depending on what FFL or DFL you are on, you won't even be able to use GPP to create a user because of the lack of password access in newer versions. I tried and it wouldn't work because I had to have a password per the policy but I couldn't add one per the change in GPP. The workaround was a script that I have for new machines that adds a local account via GPO startup script then adds it to the local administrators group. The new PC stays in a temporary OU for a few things to be installed, then is moved to the permanent OU where the remaining items are run, including the installation of LAPS, which then changes the newly-created local admin password.
Here is the bat file that is called in the startup:
net user "My Admin" mypassword /add /passwordreq:yes /fullname:"My Admin"
net localgroup Administrators "My Admin" /add