It is possible to disable the administrator account via local security policy and that's exactly how we are doing it. I have written up a security policy that we are applying to the machine, and I have a batch file of subinacl commands that make permissions changes to the registry and filesytem for the new users and administrators groups. I am trying to limit scope, and there are things that I want the new admin user to be able to do, and others that I don't. Changing TS config is one thing that I would like them to be able to do; acting as part of the operating system, I don't. It's an un-attended install for us, so ghosting the server I don't care too much about, I just rebuild the box, drop a couple of software components on it, re-harden it, and drop it back off into the wild. I can have it back within a day, and that's good enough for the business. Berny 2008/6/23 Joe Shonk <joe.shonk@xxxxxxxxx>: > Is that really necessary? It is not recommended (nor possible via normal > means) to disable the administrator's account. If you're worried about > someone getting in the machine and having admin rights then keep the scope > of the administrators group to the local administrator and keep a ghost > image of the server for easy recovery. > > Joe > > > On Mon, Jun 23, 2008 at 5:15 AM, Berny Stapleton <berny@xxxxxxxxxxxxxxxxx> > wrote: > >> The administrator account on this host is disabled, and I am trying to >> replace it. Effectively, I want the Administrator SID to be useless, >> unfortunately from what I have seen so far is that Windows is hard coded in >> places to use the Administrator SID, so this is going to be impossible. I >> would like to get as close to it as possible though. >> >> The only way I can get the admin account back now is to boot off a CD and >> modify the registry offline. >> >> Berny >> >> >> 2008/6/23 Joe Shonk <joe.shonk@xxxxxxxxx>: >> >> Run with elevated rights? >>> >>> Joe >>> >>> On Mon, Jun 23, 2008 at 4:23 AM, Berny Stapleton < >>> berny@xxxxxxxxxxxxxxxxx> wrote: >>> >>>> Hi all, >>>> >>>> Does anyone know how to allow permissions to modify / configure the >>>> Terminal Services Configuration without adding someone to the >>>> Administrators >>>> group? >>>> >>>> I have given the user Full Control on the permissions tab, but they >>>> can't modify the configuration... >>>> >>>> Thanks, >>>> >>>> Berny >>>> >>> >>> >> >