ASP.NET Machine account help.

#1
Hello, I followed someone's suggestion of using a Standard Account for everyday use. So I went to Manage user accounts. And found 3 accounts listed:
-Andrew
-ASP.NET Machine Account
-Guest

I assumed ASP.NET was part of Microsoft and was OK to use. So I set ASP.NET as the admin, and changed Andrew to a Standard User. Mistake. After a restart and some use, any UAC prompt requires a password for ASP.NET of which I do not know of. I've read that it generates random passwords. Also, I've tried safe mode to access Vista's back-up admin, it was a no go. Any help for setting Andrew back to admin?

-I cannot get through any UAC prompts.
-I cannot install most programs that require a UAC prompt.
-I do not have a Vista DVD due to it being pre-installed.
-I have not created a Recovery disc offered from HP. ...My fault.
-Safe mode does not show Vista's back-up Admin account.
-I run Vista HOME PRENIUM.

Any help?
 

mqudsi

Mostly Harmless
Staff member
#2

JustinW

Super Moderator
Staff member
#3
I might be wrong here (correct me if I am). I don't think system restore puts user accounts back the way there were. And I really can't see how the built in ASP.NET account could have been made the only administrator of the system. Windows is usally smart enough and prevents you from downgrading an administrator account.

Anyway, you well need to make that HP recovery disc (or obtain it) if system restore doesn't fix it. For future reference, this was a problem mainly with older versions of Windows. The purpose of Vista's UAC was to run every user as a standard user until administrative actions need to be performed. If still want to use seperate accounts anyway, either create two accounts for yourself or set the password for the Administrator account and use that for administering the computer.
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#4
Kairo,

You have to remember that Vista doesnt use a dedicated Admin account for the user when they create it. The account is just a power user account with Admin Rights. The Admin account is actually hidden.

That is why you can reduce teh account to a limited account unlike in XP where the accoutn created is a Admin account.

Cheers,
Mak
 

JustinW

Super Moderator
Staff member
#5
The admin account can still be used though. If not accessed through the GUI, you can use the command line to configure it. Besides, you could turn off UAC and use the two account method as you would in XP.
 
Last edited:

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#6
Yes. But the truth is that the account that is created upon installing is not a true admin account and its permissions can be lowered. The Admin account can still be used by turning it on. If you can access the PC. Since this user cant there is no way for them to turn it on. :wink:
 

mqudsi

Mostly Harmless
Staff member
#7
The admin account can still be used though. If not accessed through the GUI, you can use the command line to configure it. Besides, you could turn off UAC and use the two account method as you would in XP.
Actually, in Windows Vista the "Administrator" account is set to "Disabled" by default (like the "Guest" account on Windows XP), so you'll have to enable it first, then use it.
 
#8
Hmm, seems the only way I'm able to fix this is too enable Vista's admin. I am able to use this computer as a Standard User. Maybe some of the suggested bottom solutions can solve this?

1) Use the Recovery CD provided by NeoSmart to run the CMD and enable the Vista Admin by typing in: Net user administrator active:/yes

2) Suggested by Jimmah, his site is down (http://www.jimmah.com) but I managed to get another copy of his instructions:

1 Click on the start orb. Write down your username (the name listed right below your picture on the start menu).
2 Place your Windows Installation DVD into your DVD drive
3 Restart your computer
4 When prompted, press a key on your keyboard to boot from the DVD
5 Select your language options and click Next (See picture)
6 Select the option at the bottom to repair your computer (See picture)
7 Select your Windows installation from the list. Make sure you notate what drive letter it is installed on.
8 Select the last option from the list to open a Command Prompt (See picture)
9 Type the following command, and press enter:

regedit

10 On the left, click on HKEY_LOCAL_MACHINE
11 Click the File menu at the top, and then click Load Hive
12 Open "computer"
13 Double-click on the drive that Windows is installed on (you wrote
this drive letter down in step 7)
14 Double-click on the folder called Windows
15 Double-click on the folder called System32
16 Double-click on the folder called Config
17 Click on the file called SAM and click Open
18 Type "Target SAM" into the box and click OK
19 Expand the HKEY_LOCAL_MACHINE folder by clicking on the triangle next
to it
20 Expand the Target SAM folder by clicking on the triangle next to it
21 Expand the SAM folder by clicking on the triangle next to it
22 Expand the Domains folder by clicking on the triangle next to it
23 Expand the Accounts folder by clicking on the triangle next to it
24 Expand the Users folder by clicking on the triangle next to it
25 Click on the folder named 000001F4
26 Double-click the item in the right called "F"

You are now presented with an editor. You will see two columns: a list
of letters and numbers grouped in pairs on the left, with a list of
symbols on the right. We will only be using the list of letters and
numbers on the left.

27 Find the spot in the left column that says "11".
28 Click to the immediate right of the 11, so that the flashing
insertion line is to the immediate right of 11
29 Press backspace to make the 11 disappear
30 Using the keyboard, type the number 10

This should change the information in the left column from

02,00,01,00,00,00,00,00,80,8c,d7,b2,e9,97,c7,01,00,00,00,00,00,00,00,
00,1f,ea,fd,ad,e9,97,c7,01,00,00,00,00,00,00,00,00,de,ad,60,9b,e9,97,
c7,01,f4,01,00,00,01,02,00,00,11, ...

TO:

02,00,01,00,00,00,00,00,80,8c,d7,b2,e9,97,c7,01,00,00,00,00,00,00,00,
00,1f,ea,fd,ad,e9,97,c7,01,00,00,00,00,00,00,00,00,de,ad,60,9b,e9,97,
c7,01,f4,01,00,00,01,02,00,00,10, ...

31 Click OK
32 Close regedit
33 Close the command prompt window and click on the 'Restart' button on
the window that gives you the list of options.
34 When your computer restarts, log in with the account named
'Administrator'. Use this emergency Administrator account to fix your
normal administrator account by using the user accounts control panel.
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#9
Hello,

Just enable the hidden admin account.

How to enable the hidden Admin account in Vista

From there log off and log on as the Admin. Once you do that you can reset all accounts to what you want or jsut continue to use the Admin account and remove all the other accounts.

Cheers,
Mak
 

JustinW

Super Moderator
Staff member
#10
Is the admin account's password blank though its disabled? Unless you have set it before, I think the system randomally generates a password for it. So even if you just enabled it, you would still not know the password needed to login under that account.
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#11
The Admin password will be blank by default. Unless you set one up during install. Only the ASP.NET account does a random password which is the problem he ran into here. But for a prebuilt machine with Vista installed the Admin account password will be blank.

I have done this many times on various machines to get around having to use a user account to get a job done. The Admin account doesnt have UAC enabled either.
 
#12
I cannot enable the hidden admin account through the steps listed by Makaveli213, as both of those methods require a UAC prompt. I can run the CMD but it runs as a standard CMD prompt and is not elevated. Doing net user Admin.... active:/yes gives me a "Access is Denied" wording.

Typing in secpol.msc in search doesn't show up either.
 

mqudsi

Mostly Harmless
Staff member
#14
Will detect and offer to unlock locked or disabled out user accounts!
That would do the trick :smile:
 

Terry60

Knows where his towel is.
Staff member
#15
Secpol is only available in Vista Ultimate, Home users (like me) don't have it.
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#16
There is more than just Ultimate that has it. It is with Business and Enterprise as well. There is a way for Home Premium and Basic users to do it as well. I just have to find that information again. I posted it up so long ago on a site....

Here we go full instructions for every version of Vista.

Remember that cute "Administrator" account you see when you login to safe mode? That's the built-in administrator account that's installed by default, and disabled by default too, after a little digging-in I made this tutorial that'll let you enable and use this account in normal mode, and with a little other tweak, enjoying an XP-like administrator experience, while UAC is left ON (or off, it doesn't matter), but with no prompts or right clicks.

For Windows Vista Ultimate/Business/Enterprise:

1- Click Start, and type "secpol.msc" in the search area and click Enter. (You may receive a prompt from UAC, approve/login and proceed)
2- In the left list, choose "Local Policies", then "Security Options"
3- Set "Accounts: Administrator account status" to Enabled.
4- Set "User Account Control: Admin Approval Mode for the Built-in Administrator account" to Disabled.

For Windows Vista Home Basic/Home Premium:

1- Click Start, and type "cmd" in the search area, right click on "Command Prompt" and select 'Run as Administrator".

2- In the command prompt type "net users Administrator /active'" (Note the capital "A" in Administrator) and press Enter, you will get a confirmation as "The command completed successfully".

3- Click Start, and type "regedit" in the search area and click Enter, navigate to: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Policies\System]
Double click on "FilterAdministratorToken" and set it to "0"

*************************************

Now log-off, and you'll see new account named "Administrator" is available, click on it to login.

Now you are the master of your domain! I recommend if you're going to use this method is to apply it as soon as you do a fresh install of Windows, so you can simply delete whatever administrator you've created in the setup process, and make this one the "real" administrator for your PC, also you can rename this new admin account or change its password like any other account from "User Accounts" in the Control Panel.

A last note: Please apply this procedures only if you know what you're doing. Disabling security features in the operating system is not something recommended to the average Joe, and for sure I won't be held accountable for any damaging happens to your system or files resulting from running a full administrator account all the time.
 
Last edited:

JustinW

Super Moderator
Staff member
#17
Very useful for reference. Thanks for posting that.

However, there are some other things I'd like to add:

1) secpol was designed for the business enviornment anyway. It just happens to be in Ultimate because MS promises that that version supports all of the features short of being a server. Not the other way around.

2) Renaming the Administrator account in control panel well only change the account's fullname property, not the actual name of the account. When an account's fullnmae property is set, a user can login under that acccount using either the actual account's name or fullname as the username. Suppose I had a jdoe account set up and set the fullname to "John Doe". I could supply jdoe or John Doe for the username when logging in. So keeping this in mind from a security persepective, renaming the account isn't any more secure because I could still use Administrator for the username. There might be other methods to actually rename the account itself, but I've found the only way to get the exact name you want for an account is to type that in as you are creating it.
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#18
Kario,

Sorry but your number 2 is incorrect. Partially.

If you change hte name it will be changed. You can not then access the account via the Administrator name anymore but the files and that are still stored under the Amdinistrator folder in the User section.

I have tried several times to access my own PC after renaming the Administrator account even from my own network with using hte Admin name and it doesnt work. Once you change the name that becomes the account name that you have to use for everything then. Just by saying that you can access the Admin info by useing the Admin name is not correct. You will need to use the renamed account name to access the data.

Cheers,
Mak
 

JustinW

Super Moderator
Staff member
#20
It isn't an app you run inside of Windows. You must boot it from a CD. As long as you follow the instructions at the site and on screen, it should work fine.

Mak:

Thanks for the info. It has me curious so I'm experimenting myself. I've renamed and enabled the Administrator account. It is now called "Admin". It even shows in the UAC prompt as "Admin", but a quick net user of it in the command prompt well still display the administrator account if i type net user administrator. Logging in using Administrator for the username after this worked for me anyway. No UAC prompts were shown though as you explained.

I can kind of understand your explanation there, but you haft to keep in mind that unless you have your login enviornment setup where you must first type in a username (rather then click on it), you wouldn't know. This is because Windows well show the fullname of the account for any place in the GUI if its fullname property has been set. This can be the login screen if you have it setup where you click on a username, the start menu when logged in under that user, the control panel under the user accounts applet, the UAC prompt, and so on.

It makes sense anyway as in a peer-to-peer enviornment, Windows refers to the account you are loging in with to determine the user's home directory. Renaming the directory would cause Windows to create a new one for the user the next time they login. I can confirm this because I had never used the Adminstrator account. When I logged in after the account's fullname property had been set, it still created a user directory called "Administrator" for the account's user directory.
 

Attachments

Last edited: