### When Guest is the administrator

Nommo was kind enough to point me to his latest blog entry which discusses a troubleshooting case where the Guest account had somehow wound up being the only active administrator account on a Windows Vista computer.  This was reasonably easy to reproduce (although I used Windows 7 instead) and, indeed, user management tools don’t work as might be expected.

This is interesting.  In most other respects the Guest account still functions as an administrative account.  At first I thought I understood exactly why this happened (to do with the way LAN Manager handled security way back in the days of DOS) but a bit of experimentation showed I was wrong.  It now looks as though a Guest logon is tagged in some way and prohibited from doing any user management – the Guest account can’t even look up its own details – unless you elevate to it from another account, in which case it has user-level access to account management but not administrator-level.  Weird, huh?

Only the actual Guest account is affected; other accounts that are in both Administrators and Guests are not.
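As an added example (not code from the original post), the following PowerShell audit looks for exactly this state: Guest in Administrators while no other enabled local administrator exists, and the built-in Administrator fallback disabled. It assumes Windows 10 or later with the LocalAccounts module (Get-LocalUser, Get-LocalGroupMember) and an elevated prompt; it identifies accounts by well-known RID rather than name, so a renamed Guest is still caught.

```powershell
# Added example, not from the original post. Audits for the condition described above:
# Guest is a member of Administrators and no other enabled local administrator exists.
# Assumes Windows 10+ / PowerShell 5.1+ (Get-LocalUser, Get-LocalGroupMember), elevated.
# Well-known RIDs: 500 = built-in Administrator, 501 = Guest (name-independent check).

$users   = Get-LocalUser
$members = Get-LocalGroupMember -Group 'Administrators'

# Local user accounts that are direct members of Administrators (matched by SID).
$localAdmins = foreach ($m in $members) {
    $users | Where-Object { $_.SID -eq $m.SID }
}
# Domain accounts and nested groups are reported but not analysed further.
$nonLocal = $members | Where-Object { $users.SID -notcontains $_.SID }

$guest        = $localAdmins | Where-Object { $_.SID.Value -like '*-501' }
$otherEnabled = $localAdmins | Where-Object { $_.Enabled -and $_.SID.Value -notlike '*-501' }
$builtinAdmin = $users       | Where-Object { $_.SID.Value -like '*-500' }

"Local user members of Administrators:"
$localAdmins | ForEach-Object { "  {0,-20} enabled={1}" -f $_.Name, $_.Enabled }
if ($nonLocal) { "Non-local members (not analysed): " + ($nonLocal.Name -join ', ') }

if ($guest) {
    Write-Warning "Guest ($($guest.Name)) is in Administrators; remove it once another admin account works."
    if (-not $otherEnabled) {
        Write-Warning "No other enabled local administrator exists: this is the broken state from the post."
        if ($builtinAdmin -and -not $builtinAdmin.Enabled) {
            Write-Warning "Built-in Administrator is disabled too, so the usual fallback logon is unavailable."
        }
    }
} else {
    "Guest is not a member of Administrators."
}
```

The script only reports; once a working administrative account exists, `Remove-LocalGroupMember -Group Administrators -Member Guest` puts the group back in order.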

Because only account management is blocked, you can get around this in a few ways.  Probably the simplest in most cases is to download the psexec tool from Microsoft.  Start an elevated command-line window by typing “cmd” into the “Search Programs and Files” box in the Start Menu and pressing Control-Shift-Enter.  Then type:

```bat
cd /d c:\directory\where\psexec\was\downloaded\to
psexec -s \\127.0.0.1 net localgroup Administrators /add myusername
```

pressing ENTER after each line and changing “myusername” to the username of the other (currently non-administrative) account.

Alternately, you could edit the registry as described in my earlier post but you don’t need to boot from external media:

1. Go to the Start Menu, type “regedit” and press ENTER.
2. Open HKEY_LOCAL_MACHINE, then SYSTEM, then Setup.
3. Double-click on SetupType in the right-hand pane.  Enter 2 and press OK.
4. Double-click on CmdLine.  Enter cmd.exe and press OK.
5. Reboot the machine.  A command window should appear.
6. Type: “net localgroup Administrators /add myusername” and press ENTER.
7. Type: “exit” and press ENTER.

Again, “myusername” should be replaced with the username of an existing, non-administrative account.  After this procedure, the account is administrative.  You could also use “net user myusername newpassword” to change the password if necessary.  (The same caveat applies as in my previous post: resetting a password this way permanently locks you out of any files that account had encrypted.)

Now, obviously Guest shouldn’t be an administrator.  The fact that things behave oddly in this situation is not a bug.  However, if Guest is an administrator the normal recovery options don’t work properly.  In particular you are supposed to be able to log in as Administrator if no usable administrative accounts exist, and in this situation you can’t, and this is a bug.

Hope this helps.

Author’s note: I was recently involved in a discussion on a private mailing list about Julian Assange’s recent diatribe against Facebook concerning privacy.  I suggested this was hypocritical, and was asked why I thought Wikileaks had invaded people’s privacy.  This is my reply, with only a few minor edits.

I believe that employees, including government/diplomatic employees (such as ambassadors) are entitled to a reasonable degree of privacy with regards to their work in the absence of evidence that they have misused it.  This privacy was violated, IMO, by the public release of confidential advice (the diplomatic cables) that they had given their employer.

For my part I would certainly consider my privacy violated if my work email was publicly released, although I don’t think I have a great deal to be embarrassed about.

Mr. Assange is reported to have said that diplomats should only “write reports they are proud of” or something to that effect.  This doesn’t make sense to me.  A diplomat might be justifiably proud of accurate reporting and/or insight, but this doesn’t mean that the report won’t cause embarrassment, and quite possibly harm their career, if made public.

Facts exist, they aren’t something to be proud of or not.  It is in the interest of everybody that the people making decisions know the facts as accurately as is possible, even if it is not reasonable under the circumstances to release them publicly.  (For example, the public release of allegations of misconduct or criminal activity when you are unable to provide evidence would be unfair to the accused; the public release of information on the idiosyncrasies of foreign leaders would lead to your diplomatic service being expelled.)

HOWEVER, even if you disagree that diplomats have any right to privacy, the release of the cables also invaded the privacy of those that the diplomats were writing about.  Making public various allegations of misconduct, when you have no knowledge yourself of the truth or falsity of these allegations, surely counts as an invasion of privacy?

Mr. Assange is also reported to have complained about the public release of the Swedish police report concerning the allegations against him.  I see this as an even clearer case of hypocrisy, since the police (like the diplomats) are a Government agency; if the US diplomatic service shouldn’t keep secrets about third parties from the public, why should the Swedish police do so?

If only those cables (if any) that spoke to misconduct of the diplomats or of the US government had been released, I wouldn’t have any complaints.  But so far I don’t think I’ve heard of a single released cable meeting that criterion.  (If you would like to propose an example, please post a comment.)