
Determine administrator account

Status
Not open for further replies.

tvbruwae

Programmer
Aug 9, 2001
224
EU
Hi

Is there a procedure or tool that can help me to determine the built-in administrator account on NT and W2K systems? On most of these systems the local admin account has been renamed and its comments have been removed so it's rather hard to find out which admin account is the built-in one.

Thanks.

Tim
 
The built-in Administrator account always has a SID ending in 500, e.g. S-1-2-34-1234567890-123456789-123456789-500

So, one way to do it is to open up regedit and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

There'll be a list of SIDs there for every account that has interactively logged on to the machine. The one ending in -500 is your admin account. Have a look to see which user name is associated with that account in the ProfileImageFlag key.

HTH!
 
I found the keys and SIDs, but I can't associate the username with them since the ProfileImageFlag key does not seem to exist. Or is it located in another registry key?
 
Hmmm, OK then. That would imply that the local admin account has never logged on. Never mind, plan B. There's a command line utility called sid2user that will give you the account name. You can download it from here:


and plug in the SID ending in -500. That should do it.

The syntax will be something like
sid2user 2 34 1234567890 123456789 123456789 500
(based on the SID I used above).

See how that goes!
 
Found the tools and they work great. Thanks a lot, you've been a great help!
 
I thought this was interesting so I tried it, and found that you in fact can get this info from the Registry.

When you have expanded ProfileList and have the list of SID keys, open one of them and look at the value named ProfileImagePath. Scroll right and you'll see that it contains the path to the account profile, such as "%SystemRoot%\Profiles\Administrator". I think that's what we're talking about, since that identifies the user.

Now I'm going to try sid2user. Good tip!
 
The last part of the ProfileImagePath does indeed indicate the associated username. However, it always points to the SID's profile folder that was created upon first login of the user. When the username is changed (renamed), both the folder and the registry key still point to the original username. That's why I couldn't use this approach.
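
Added example, not part of any post in this thread: a read-only PowerShell function that ties the thread's three points together (the -500 SID, resolving the SID to the current account name, and the stale ProfileImagePath after a rename). The function name Get-BuiltinAdministrator is hypothetical, and the code assumes a later Windows release with PowerShell 3.0 or newer rather than NT or W2K.

```powershell
# Added example (not from the thread): find the built-in local Administrator
# by its RID of 500 and show whether the profile folder still carries an old name.
# Assumption: PowerShell 3.0+ on the machine being checked; nothing is modified.

function Get-BuiltinAdministrator {
    # Win32_UserAccount lists every local account with its SID, so this works
    # even when the account has never logged on and has no ProfileList entry.
    $account = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match '-500$' }
    if (-not $account) { throw 'No local account with a SID ending in -500 was found.' }

    # Resolve the SID to the account name it has right now (the SID-to-name
    # lookup the thread uses sid2user for). A rename does not change the SID.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($account.SID)
    $currentName = $sid.Translate([System.Security.Principal.NTAccount]).Value

    # The ProfileList subkey exists only after an interactive logon, and its
    # ProfileImagePath keeps the folder created at first logon.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$($account.SID)"
    $profilePath = $null
    $folder = $null
    if (Test-Path -LiteralPath $key) {
        $profilePath = (Get-ItemProperty -LiteralPath $key).ProfileImagePath
        if ($profilePath) { $folder = Split-Path -Path $profilePath -Leaf }
    }

    [pscustomobject]@{
        SID           = $account.SID
        CurrentName   = $currentName
        Disabled      = $account.Disabled
        HasLoggedOn   = [bool]$profilePath
        ProfilePath   = $profilePath
        # A differing folder name is only a hint of a rename: Windows may also
        # append a suffix to the folder when the plain name was already taken.
        FolderDiffers = [bool]($folder -and ($folder -ne $account.Name))
    }
}

Get-BuiltinAdministrator | Format-List
```

Treat CurrentName as the authoritative answer; ProfilePath and FolderDiffers only show what the registry remembers from the first logon.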
 