At work all our machines are running Windows 10. When we were all running Windows 7, I was able to map to a specific folder on the C: drive of another computer. Since installing Windows 10, I haven't been able to do that.
Posted by3 years ago
Archived
The problems I've encountered so far:
Can anyone help me?
8 comments
-->
Applies to
Describes the best practices, location, values, and security considerations for the Accounts: Limit local account use of blank passwords to console logon only security policy setting.
Reference
The Accounts: Limit local account use of blank passwords to console logon only policy setting determines whether remote interactive logons by network services such as Remote Desktop Services, Telnet, and File Transfer Protocol (FTP) are allowed for local accounts that have blank passwords. If this policy setting is enabled, a local account must have a nonblank password to be used to perform an interactive or network logon from a remote client.
This policy setting does not affect interactive logons that are performed physically at the console or logons that use domain accounts. It is possible for non-Microsoft applications that use remote interactive logons to bypass this policy setting.Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures. Nevertheless, if a user with the ability to create new accounts creates one that has bypassed your domain-based password policy settings, that account might have a blank password. For example, a user could build a stand-alone system, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the account name can then use accounts with blank passwords to log on to systems.
Devices that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the device can log on by using a user account that does not have a password. This is especially important for portable devices.
If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
Possible values
Best practices
Location
Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options
Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
Policy management
This section describes features and tools that are available to help you manage this policy.
Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
Policy conflict considerations
The policy as distributed through the GPO takes precedence over the locally configured policy setting on a computer joined to a domain. On the domain controller, use ADSI Edit or the dsquery command to determine effective minimum password length.
Group Policy
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in.
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Vulnerability
Blank passwords are a serious threat to computer security, and they should be forbidden through organizational policy and suitable technical measures. Starting with Windows Server 2003, the default settings for Active Directory domains require complex passwords of at least seven characters, and eight characters starting with Windows Server 2008. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on.
Countermeasure
Enable the Accounts: Limit local account use of blank passwords to console logon only setting.
Potential impact
None. This is the default configuration.
Related topics
I am trying to run Notepad as admin so I can edit my hosts file from the command line.
I have tried
runas /user:(myusername)administrator 'notepad c:windowssystem32driversetchosts' I then input my password and I get
RUNAS ERROR: Unable to run - notepad c:windowssystem32driversetchosts 1327: Account restrictions are preventing this user from signing in. For example: blank pa sswords aren't allowed, sign-in times are limited, or a policy restriction has been enforc ed.
PS: I know if I give permission to my user account I can edit it without running as admin. But I'd like to know how to do this without having to change permissions on the hosts file.
Kirill FuchsKirill Fuchs
3 Answers
Ok, the reason this doesn't work is the security model in Windows Vista and newer. An account in the administrators group still runs everything not explicitly elevated as a limited user. The exception is the
Administrator account, which runs everything elevated. For this reason, it is considered generally bad to use as your login account, and is normally disabled.
You could enable it and then
runas to invoke as that account. That introduces a few problems - now you're running with the environment of a different user, which could have different environment variables set.1
The better way to do this would be actually elevate as your current user via UAC. Unfortunately, the standard command prompt doesn't include that capability - but both third party programs and the built-in PowerShell and WSHell (VBScript) can do so.
Borrowing from my other answer, you can invoke the PowerShell command directly with
powershell -c :
which basically tells PowerShell to run the following (
start is aliased to Start-Process ):
The trick here is passing the verb
runas , triggering UAC.
Neither
Start-Process -Verb runas nor the standard cmd runas will pass the current working directory, so always use the full path in any commands you elevate in this fashion.
Also note that some arguments like
-c may clash with Start-Process arguments, so the safest way is:
1 Note: this only applies to the user's environment variables. Environment variables you set in a parent process are not passed on by UAC! This also applies to
runas , and it's even worse there because you won't even get the correct user's vars.
Community♦
BobBob
47.5k2020 gold badges145145 silver badges177177 bronze badges
Most likely, you haven't yet enabled the administrator account.
Here are instructions for enabling the administrator account.
You'll also find more info on runas on the Microsoft site.
Nicole HamiltonNicole Hamilton
8,66911 gold badge1212 silver badges3636 bronze badges
One thing that you could try is opening command prompt as admin and running notepad through there. Just type
Notepad . After you do that from there you can click file then open and navigate to the hosts file and open it. Finally, you can just save like normal.
TylerDaNerdTylerDaNerd
Not the answer you're looking for? Browse other questions tagged command-lineadministratorhosts-filerunas or ask your own question.-->
Applies to
Lock the taskbar windows 10. The Live Tiles on the right of the start menu can be moved around and put beneath custom subheadings for easy access. The Start menu also lets you shut down your computer and diving into system settings.
Describes the best practices, location, values, management, and security considerations for the Accounts: Block Microsoft accounts security policy setting.
Reference
This setting prevents using the Settings app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.
There are two options if this setting is enabled:
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
Possible values
By default, this setting is not defined on domain controllers and disabled on stand-alone servers.
Best practices
Location
Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options
Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
Policy managementAccount Restrictions Are Preventing This User From Signing In Yahoo
This section describes features and tools that are available to help you manage this policy.
Restart requirementAccount Restrictions Are Preventing This User From Signing In Windows 2012
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure implementation.
Vulnerability
Although Microsoft accounts are password-protected, they also have the potential of greater exposure outside of the enterprise. Additionally, if the owner of a Microsoft account is not easily distinguishable, auditing and forensics become more difficult. Longest time critical path in microsoft project 2016 free download full version product key.
Countermeasure
Require only domain accounts in your enterprise by limiting the use of Microsoft accounts. Click the Users can’t add Microsoft accounts setting option so that users will not be able to create new Microsoft accounts on a device, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account.
Potential impact
Establishing greater control over accounts in your organization can give you more secure management capabilities, including procedures around password resets.
Related topics
Hello
I Want To map network from PC A(Client) TO PC B(SERVER).But When I want To go to PC B(server) through PC A(Client) This Message Appear **'ACER-PC is not accessible.You might not have permission to use this network resource contact the adminstrator of this server to find out if you have access permission Account restrictions are preventing this user from signing in.For example: blank passwords aren't Allowed,sign-in times are limited,or a policy restriction has been enforced'** thank you for helping Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |