Microsoft KB Archive/237889

{|
 * width="100%"|

Users Group Member Can Add New Users in Windows 2000 Professional

 * }

-

The information in this article applies to:


 * Microsoft Windows 2000 Professional

-

SUMMARY
When a member of the Users group tries to use the Users and Passwords tool in Control Panel in Windows 2000 Professional, the user is prompted for the Administrator password:

You must be a member of the Administrators group on the computer to open the Users and Passwords control panel. You are logged in as Machine_name\User_name, which is not a member of the Administrators group.

Specify the user name and password of an Administrator on this computer to continue:

User name:

Password:

You can change your password without opening the Users and Passwords control panel by pressing CRTL-ALT-DEL and selecting Change Password.

However, the Administrator account and password is ignored if the user runs the Administrative Tools tool in Control Panel. The user can then gain access to the Computer Management tool and the Local Users and Groups subtree it contains. Upon gaining access, a member of the Users group can add a new user to the computer. The user can also change the password for the created account. Members of the Users group cannot promote the new user to the Administrators group, nor can they change another account's password.

MORE INFORMATION
This behavior is the default configuration in Windows 2000 Professional only. This is not the default behavior in Windows 2000-based servers or domain controllers.

To disable this functionality, revoke the "NT Authority\Authenticated Users" security principal from the Power Users group:


 * 1) Log on to the Windows 2000 Professional-based computer using an account with administrator rights.
 * 2) Click Start, point to Settings, and then click Control Panel.
 * 3) Double-click Administrative Tools, and then double-click Computer Management.
 * 4) Double-click Local Users and Groups, and then click the Groups folder.
 * 5) In the right pane, double-click Power Users.
 * 6) Click NT AUTHORTY\INTERACTIVE, and then click Remove.
 * 7) Click OK.

Additional query words:

Keywords : kbenv kbtool

Version : WINDOWS:2000

Platform : WINDOWS

Issue type : kbinfo

Technology :