[Editor's Note: Share your security discoveries, comments, problems, solutions, and experiences with products. Email your contributions (500 words or less) to [email protected]. We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.]
A while back, in my role as a systems administrator, I was running User Manager to view my Windows NT 4.0 accounts to see whether the account information was current. I noticed what appeared to be two group accounts named Administrators, and I wondered how two accounts could have the same name. On closer examination, I saw that one of the accounts was the built-in Administrators group account. The other account had an additional character appended to the account name—this character displayed as a black square after the account name's final letter.
Each time I tried to delete or otherwise manage the account with the invalid appended character, I received the error message "The group properties cannot be edited or viewed at this time." At first, I thought an intruder might have added the account. But the Security event log showed that a local systems administrator had created the account. Although the account didn't seem to be serving any purpose, I couldn't figure out how to delete it.
A colleague directed me to the Microsoft article "Invalid Accounts Created with ADDUSERS.EXE" (http://support.microsoft.com/?kbid=141791), which suggests that the Microsoft Windows NT Server 4.0 Resource Kit's addusers.exe utility can handle invalid characters in a username. When I entered
addusers /?
at a command prompt, I received the syntax and information that Figure 1, page 15, shows.
First, I used the /d switch and piped the output to a text file containing all the users and groups in the domain. I then deleted all the lines in the text file except the line containing the account in question, which I saved as group.txt. I used debug.exe, from \winnt\system32\debug.exe, to examine this file and saw that the name administrators had a hexadecimal 09 at the end, as Figure 2 shows. This output confirmed my suspicion that the account name included an invalid character—that is, the hex 09. To delete the account, I opened a command prompt and entered addusers \\domainPDC /e group.txt.
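The debug.exe inspection above can be automated across a whole dump so that every account name carrying a control character, and every pair of names that look identical on screen, is flagged at once. The following is an added example, not code from the article or from the Resource Kit; it assumes the addusers /d file format (bracketed [User], [Global] and [Local] sections with comma-separated fields, name first) and uses a constructed sample dump with a second "Administrators" group carrying a trailing hex 09.

```python
import re

# Constructed sample of an addusers /d dump (assumed format: [User], [Global]
# and [Local] sections, comma-separated fields, account name first).
# The second "Administrators" entry carries a trailing tab (0x09), as in the article.
SAMPLE_DUMP = (
    "[User]\n"
    "jsmith,John Smith,,Help desk,,,,\n"
    "[Global]\n"
    "Domain Admins,Designated administrators of the domain,jsmith\n"
    "[Local]\n"
    "Administrators,Members can fully administer the computer/domain,jsmith\n"
    "Administrators\t,,jsmith\n"
)

# ASCII control characters (0x00-0x1f) and DEL (0x7f) never belong in a name.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def suspect_chars(name):
    """Return (offset, hex) for every control character in an account name."""
    return [(m.start(), f"{ord(m.group()):02x}") for m in CONTROL.finditer(name)]

def iter_names(dump_text):
    """Yield (line number, section, raw name) for each account line in the dump."""
    section = None
    for lineno, line in enumerate(dump_text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # new section header, e.g. [Local]
            continue
        yield lineno, section, line.split(",", 1)[0]

def find_invalid_accounts(dump_text):
    """Report names containing control characters or leading/trailing blanks."""
    findings = []
    for lineno, section, name in iter_names(dump_text):
        bad = suspect_chars(name)
        if bad or name != name.strip():
            findings.append({"line": lineno, "section": section,
                             "name": name, "bytes": bad})
    return findings

def lookalike_groups(dump_text):
    """Group names that render identically once control characters and
    surrounding blanks are removed (case-insensitive, per section)."""
    seen = {}
    for _, section, name in iter_names(dump_text):
        visible = CONTROL.sub("", name).strip().lower()
        seen.setdefault((section, visible), []).append(name)
    return [(sec, vis, names) for (sec, vis), names in seen.items() if len(names) > 1]
```

Running find_invalid_accounts on the sample reports the [Local] entry on line 7 with byte 09 at offset 14, and lookalike_groups pairs it with the genuine Administrators group.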