| subject: | Re: EFS Best practices |
From: "Geo"
"Mike N." wrote in message
news:fjrhn0peigga7bjplujomv5ul5i0rdg4ce{at}4ax.com...
> Assuming I never created a password reset disk, there's still no way into
> the SAM to create a password reset disk. Someone could replace the SAM
> and log in as Administrator, but that still gives them no access to the
> LSA, EFS keys, or original accounts.

I don't remember for sure but I believe there is a way by replacing less of
the registry than is specified in that procedure.

> If you have a laptop, you still need to be able to take it offsite /
> offnetwork and function standalone. So the domain member is not practical
> in my case.

That's sort of what I was getting at; I think there is another issue. Here
is why. You are a domain member, you log in as domain admin to the laptop
one time and it creates your desktop and whatever. OK, now shut down and
unplug the laptop from the network, then boot it back up and log in as domain
admin again; it works. That's because the domain admin login information is
cached on the machine.
Until you disable that (I forget how it's done) I don't think you are
secure. That's why I like being a domain member better; it makes it easy to
tell if you have this disabled or not. You can still log in as a local machine
account; it's just a good way to test your settings.
Geo.
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
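
An added example, not part of the post above: Windows controls cached domain logons with the Winlogon registry value `CachedLogonsCount` (Group Policy "Interactive logon: Number of previous logons to cache"), and a value of 0 disables them. This PowerShell check reports whether a machine would still accept a cached domain logon while off the network; the function name `Get-CachedLogonAudit` is hypothetical.

```powershell
# Added example: audit the cached domain logon setting on the local machine.
function Get-CachedLogonAudit {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # CachedLogonsCount is stored as a string (REG_SZ). If it is absent,
    # the Windows built-in default applies, so report that separately.
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount

    $count  = 0
    $parsed = ($null -ne $raw) -and [int]::TryParse([string]$raw, [ref]$count)

    # Cached domain logons only matter on a domain member.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    $state = if ($null -eq $raw) { 'NotSet (Windows default applies)' }
             elseif (-not $parsed) { "Unparseable: $raw" }
             elseif ($count -eq 0) { 'Disabled' }
             else                  { "Enabled ($count logons cached)" }

    [pscustomobject]@{
        ComputerName       = $cs.Name
        PartOfDomain       = $cs.PartOfDomain
        Domain             = $cs.Domain
        CachedLogonsState  = $state
        # True when a domain account could log on with no domain controller
        # reachable, i.e. anything other than an explicit 0.
        OfflineDomainLogon = [bool]($cs.PartOfDomain -and -not ($parsed -and $count -eq 0))
    }
}

$audit = Get-CachedLogonAudit
$audit | Format-List

if ($audit.OfflineDomainLogon) {
    Write-Warning 'Cached domain logons are enabled: domain accounts that have logged on here can log on offline.'
} elseif (-not $audit.PartOfDomain) {
    Write-Output 'Machine is not a domain member; the cached domain logon setting has no effect.'
} else {
    Write-Output 'Cached domain logons are disabled (CachedLogonsCount = 0).'
}
```

Setting the value to 0 also stops the laptop's owner from logging on with a domain account while away from the network, which is the trade-off discussed in the quoted text.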
| SOURCE: echomail via fidonet.ozzmosis.com | |