본문 바로가기
유용한 정보/· ETC

Biometry not allowed by operating system policies

by 넷둥이파파 2011. 12. 4.

Link
http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/d6cb3aa9-c4eb-4763-ba8b-a8f90c7a3555/


The built-in administrator account is not supported by Microsoft WBF and in their policy guidance FMAs are advised to inform organizational admins that biometry is unavailable for built-in administrator and guest accounts. However, there is a work-around to the ever annoying:

Error Code: E7210005 "Operation is not allowed by operating system policies."

First, you have to understand how Fingerprint Software works, at least UPEK, Inc. in this case. Put simply, the UPEK software takes your username and password and links that data to a biometric fingerprint which is given its own unique identifier.

Every username created in Windows is also given a unique identifier, a numerical "fingerprint." This is by design and is separate from the Biometry that comes later. Because the UPEK software does not record this unique user identifier or process it in any way, its fairly simple circumvent Microsoft's Built-In Operating System policy:

 
  1. You will never be able to enroll fingerprints in a built-in admin or guest account directly, you must import them.
  2. If you are going to use this feature in contravention to Microsoft operating system policy you are going to have to come up with some renaming conventions.
  3. Use Windows Key +R (Run) and type "control userpasswords2"
  4. Create a new user with a password and admin rights, choose a username that you will want to rename the built-in Administrator account to, i.e. SysAdmin, or Admin etc.
  5. Log Off Administrator and log on to the new account. Enroll all the fingerprints you are going to want to use. Then use the application to "Export" to a file in the root of C or some commonly accessible area.
  6. Once this file is exported, log off the new user, log on to the built-in Administrator, first delete the newly created user via Run: "control userpasswords2";
  7. Next you want to rename your built-in Administrator account in the Advanced tab to the username you just deleted. It must be the same username exactly.
  8. Once you have renamed your built-in Administrator account. Log off. Then Log back on.
  9. Start your UPEK suite or Biometry application, and go through the Import process. Once you select your exported file for import, you will generally need to enter the password you created for it when you exported it, but its important to remember that you will only be able to use the fingerprints you enrolled under the other user, you will never be able to add new fingerprints to enroll, or otherwise edit the enrolled fingerprints.
  10. For office environments, there are 10 slots so a maximum of 10 users could theoretically have biometric access to the built-in Administrator account in direct violation of operating system policy, a very dumb operating system policy.

 
Proposed As Answer by Biometric EngineerTuesday, October 13, 2009 1:10 PM

'유용한 정보 > · ETC' 카테고리의 다른 글

정규식 표현  (0) 2012.04.04
블루스크린 오류 목록  (0) 2011.12.15
HDTV 안테나 만들기  (4) 2011.04.20
QoS 패킷 스케쥴러 설정하기 (로컬 그룹 정책 편집기를 이용)  (0) 2011.02.28
mecro  (1) 2011.01.21