
Windows 10 October Update Can Now Disable Your Administrator Account

this happened to me and i had to install windows from scratch.


22 hours ago, leadeater said:

To be slightly fair current best practice is to leave the Administrator account disabled and never use it. You should actually use a different administrator privileged account instead, I have done this for years now. There is a good reason for this, it's a known account that attackers can try and exploit or brute force the password. If you don't know the username of the administrator privileged account brute forcing the password is a heck of a lot harder. 

I can't put my finger on it, but it feels like using a separate account is just a false sense of security.

If someone is in the position where they can brute force the Administrator password, then chances are they can detect the usernames anyway. I haven't thought it all through yet, but my gut tells me that using a different account name is similar to just hiding the SSID (which is to say, delays the attack by like a minute at best). Ophcrack doesn't need to know the username to list all the local accounts and their passwords for example. It probably fetches that info from some local database within Windows.


22 hours ago, mynameisjuan said:

Exactly and this applies for all OSes as well. 

Not really, no.


21 hours ago, jammiescone said:

I'm not sure it was intentional, because I think Microsoft knows that there are still sysadmins out there who use it responsibly when it's required. It will be an accidental security improvement for regular users who had it activated without knowing, but I don't reckon there's many of those around since it's not something you can really enable by accident! More likely to just cause minor headaches for those using it as a last resort tool!

I know quite a few customers who use it.

It's widely used in small companies where they are big enough to have AD and some privilege management, but small enough that the IT people want to just be able to walk up to any computer unprepared, and login to a local admin account without having to look up some randomly generated password specific to that computer (which is the proper way of doing it).


20 hours ago, BuckGup said:

It's like being root the whole time in linux 

Nope, not similar at all.

Administrator is still a normal account, but with administrator privileges. It doesn't run things with escalated privileges at all times.

Disabling UAC and running with an account that has administrator privileges (any admin account, not just Administrator) would kind of be like constantly running as root in GNU/Linux. Although even that has some differences.

17 hours ago, Jito463 said:

Disabling the built-in Administrator account was surely done on purpose, given that the built-in Administrator account is actually broken in many ways in Windows 10 (and has been since launch), especially when accessing Settings. Apart from using it to repair broken installs or user profiles, there's really no reason to have it enabled.

Broken how exactly? Like I said, I know quite a few small businesses that use it, and it works fine for them.


16 hours ago, Jito463 said:

It's possible this has been fixed, but last I checked the Settings menu wasn't working correctly and neither was the Start menu. I don't recall the specifics, but I pretty much just accessed PowerShell, did what I needed to and then exited because it wasn't useful beyond that.

Sounds like the Administrator profile was broken in some way. Can happen to any account, Administrator or not.


6 hours ago, joacortez said:

this happened to me and i had to install windows from scratch.

You shouldn't have had to do that. This particular bug/issue seems to only happen if you have a second account with admin privileges already. So you should have been able to still login with a different account.


And before someone says it's a feature not a bug/issue, Microsoft disabling accounts on computers without warning is an issue, even if it was done "for a good cause".


What is the reason to restrict Administrator access on every physical system?

If you have physical access to a machine you can compromise it even with a boot lock, by just unplugging the HDD, unless it's encrypted. But if it's encrypted, what is still the reason you need to disable the Administrator account too?

Brute forcing is only required in this case, and manually; I mean basically slamming the keyboard, since once it's decrypted the only way to obtain data is the Windows login screen. Here you need to guess the password and username after someone decrypts it and leaves the system alone, and the same applies to the password for decryption. Yeah, disabling the Administrator account would be a point to start, but lol.

In the other case, where it's not encrypted, why brute force when you get all the files by just plugging in the HDD? You can even get the usernames and passwords in Windows; in Linux they are hashed in /etc/passwd, but you can still retrieve the files and usernames.

You can access the files anyway, am I wrong?

I could find it reasonable for Linux systems; they often even disable account access (though only over SSH) to prevent any brute-force attempt on SSH, and just use RSA certificates.

It could make sense if the system has Remote Desktop enabled, where you can try to brute force it. Aren't there any certificates in this case? In this case you have to guess both username and password, and disabling the Administrator account makes sense.


1 hour ago, LAwLz said:

Sounds like the Administrator profile was broken in some way. Can happen to any account, Administrator or not.

I had it happen multiple times across multiple computers, but it has been a while since I checked, so maybe it was just an issue with the early builds of Windows 10. I'll have to try again when I get a chance.


2 hours ago, LAwLz said:

I can't put my finger on it, but it feels like using a separate account is just a false sense of security.

If someone is in the position where they can brute force the Administrator password, then chances are they can detect the usernames anyway. I haven't thought it all through yet, but my gut tells me that using a different account name is similar to just hiding the SSID (which is to say, delays the attack by like a minute at best). Ophcrack doesn't need to know the username to list all the local accounts and their passwords for example. It probably fetches that info from some local database within Windows.

Kind of depends on situation, escalation of privilege is harder on a true standard user account or when UAC settings have not been lowered. Without a higher privilege it's not as easy to scan the system for user accounts and check permissions of them but you could just hit them all, any you find etc.


A lot of the reason why it's disabled by default is the SSID of that account is known to start with the same pattern and there were some known exploits in the past where you could scan the system for SSIDs of that pattern and as long as you actually knew the correct SSID could do an escalation of privilege. I'm not actually sure how applicable that is post Windows 7/8.1 anymore but it's still best to just leave that account alone and use a different one. It's such an easy thing to do it comes under the why not condition.

Edit:

You can use a GPO to ensure the administrator account of the name you want is on every computer, doing that makes it functionally no different to the built-in administrator account. It'll be on every computer joined to the domain, the other option is to have the account in the OS image or have it created as part of the OS deployment another way through MDT/SCCM Task Sequence step or a OOBE First Run script. Plenty of options to get your company standard administrator account on to computers.

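The deployment step leadeater describes above (a company-standard admin account created by an OOBE first-run script or task sequence), as an added example that is not code from the thread: it creates the account with a per-machine random password, adds it to Administrators by well-known SID, and leaves the built-in Administrator disabled. The built-in account is found by its SID rather than its name, because it is the local account with RID 500 whatever it has been renamed to. The account name CorpAdmin, the 28-character length, and writing the password to stdout as a stand-in for your escrow (LAPS, a vault) are assumptions for illustration; run it elevated.

```powershell
# Added example, not code from the thread: a first-run / task-sequence step that creates a
# company-standard local admin account and leaves the built-in Administrator disabled.
# Assumptions for illustration: the account name 'CorpAdmin', a 28-character password, and
# writing the password to stdout as a stand-in for your escrow (LAPS, a vault, ...).
#Requires -RunAsAdministrator

$AccountName    = 'CorpAdmin'   # assumed name; use your own standard
$PasswordLength = 28            # assumed length

function New-RandomPassword {
    param([int]$Length)
    # CSPRNG plus rejection sampling, so every character is equally likely
    # (a bare modulo would bias toward the start of the alphabet).
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit    = 256 - (256 % $alphabet.Length)
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}

$plain  = New-RandomPassword -Length $PasswordLength
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# Idempotent: create the account, or just rotate the password if it already exists.
if (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name $AccountName -Password $secure
} else {
    New-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires `
        -AccountNeverExpires -Description 'Company standard local admin' | Out-Null
}

# Address the Administrators group by its well-known SID so this also works on
# localized Windows, where the group is not called "Administrators".
$adminGroupSid = 'S-1-5-32-544'
if (-not (Get-LocalGroupMember -SID $adminGroupSid | Where-Object { $_.Name -like "*\$AccountName" })) {
    Add-LocalGroupMember -SID $adminGroupSid -Member $AccountName
}

# The built-in Administrator is the local account with RID 500, whatever it has been renamed to.
$builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtIn.Enabled) { Disable-LocalUser -SID $builtIn.SID }

Write-Output "$($env:COMPUTERNAME): '$AccountName' is an enabled local admin; built-in '$($builtIn.Name)' is disabled."
Write-Output "Escrow this password (stand-in for LAPS/vault): $plain"
```

The only line you would change for production is the last one: hand the password to whatever per-machine escrow you use instead of printing it, so that the "look up the random password for this computer" workflow mentioned earlier in the thread has something to look up.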

2 minutes ago, leadeater said:

Kind of depends on situation, escalation of privilege is harder on a true standard user account or when UAC settings have not been lowered. Without a higher privilege it's not as easy to scan the system for user accounts and check permissions of them but you could just hit them all, any you find etc.

I just checked. You do not need administrator privileges to check the database of local accounts. Any user can view the usernames of all existing local accounts on a machine.

You can even check which users have administrator privileges without having them yourself.

Try it out for yourself if you don't believe me. Create a new standard user, open cmd and run:

    net users

and

    net localgroup administrators


And if you block access to cmd through some group policy, there are still other ways to get to it, such as Computer Management, or third-party programs that show it. Since you don't need administrator privileges to access the user database, anyone can view it.


So no, I do not see how using a different account name for a local admin account provides any extra security. It saves an attacker one command.


16 minutes ago, leadeater said:

A lot of the reason why it's disabled by default is the SSID of that account is known to start with the same pattern and there were some known exploits in the past where you could scan the system for SSIDs of that pattern and as long as you actually knew the correct SSID could do an escalation of privilege. I'm not actually sure how applicable that is post Windows 7/8.1 anymore but it's still best to just leave that account alone and use a different one. It's such an easy thing to do it comes under the why not condition.

When I said SSID I meant WiFi SSID. Maybe you thought I meant the SID?

Anyway, it was just a comparison I made, saying that using a different username provides about as much security as hiding your SSID (which is to say, not at all because your router still broadcasts it so any attacker can view it if they want).

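To check both points made in this exchange, here is an added example that was not posted in the thread. Run from a plain standard user account (no elevation), it lists the members of the local Administrators group, the same data `net user` and `net localgroup administrators` return, tells you which member is the built-in Administrator by its SID (the local account with RID 500, regardless of the name it currently has, which is why renaming it hides nothing), and shows whether each local member is enabled. It also flags the condition described earlier for the October update lock-out: when the built-in account is the only enabled local admin, disabling it leaves nobody able to log on as admin locally. Looking groups and accounts up by well-known SID rather than by name is an assumption made so the script also works on localized Windows.

```powershell
# Added example, not code from the thread. Run it from a plain standard user account
# (no elevation): it lists the local Administrators group, identifies the built-in
# Administrator by its RID-500 SID regardless of name, and warns if that account is the
# only enabled local admin (the lock-out case discussed above). Group and built-in lookups
# use well-known SIDs rather than names; that choice is an assumption made so the script
# also works on localized Windows.

function Get-LocalAdminInventory {
    $adminGroupSid = 'S-1-5-32-544'      # well-known SID of the local Administrators group
    $localUsers    = Get-LocalUser        # readable by any user, same data as 'net user'

    foreach ($m in Get-LocalGroupMember -SID $adminGroupSid) {
        $user    = $localUsers | Where-Object { $_.SID -eq $m.SID }
        $enabled = if ($user) { $user.Enabled } else { $null }   # unknown for domain principals
        [pscustomobject]@{
            Name      = $m.Name
            Class     = $m.ObjectClass
            Source    = $m.PrincipalSource                      # Local / ActiveDirectory / ...
            IsBuiltIn = ($m.SID.Value -like 'S-1-5-21-*-500')   # RID 500 = built-in Administrator
            Enabled   = $enabled
        }
    }
}

$inventory = Get-LocalAdminInventory
$inventory | Format-Table -AutoSize

# The lock-out condition: nothing but the built-in account can log on as admin locally.
$enabledLocal = @($inventory | Where-Object { $_.Source -eq 'Local' -and $_.Enabled })
if ($enabledLocal.Count -eq 1 -and $enabledLocal[0].IsBuiltIn) {
    Write-Warning "Only the built-in Administrator ('$($enabledLocal[0].Name)') is enabled; disabling it leaves no usable local admin."
} elseif ($enabledLocal.Count -eq 0) {
    Write-Warning 'No enabled local admin account; recovery depends on a domain account being reachable.'
}
```

The `IsBuiltIn` column is the practical answer to the renaming question: an attacker who can run this (or `net user`) does not need to guess the account name, and the RID-500 test finds the built-in account even after it has been renamed. One caveat: Get-LocalGroupMember can fail on groups that contain orphaned SIDs; `net localgroup administrators`, the command quoted above, still lists them.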

29 minutes ago, LAwLz said:

When I said SSID I meant WiFi SSID. Maybe you thought I meant the SID?

Yea, wasn't paying too much attention, just assumed you meant SID and just ran with it, and the wrong name apparently. Kinda late here ?.

29 minutes ago, LAwLz said:

And if you block access to cmd through some group policy, there are still other ways to get to it such as computer management, or third party programs that shows it. Since you don't need administrator privileges to access the user database, anyone can view it.


So no, I do not see how using a different account name for a local admin account provides any extra security. It saves an attacker one command.

There are proper ways to get it completely locked down as well as lock out computer management and prevent user account scanning though going to that extent is usually unnecessary or overbearing in most cases. I go with at least trust your users a little bit rather than do everything in your power to annoy them and make them hate you.


Only exception to that is school students and their accounts, I give them zero trust. Typical configuration for those accounts blocks CMD through GPO as well as Applocker policies, also use GPO to hide and restrict access to the C drive, you only have indirect access to it through starting applications but you cannot from within the application access the C drive or see it either.


I also block all applications from running within the user appdata\local\temp location, so no running executables from open zip files you downloaded, and also block them from running from removable media and disc drives etc. Edit: Oh and I block executables from running from student home drives.

You can block the net command you used using AppLocker policies as well. There are other ways beyond the net command but I think that requires admin perms or can also be blocked; I don't dive too much into complete system hardening often and it's more about stopping those idiot/untrusted users than anything else.

If you're insane you could even go with white-list only Applocker policy....... truly insane though I know people have done that.


Edit:

Bloody auto emojis, fixed.


5 hours ago, leadeater said:

There are proper ways to get it completely locked down as well as lock out computer management and prevent user account scanning though going to that extent is usually unnecessary or overbearing in most cases. I go with at least trust your users a little bit rather than do everything in your power to annoy them and make them hate you.

Well yeah of course. For example AppLocker like you mentioned, but my point was that using a different account name for the local admin seems to me to do very little to prevent something like a brute-force attack.

If you implement all the other security measures necessary to make it impossible to just view the account names then you already have very tight security, and that extra protection does very little.

It's like painting your nuclear shelter with 3 layers of paint instead of 2. That extra layer of paint does provide a bit more mass between you and the nuclear blast, but it's an insignificant amount in my opinion. I mean, if we're talking about proper security measures then you should be using full drive encryption with TPM, and a random password for the local admin account for each individual computer, 10+ characters with uppercase, lowercase, numbers and special characters. Someone would have to brute force that by hand, and that would take such a long time that not even our grandchildren would have to worry.


9 hours ago, LAwLz said:

Not really, no.

Yes, yes really.


Not having administrative privileges lowers many risks to decimal-level percentages. It's security 101


Just now, mynameisjuan said:

Yes, yes really.


Not having administrative privileges lowers many risks to decimal-level percentages. It's security 101

I think you misunderstood leadeater's post.

He is not talking about administration privileges in general. It's a specific account called Administrator, and that only applies to Windows.


15 minutes ago, LAwLz said:

I think you misunderstood leadeater's post.

He is not talking about administration privileges in general. It's a specific account called Administrator, and that only applies to Windows.

Yes and this account is the root account on unix machines which is disabled by default unless you call for the account. 


This post is about people getting locked out of their administrator accounts which I am saying should never be used to begin with. 


2 hours ago, LAwLz said:

Well yeah of course. For example AppLocker like you mentioned, but my point was that using a different account name for the local admin seems to me to do very little to prevent something like a brute-force attack.

If you do everything but not leave the administrator account disabled then you'd still be able to try and brute force it. There isn't a single perfect security defense measure, not using the built-in administrator account may not do much but it's still something on the list of things you can do.


8 hours ago, leadeater said:

Only exception to that is school students and their accounts, I give them zero trust. Typical configuration for those accounts blocks CMD through GPO as well as Applocker policies, also use GPO to hide and restrict access to the C drive, you only have indirect access to it through starting applications but you cannot from within the application access the C drive or see it either.

Lol, back when I was at school I would definitely have stolen the HDD from the case and got the passwords another way if I wanted to obtain data, or also used some Linux USB drive


Just now, Lukyp said:

Lol, back when I was at school I would definitely have stolen the HDD from the case and got the passwords another way, if I wanted to obtain data

Case locks ?


Most people forget to disable CD or USB boot anyway, so just using Hiren's Boot CD is enough to enable and/or reset the built-in Administrator.


1 hour ago, mynameisjuan said:

Yes and this account is the root account on unix machines which is disabled by default unless you call for the account.  

Depends on what you mean by "unix", and "disabled". Disabled accounts do not function the same way in Windows as they do in *nix.

You can't really draw parallels here because *nix OSes and Windows work completely differently. The Administrator account is not like root. Administrator privilege (not the account) is kind of like running things as sudo root. This thread is about the account Administrator though. That account is nothing like root, just like the account I use for everyday tasks is nothing like root.

1 hour ago, mynameisjuan said:

This post is about people getting locked out of their administrator accounts which I am saying should never be used to begin with. 

"never be used" is a strong word. There are reasons why you might want to use it. For example like I mentioned earlier, it is very useful as the default admin account used by IT staff in a small business environment.


8 minutes ago, leadeater said:

If you do everything but not leave the administrator account disabled then you'd still be able to try and brute force it. There isn't a single perfect security defense measure, not using the built-in administrator account may not do much but it's still something on the list of things you can do.

Yes, brute force it a single password at a time, on the exact machine you're trying to compromise, manually. At that point it doesn't matter if they know the account name or not, because it will take thousands of years to get the password assuming you have a decent one.

Congratulations, the difficulty of brute forcing a computer went from 10,000 years to 50,000 years, and that's assuming you didn't leave a single way of obtaining the account name for the local admin to begin with, which as I explained earlier is super easy and can be done in multiple ways, since you do not need admin privileges to view which users have admin privileges to begin with.

It's like arguing that having a 101 character long password is better than having a 100 character long password. Technically it is better, but in practice that extra character doesn't offer any more protection. If someone is getting into something protected by a 100 character password, they will be able to get into the same system if it used a 101 character long password.


2 minutes ago, leadeater said:

Case locks ?

Not when I used to bring my personal drill with me at school


3 minutes ago, leadeater said:

Most people forget to disable CD or USB boot anyway so just using hirens boot cd is enough to enable and/or reset built-in administrator.

They did; they also put a BIOS password on. Isn't putting case locks on also expensive? Well anyway, there could also be CMOS resets, or during the summer when they don't power them on the battery would eventually reset the settings; there are some crappy BIOSes that lose the password during this.


9 minutes ago, Lukyp said:

Not when I used to bring my personal drill with me at school

for what reasonable purpose did you have to bring a drill to school?....



16 minutes ago, LAwLz said:

Depends on what you mean by "unix", and "disabled". Disabled accounts do not function the same way in Windows as they do in *nix.

You can't really draw parallels here because *nix OSes and Windows work completely differently. The Administrator account is not like root. Administrator privilege (not the account) is kind of like running things as sudo root. This thread is about the account Administrator though. That account is nothing like root, just like the account I use for everyday tasks is nothing like root.

Not only that, they even behave differently on the respective *nix flavour; Linux is more like FreeBSD, where macOS has consistent changes as well as something like HP-UX.

@Arika S


More reasonable than you might think: my school was a technical institute and we could do projects by ourselves, with the help of our teachers, in our spare time.


4 minutes ago, LAwLz said:

Depends on what you mean by "unix", and "disabled". Disabled accounts do not function the same way in Windows as they do in *nix.

You can't really draw parallels here because *nix OSes and Windows work completely differently. The Administrator account is not like root. Administrator privilege (not the account) is kind of like running things as sudo root. This thread is about the account Administrator though. That account is nothing like root, just like the account I use for everyday tasks is nothing like root.

Disabled in the sense that it's not an actual accessible account until activated, and it is similar to root in that the account has full permission to the system (with exceptions). Root can be logged into but it is highly suggested not to, and to instead run a command as if you have root permissions (sudo). The Windows Administrator account has administrator permissions, which give you full permissions to the system. Whether you think so or not, in the end they are similar in use case.

15 minutes ago, LAwLz said:

"never be used" is a strong word. There are reasons why you might want to use it. For example like I mentioned earlier, it is very useful as the default admin account used by IT staff in a small business environment.

I know when it's to be used, but even when you want an admin account you create another admin account or use RADIUS. I am arguing on the security side of things, where Administrator/admin/root accounts should be disabled and account permissions should be done on an account-by-account basis.


1 hour ago, mynameisjuan said:

Disabled in the sense that it's not an actual accessible account until activated, and it is similar to root in that the account has full permission to the system (with exceptions). Root can be logged into but it is highly suggested not to, and to instead run a command as if you have root permissions (sudo). The Windows Administrator account has administrator permissions, which give you full permissions to the system. Whether you think so or not, in the end they are similar in use case.

The Administrator account functions NOTHING like root. I am not sure why you are trying to shoehorn it into this conversation.

When an account is disabled in Windows, it does not function like a disabled account in *nix. In *nix, you can still do things like run things as a disabled account through sudo. That's why you can have it disabled and still use it.

In Windows, the Administrator account is just another account which has administration privileges. If it's disabled, you can't access it.


Stop trying to draw parallels to OSes which function completely differently. It serves no purpose in this thread and probably just confuses people, because what you're saying doesn't make any sense.

1 hour ago, mynameisjuan said:

I know when its to be used but even when you want an admin account you create another admin account or use radius. I am arguing on the security side of things where Administrator/admin/Root accounts should be disabled and account permissions should be done on an account by account basis. 

1) Why create another admin account? It serves no purpose. Like I said earlier, the local account database is fully accessible to anyone who has access to the system. No admin privileges necessary. Using a different username for a local administration account does not increase security in any meaningful way.

Anyone who can brute-force an account password in a reasonable time-frame will be able to see the account name in plain text in minutes, even if you use a different account name. Anyone who can't brute-force the password won't be a threat.


2) No, you should not use RADIUS instead. First of all, we're talking about Windows accounts here, for logging into Windows. That does not use RADIUS. Secondly, if you do not have a local account in case of emergency then you're begging for trouble. You would have no way of fixing things like a computer that has lost connection to the domain (because of, for example, too big a time difference between the client and AD).

3) What do you mean by "account permissions"? In Windows you either have a standard user or administrator. All accounts belong to either one of those two categories. I get that you are arguing for using GPOs to control permissions, but that is completely unrelated to this conversation, where we're talking about administration accounts. There is no middle-ground when it comes to categorizing accounts.


Anyway, to get back to your original post.

The two points leadeater made, which you claimed applied to all OSes were:

    1) It's best practice to leave the Administrator account disabled and never use it.

Well, no OS outside of Windows has an Administrator account. The closest equivalent you can find is root (although that would be more like the System user), but even then "disabled" means different things in Windows and *nix. So you can't even "disable" the root user in the same way the Administrator account is disabled. So the account doesn't exist, and it can't be disabled like in Windows. That's why I don't think this point applies to OSes other than Windows.

    2) You should use an account that's identical to the Administrator account privileges wise, but with a different name.

Serves no purpose like I explained above. Also, since the root account can't be made inaccessible in the same way Administrator can be in Windows it doesn't matter if you make another account or not. People will still be able to target the root user (and this is not a problem because knowing the username is not a vulnerability). So that does not apply to OSes other than Windows either.


40 minutes ago, LAwLz said:

The Administrator account functions NOTHING like root. I am not sure why you are trying to shoehorn it into this conversation.

When an account is disabled in Windows, it does not function like a disabled account in *nix. In *nix, you can still do things like run things as a disabled account through sudo. That's why you can have it disabled and still use it.

In Windows, the Administrator account is just another account which has administration privileges. If it's disabled, you can't access it.

2 hours ago, mynameisjuan said:

Root can be logged into but it is highly suggested not to, and to instead run a command as if you have root permissions (sudo).

Clearly said: as if you had the same permissions as root. With Windows, if you want to run as Administrator you need to log in as it, or use run-as and log in. So yeah, clearly it won't work if it's disabled. Mirroring vs actually accessing an account.

40 minutes ago, LAwLz said:

Stop trying to draw parallels to OSes which functions completely differently. It serves no purpose to this thread and probably just confuses people, because what you're saying doesn't make any sense.

It's not derailing; the point being, don't log in to or run everything off an account that has full system permissions, which is what this thread is based on: people being locked out because they used the Administrator account. Simple straightforward comment, but you are overlooking the shit out of it.

40 minutes ago, LAwLz said:

1) Why create another admin account? It serves no purpose

1.AD is down/no connection

2.Admin accounts for individuals in the IT dept.

3.Exploits target that account


40 minutes ago, LAwLz said:

2) No, you should not use RADIUS instead. First of all, we're talking about Windows accounts here, for logging into Windows. That does not use RADIUS.

Radius/AD, same @^@#$^ concept. 


40 minutes ago, LAwLz said:

Serves no purpose like I explained above. Also, since the root account can't be made inaccessible in the same way Administrator can be in Windows it doesn't matter if you make another account or not. People will still be able to target the root user (and this is not a problem because knowing the username is not a vulnerability). So that does not apply to OSes other than Windows either.

Again you are overlooking the hell out of my comment. 


Don't enable and don't log in to Administrator/root accounts, that's it, that's the point.


2 minutes ago, mynameisjuan said:

Clearly said: as if you had the same permissions as root. With Windows, if you want to run as Administrator you need to log in as it, or use run-as and log in. So yeah, clearly it won't work if it's disabled. Mirroring vs actually accessing an account.

I honestly have no idea what you're trying to say here. I can not follow your train of thought.

What do you mean by "mirroring vs actually accessing an account" and how is that relevant how to things work in *nix?


6 minutes ago, mynameisjuan said:

It's not derailing; the point being, don't log in to or run everything off an account that has full system permissions, which is what this thread is based on: people being locked out because they used the Administrator account. Simple straightforward comment, but you are overlooking the shit out of it.

You do know that the Administrator account does not run everything with Administrator privileges, right? There is nothing special about the Administrator account.

Running something as the Administrator user, and running something with administrator privileges are two very, very different things.

"Run as admin" does not run something as the Administrator user.


Administrator is just a regular account with administrator privileges. It is not different in any way shape or form, other than being automatically created and disabled when you install Windows, to your average "Juan" account that has administrator privileges.

Administrator is not like root.


11 minutes ago, mynameisjuan said:

1.Radius is down/no connection

2.Admin accounts for individuals in the IT dept.

3.Exploits target that account

1) Please stop saying RADIUS. It's nitpicking, but AD does not use RADIUS. At least say Kerberos (which is what Windows uses to authenticate user logins). But anyway, using the standard Administrator account would service the same purpose.

2) Not sure what you mean. Are you saying each person in the IT department should have their own local account on every computer? I guess that could work, but seems like a big security risk. More users and passwords = higher risk of one being compromised, especially since they are stored locally on a computer other people have access to.

3) Please, explain to me in detail how exploits target the Administrator account, and how that is a bigger threat than if you had an account called "Backup_Admin". Any half-assed exploit you have to worry about will just check which accounts exists, and which of them have administrator privileges before picking a target to attack. This is not the 90's. Malware is a bit more clever than to just assume a certain account is used (especially an account that's disabled by default) and then only try to attack that.


24 minutes ago, mynameisjuan said:

Don't log in to Administrator/root accounts, that's it, that's the point.

I agree that you should not login and use the root account in *nix OSes. There is no point in doing that since you can just use sudo, which is safer.

I disagree that you shouldn't login to the Administrator account. Home users shouldn't, but in a small to medium corporate environment I would even recommend it as a backup account.


53 minutes ago, LAwLz said:

Well, no OS outside of Windows has an Administrator account. The closest equivalence you can find is root (although that would be more like the System user), but even then "disabled" means different things in Windows and *nix. So you can't even "disable" the root user in the same way the Administrator account is disabled. So the account doesn't exist, and it can't be disabled like in Windows. That's why I don't think this point applies to OSes other than Windows.

Some Linux distros still get you to set a root account password during install, like CentOS, which is sort of weird to me since most others also go with the don't use root and don't set a password for it so it can't be used principle. 


By default on Ubuntu Server it's not actually possible to log in as root or switch user to root without booting into single user mode; sudo is all you should need. I mean it's a good model, which is why Windows copied it and why UAC was created. UAC is the real security improvement, not so much leaving the built-in Administrator disabled, but you're still adding to security by also doing that.

2 hours ago, LAwLz said:

Yes, brute force it a single password at a time, on the exact machine you're trying to compromise, manually. At that point it doesn't matter if they know the account name or not, because it will take thousands of years to get the password assuming you have a decent one.

One password at a time? Do you mean by that as in being physically at the computer? Brute forcing a password is technically one password at a time regardless of how it is done unless you parallel thread it and split up something like a dictionary attack.


But you do know you can still get a script to run on a standard user account trying passwords against the built-in administrator account, with or without the logged in user knowing.


Not every attack is done by some super smart person or the scripts they make/find/use always that sophisticated, sometimes they aren't even trying to crack the account just get it locked out to be annoying. I've had instances where schools have requested account lockouts be disabled because students/classes are purposely being annoying and locking out their teachers accounts or other students, sometimes all you're doing is cleaning up shit so anything to prevent one less pile of shit to be cleaned up is good in my book.

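For the scenario leadeater raises above, a script on a standard-user session quietly trying passwords against the built-in Administrator, here is an added detection example that is not code from the thread. It summarises Security event 4625 (failed logon) by target account, by the already-logged-on session that requested the logon, and by logon type; marks whether the target is the RID-500 built-in account whatever its current name; and finishes by printing the lockout policy that decides whether such guessing is rate-limited at all (the same lockouts leadeater mentions students abusing). The Security log is only readable with admin or Event Log Readers rights, so run it elevated. The 24-hour window and the warning threshold of 10 attempts are assumptions.

```powershell
# Added example, not code from the thread: summarise failed logons (Security event 4625)
# by target account, initiating session and logon type, to spot a script on a standard-user
# session guessing the built-in Administrator's password. The Security log needs admin or
# Event Log Readers rights. Assumptions: a 24-hour window and a warning threshold of 10.
#Requires -RunAsAdministrator

$Hours     = 24
$Threshold = 10

# NTSTATUS values 4625 carries in SubStatus (lower-case hex in the event XML).
$reasonText = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'no such user'
    '0xc000006d' = 'bad user name or password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

# Built-in Administrator = local account with RID 500, whatever it is currently named.
$builtInName = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).Name

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $f = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Target    = $f['TargetUserName']
        LogonType = $f['LogonType']          # 2 interactive, 3 network, 10 RDP, 11 cached
        # Subject = the already-logged-on account whose session requested the logon. A guessing
        # script run by a standard user shows up here; the logon screen and network logons
        # show SYSTEM or '-'.
        Subject   = $f['SubjectUserName']
        Process   = $f['ProcessName']
        Reason    = $reasonText["$($f['SubStatus'])".ToLower()]
        Source    = $f['IpAddress']
    }
}

$summary = $rows | Group-Object Target, Subject, LogonType | ForEach-Object {
    [pscustomobject]@{
        Target    = $_.Group[0].Target
        IsBuiltIn = ($_.Group[0].Target -eq $builtInName)
        Subject   = $_.Group[0].Subject
        LogonType = $_.Group[0].LogonType
        Attempts  = $_.Count
        Reasons   = ($_.Group.Reason | Sort-Object -Unique) -join ', '
        Last      = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
    }
} | Sort-Object Attempts -Descending

$summary | Format-Table -AutoSize
$summary | Where-Object { $_.Attempts -ge $Threshold } | ForEach-Object {
    Write-Warning "$($_.Attempts) failed logons for '$($_.Target)' requested by session '$($_.Subject)' (logon type $($_.LogonType))"
}

# Whether guessing is rate-limited at all: 'Lockout threshold: Never' means unlimited attempts.
net accounts | Select-String 'Lockout'
```

The Subject column is what makes this useful against the "with or without the logged-in user knowing" case: a run of wrong-password failures for the built-in account whose Subject is a student's or standard user's account, with logon type 2 and a process path under that user's profile, is a guessing script, not someone mistyping at the lock screen. Two rows for the same target where the reason flips from "wrong password" to "account locked out" is the deliberate-lockout nuisance leadeater describes.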
