Share via


Enable and Disable the Built-in Administrator Account

In Windows Vista, the built-in administrator account is disabled by default. In previous versions of Windows, an Administrator account was automatically created during Out-of-Box-Experience (OOBE) with a blank password.

An Administrator account with a blank password is a security risk. To better protect the system, the built-in Administrator account is disabled by default in all clean installations and upgrades of Windows Vista.

Note

For upgrade installations, the built-in Administrator account is kept enabled when there is no other active local Administrator on the computer. However, the built-in Administrator account is disabled by default for new installations and upgrades on domain-joined computers, regardless of whether there are other active local Administrators on the domain-joined computers.

In audit mode, Windows Setup will implicitly enable the built-in Administrator account as the last action in the auditSystem configuration pass if the built-in Administrator is not already enabled. The first action in the auditUser configuration pass is to disable the built-in Administrator account. This enables you to run programs and applications as an Administrator. When you complete your customizations in audit mode and log out, the built-in Administrator account will be disabled. Unless you want to explicitly leave the built-in Administrator account enabled, there’s no need to re-enable the built-in Administrator account in audit mode.

Enable the Built-in Administrator Account for Windows Vista

There are two ways to enable the built-in Administrator account.

  • Use the AutoLogon unattended Setup setting
    You can enable the built-in Administrator account during unattended installations by setting the AutoLogon setting to Administrator in the Microsoft-Windows-Shell-Setup component. This will enable the built-in Administrator account, even if a password is not specified in the AdministratorPassword setting.
    You can create an answer file by using Windows System Image Manager (Windows SIM).
    The following sample answer file shows how to enable the Administrator account, specify an Administrator password, and automatically log onto the system.
   <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="https://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <AutoLogon>
         <Password>
            <Value>SecurePasswd123</Value> 
            <PlainText>true</PlainText> 
         </Password>
         <Username>Administrator</Username> 
         <Enabled>true</Enabled> 
         <LogonCount>5</LogonCount> 
      </AutoLogon>
      <UserAccounts>
         <AdministratorPassword>
            <Value>SecurePasswd123</Value> 
            <PlainText>true</PlainText> 
         </AdministratorPassword>
      </UserAccounts>
   </component>
  • Use the Local Users and Groups MMC console
    Change the properties of the Administrator account by using the Local Users and Groups Microsoft Management Console (MMC).
    1. Open the MMC console and select Local Users and Groups.
    2. Right-click the Administrator account and select Properties.
      The Administrator Properties window appears.
    3. On the General tab, clear the Account is Disabled check box.
    4. Close the MMC console.
      Administrator access is now enabled.

Enable the Built-in Administrator Account for Windows Server 2008

For Windows Server® 2008, the built-in Administrator password must be changed at first logon. This prevents the built-in Administrator account from having a blank password by default.

Both Microsoft-Windows-Shell-Setup | Autologon and Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword sections are now needed for autologon in audit mode to work. Both of these settings should be added to the auditSystem pass.

The following XML output shows how to set the appropriate values.

            <UserAccounts>
                <AdministratorPassword>
                   <Value>yourBApasswordhere</Value>
                    <PlainText>true</PlainText>
                </AdministratorPassword>
            </UserAccounts>

         <AutoLogon>
            <Enabled>true</Enabled>
            <Username>Administrator</Username>
             <Password>
              <Value> yourBApasswordhere </Value>
              <PlainText>true</PlainText>
             </Password>
         </AutoLogon>

Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword can be used in oobeSystem pass to prevent having to enter a password for the built-in Administrator account after you complete the out-of-box experience.

The following XML output shows how to set the appropriate values.

            <UserAccounts>
                <AdministratorPassword>
                    <Value> yourBApasswordhere</Value>
                    <PlainText>true</PlainText>
                </AdministratorPassword>
            </UserAccounts>

Disabling the Built-in Administrator Account

Original equipment manufacturers (OEMs) and system builders are required to disable the built-in Administrator account before delivering the computers to customers.

  • Run the sysprep /generalize command
    When you run the sysprep /generalize command, the next time the computer starts, the built-in Administrator account will be disabled.
    -or-

  • Use the net user command
    Run the following command to disable the Administrator account.

    net user administrator /active:no
    

    You can run this command after configuring the computer, before delivering the computer to a customer.