Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
Windows Client TechCenter
Click to Rate and Give Feedback
TechNet
TechNet Library
Windows
Windows Vista
Deployment
 Enable and Disable the Built-in Adm...
Enable and Disable the Built-in Administrator Account

In Windows Vista, the built-in administrator account is disabled by default. In previous versions of Windows, an Administrator account was automatically created during Out-of-Box-Experience (OOBE) with a blank password.

An Administrator account with a blank password is a security risk. To better protect the system, the built-in Administrator account is disabled by default in all clean installations and upgrades of Windows Vista.

noteNote
For upgrade installations, the built-in Administrator account is kept enabled when there is no other active local Administrator on the computer. However, the built-in Administrator account is disabled by default for new installations and upgrades on domain-joined computers, regardless of whether there are other active local Administrators on the domain-joined computers.

In audit mode, Windows Setup will implicitly enable the built-in Administrator account as the last action in the auditSystem configuration pass if the built-in Administrator is not already enabled. The first action in the auditUser configuration pass is to disable the built-in Administrator account. This enables you to run programs and applications as an Administrator. When you complete your customizations in audit mode and log out, the built-in Administrator account will be disabled. Unless you want to explicitly leave the built-in Administrator account enabled, there’s no need to re-enable the built-in Administrator account in audit mode.

Enable the Built-in Administrator Account for Windows Vista

There are two ways to enable the built-in Administrator account.

  • Use the AutoLogon unattended Setup setting
    You can enable the built-in Administrator account during unattended installations by setting the AutoLogon setting to Administrator in the Microsoft-Windows-Shell-Setup component. This will enable the built-in Administrator account, even if a password is not specified in the AdministratorPassword setting.
    You can create an answer file by using Windows System Image Manager (Windows SIM).
    The following sample answer file shows how to enable the Administrator account, specify an Administrator password, and automatically log onto the system.
   <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <AutoLogon>
         <Password>
            <Value>SecurePasswd123</Value> 
            <PlainText>true</PlainText> 
         </Password>
         <Username>Administrator</Username> 
         <Enabled>true</Enabled> 
         <LogonCount>5</LogonCount> 
      </AutoLogon>
      <UserAccounts>
         <AdministratorPassword>
            <Value>SecurePasswd123</Value> 
            <PlainText>true</PlainText> 
         </AdministratorPassword>
      </UserAccounts>
   </component>
  • Use the Local Users and Groups MMC console
    Change the properties of the Administrator account by using the Local Users and Groups Microsoft Management Console (MMC).
    1. Open the MMC console and select Local Users and Groups.
    2. Right-click the Administrator account and select Properties.
      The Administrator Properties window appears.
    3. On the General tab, clear the Account is Disabled check box.
    4. Close the MMC console.
    Administrator access is now enabled.

Enable the Built-in Administrator Account for Windows Server 2008

For Windows Server® 2008, the built-in Administrator password must be changed at first logon. This prevents the built-in Administrator account from having a blank password by default.

Both Microsoft-Windows-Shell-Setup | Autologon and Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword sections are now needed for autologon in audit mode to work. Both of these settings should be added to the auditSystem pass.

The following XML output shows how to set the appropriate values.

            <UserAccounts>
                <AdministratorPassword>
                   <Value>yourBApasswordhere</Value>
                    <PlainText>true</PlainText>
                </AdministratorPassword>
            </UserAccounts>

         <AutoLogon>
            <Enabled>true</Enabled>
            <Username>Administrator</Username>
             <Password>
              <Value> yourBApasswordhere </Value>
              <PlainText>true</PlainText>
             </Password>
         </AutoLogon>

Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword can be used in oobeSystem pass to prevent having to enter a password for the built-in Administrator account after you complete the out-of-box experience.

The following XML output shows how to set the appropriate values.

            <UserAccounts>
                <AdministratorPassword>
                    <Value> yourBApasswordhere</Value>
                    <PlainText>true</PlainText>
                </AdministratorPassword>
            </UserAccounts>

Disabling the Built-in Administrator Account

Original equipment manufacturers (OEMs) and system builders are required to disable the built-in Administrator account before delivering the computers to customers.

  • Run the sysprep /generalize command
    When you run the sysprep /generalize command, the next time the computer starts, the built-in Administrator account will be disabled.
    -or-
  • Use the net user command
    Run the following command to disable the Administrator account.
    net user administrator /active:no
     You can run this command after configuring the computer, before delivering the computer to a customer.
Community Content   What is Community Content?
Add new content RSS  Annotations
yes      anuar30   |   Edit   |   Show History
enable
Tags What's this?: Add a tag
Flag as ContentBug
CAUTION!      jmac711   |   Edit   |   Show History 
      NUMBER ONE:
      

      

      ALWAYS make sure there are TWO or MORE user accounts
with administrative rights AT ALL TIMES! Do this to make sure your
plain "B" has a plain "C". In fact, allow a geust account WITHOUT
GIVING IT A PASSWORD administrative rights temporaly, just to insure
your plain "C" has even a plain "D", this action should only be done by
the OWNER, just as an insurerance that control over the computer will
never be lost, by simply useing another user account in the case one
account is deactivated or deleted.
      

      

      

      NUMBER TWO:
      

      

      It is
not always nessasery to create a new password for your defualt or any
administrator, while using it just for a couple modifacations. Theres
always a good chance you might forget your new passwords while trying
to keep up with all your other file transformations, you need to do at
the time. It also NOT nessusary to turn off system restore during this
action, as you can always defrage data files later.
      

      

      

      NUMBER THREE:
      

      

      NEVER
under any sercumstances should the defualt administrator, be
deactivated BY the defualt administrator mistakingly, using "net user
administrator /active:no" WITHOUT haveing another user account WITH
administrative rights, you will no longer have any control over your
computer, thus no downloading, no installing/removing, no property
changes, no system restore, etc, etc.
      

      

      

      

      AND FINALY:
      

      

      If
you simply must deactivate your default administrator, USE one of your
other user account with administrative rights TO DO SO.
      

      

      

      

      WHAT YOU MIGHT HAVE TO DO IF YOU SCREW UP:
      

      

      Burn all your documents, videos, pictures, and any programs you can to DVD-R, and kiss the rest of it good bye, then:
      

      

      

      RE-INSTALL WINDOWS, PRAYING YOU REGAIN CONTROL OVER YOUR COMPUTER, AND NEVER DO THAT AGIAN!!!!!

This advice is incredibly poor and even dangerous.

ALWAYS password protect account access, administrator or otherwise. Make a password reset disk for Windows accounts and keep it in a safe place. NEVER give the Guest user in Windows or any other routine user administrative or superuser access.

ALWAYS backup your data on a regular basis and test your backups. Your data is MUCH more valuable than your machines or software. That way WHEN (not if) your hardware, software, OS or another human hoses your installation, you can restore your data with little or no loss of it.

Most of the advice from that post is contrary to best practices. The remainder just doesn't make any sense or is entirely ridiculous. At first, it seemed like an attempt to deliberately misdirect users to configure their systems to be vulnerable to attack. However, it may just be the misguided rantings of a user who damaged their system through their own inexperience.


NUMBER THREE: Steps for enabling disabled administrator account      Andrey Zakharov   |   Edit   |   Show History
If you havent any administrator accounts, and was disabled Administrator account, you can reboot PC in Safe Mode (administrator account will be enabled, but just for Safe Mode), login with administrator account and then manualy enable it (it was still have disabled account icon :)). Now you can reboot PC in normal mode and login with Administrator.
Tags What's this?: Add a tag
Flag as ContentBug
BEFORE YOU DO IT !!!!!!!      milesware   |   Edit   |   Show History
I think people should know all the RISK involved before even attempting activating the DEFAULT ADMIMINASTRATOR ACCOUNT!
These words of advice are just from somebody's first hand experince in screwing it up. You won't have to take any word for it.

Before you start this proccess, make sure your computer is not hooked up to an active INTERNET SURVER or PHONE LINE.

OK NOW......

NUMBER ONE:

ALWAYS make sure there are TWO or MORE user accounts with administrative rights AT ALL TIMES! Do this to make sure your plain "B" has a plain "C". In fact, allow a geust account WITHOUT GIVING IT A PASSWORD administrative rights temporaly, just to insure your plain "C" has even a plain "D", this action should only be done by the OWNER, just as an insurerance that control over the computer will never be lost, by simply useing another user account in the case one account is deactivated or deleted.


NUMBER TWO:

It is not always nessasery to create a new password for your defualt or any administrator, while using it just for a couple modifacations. Theres always a good chance you might forget your new passwords while trying to keep up with all your other file transformations, you need to do at the time. It also NOT nessusary to turn off system restore during this action, as you can always defrage data files later.


NUMBER THREE:

NEVER under any sercumstances should the defualt administrator, be deactivated BY the defualt administrator mistakingly, using "net user administrator /active:no" WITHOUT haveing another user account WITH administrative rights, you will no longer have any control over your computer, thus no downloading, no installing/removing, no property changes, no system restore, etc, etc.



AND FINALY:

If you simply must deactivate your default administrator, USE one of your other user account with administrative rights TO DO SO.



WHAT YOU MIGHT HAVE TO DO IF YOU SCREW UP:

Burn all your documents, videos, pictures, and any programs you can to DVD-R, and kiss the rest of it good bye, then:


RE-INSTALL WINDOWS, PRAYING YOU REGAIN CONTROL OVER YOUR COMPUTER, AND NEVER DO THAT AGIAN!!!!!
Flag as ContentBug
© 2012 Microsoft. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Page view tracker