Export (0) Print
Expand All
6 out of 29 rated this helpful - Rate this topic

Enable and Disable the Built-in Administrator Account

Updated: October 20, 2013

Applies To: Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

The built-in Administrator account helps you run programs and apps as an administrator before a user account is created. This account is used when you log into the system by using audit mode, or when you add scripts to the auditUser configuration pass.

Did you mean…

  • For information about Windows notifications that ask for an administrator account, see User Account Control.

You can enable the built-in Administrator account during unattended installations by setting the AutoLogon setting to Administrator in the Microsoft-Windows-Shell-Setup component. This will enable the built-in Administrator account, even if a password is not specified in the AdministratorPassword setting.

You can create an answer file by using Windows® System Image Manager (Windows SIM).

The following sample answer file shows how to enable the Administrator account, specify an Administrator password, and automatically log on to the system.

noteNote
Both the Microsoft-Windows-Shell-Setup\Autologon section and the Microsoft-Windows-Shell-Setup\UserAccounts\AdministratorPassword section are needed for automatic logon in audit mode to work. The auditSystem configuration pass must include both these settings.

The following XML output shows how to set the appropriate values:

   <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <AutoLogon>
         <Password>
            <Value>SecurePasswd123</Value> 
            <PlainText>true</PlainText> 
         </Password>
         <Username>Administrator</Username> 
         <Enabled>true</Enabled> 
         <LogonCount>5</LogonCount> 
      </AutoLogon>
      <UserAccounts>
         <AdministratorPassword>
            <Value>SecurePasswd123</Value> 
            <PlainText>true</PlainText> 
         </AdministratorPassword>
      </UserAccounts>
   </component>

To prevent having to enter a password for the built-in Administrator account after you complete the out-of-box experience, set Microsoft-Windows-Shell-Setup\UserAccounts\AdministratorPassword in the oobeSystem configuration pass.

The following XML output shows how to set the appropriate values:

            <UserAccounts>
                <AdministratorPassword>
                    <Value>SecurePasswd123</Value>
                    <PlainText>true</PlainText>
                </AdministratorPassword>
            </UserAccounts>

For Windows Server® 2012, the built-in Administrator password must be changed at first logon. This prevents the built-in Administrator account from having a blank password by default.

If the computer has not yet gone through Out-Of-Box Experience (OOBE), you can enter the built-in Administrator account by re-entering audit mode. For more information, see Boot Windows to Audit Mode or OOBE.

Change the properties of the Administrator account by using the Local Users and Groups Microsoft Management Console (MMC).

  1. Open MMC, and then select Local Users and Groups.

  2. Right-click the Administrator account, and then select Properties.

    The Administrator Properties window appears.

  3. On the General tab, clear the Account is Disabled check box.

  4. Close MMC.

Administrator access is now enabled.

For new installations, after the end user creates a user account in OOBE, the built-in Administrator account is disabled.

For upgrade installations, the built-in Administrator account remains enabled when there is no other active local administrator on the computer, and when the computer is not joined to a domain.

  1. Run the sysprep /generalize command

    When you run the sysprep /generalize command, the next time that the computer starts, the built-in Administrator account will be disabled.

  2. Use the net user command

    Run the following command to disable the Administrator account:

    net user administrator /active:no
    

    You can run this command after you configure the computer and before you deliver the computer to a customer.

Original equipment manufacturers (OEMs) and system builders are required to disable the built-in administrator account before delivering the computers to customers. To do this, you can use either of the following methods.

  • When you run the sysprep /generalize command on Windows Server 2012 and Windows Server 2008 R2, the Sysprep tool resets the built-in Administrator account password. The Sysprep tool only clears the built-in Administrator account’s password for server editions, not for client editions. The next time that the computer starts, Setup displays a prompt for a password.

    noteNote
    In Windows Server 2012, Windows Server 2008 R2, and Windows Server® 2008, the default password policy requires a strong password for all user accounts. To configure a weak password, you can use an answer file that includes the Microsoft-Windows-Shell-Setup\UserAccounts\AdministratorPassword setting. You cannot configure a weak password, either manually or by using a script such as the net user command.

See Also

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.