Administrator Account

How to Enable or Disable the Real Built-in Administrator Account in Vista
Synopsis
The hidden built-in Administrator account in Vista acts like the one in XP with full rights and no UAC. This will show you how to enable or disable the real built-in Administrator user account.
Information
In Vista, even though you are using an administrator account, you still run with Standard account privileges. When a program or an action by you tries to run with administrator rights, you must first give it permission before it is allowed. This is User Account Control (UAC). The hidden real built-in Administrator account does not use UAC and is like the one in XP, with full rights on your computer. For more information, see: Microsoft Help and Support: KB942956
Warning
If you enable the hidden built-in Administrator account, it is recommended that you do not use this account all the time, since everything installed and running on your computer will also have full access to the computer. Instead, I would recommend that you use it for administrative purposes only, and then use a Standard or normal administrator user account that is restricted for everyday tasks for better security.
Note

  • This will not delete your current account. It just adds a new account named Administrator that is the real administrator account in Vista.
  • If you do not have any other administrator account on your computer, then you will automatically start up in the built-in Administrator account when you boot into Safe Mode.





Here's How:
2. To Enable the Hidden Built-In Administrator Account
A) In the elevated command prompt, type the command below and press Enter.
net user administrator /active:yes

B) Go to step 7.

3. To Disable the Hidden Built-in Administrator Account
WARNING: Make sure you are not logged into the built-in Administrator account when trying to disable it. You must be logged into a normal administrator account to do this instead. It will not work if you try to disable the built-in Administrator account while you are still logged on to it.
A) In the elevated command prompt, type the command below and press Enter.
net user administrator /active:no


4. You will get the message, The command completed successfully. If not, repeat the step.
NOTE: If you are still unable to enable the built-in Administrator account from here, then try this again in Safe Mode instead.
5. Close the elevated command prompt.
6. Log off (in Start Menu) and you will see your new built-in Administrator account next to your current account(s).

7. Click on the new Administrator account display picture icon and log on to it.
8. You should create a password for this account for better security.
9. You will then need to set up its desktop preferences like any other account.
That's it,
Shawn




Shawn Brink
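
An added example, not part of the original tutorial: a Windows PowerShell check that reports whether the built-in Administrator account is enabled after following the steps above. It assumes Windows PowerShell 2.0 or later with WMI (`Get-WmiObject` is not available in PowerShell 7); the function name `Get-BuiltinAdministratorState` is hypothetical, and the account is found by its well-known RID 500 so that a rename does not hide it.

```powershell
# Added example: audit the built-in Administrator account on the local machine.
# Assumes Windows PowerShell 2.0 or later with WMI (Get-WmiObject).
function Get-BuiltinAdministratorState {
    # LocalAccount=True keeps the query to accounts defined on this computer.
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

    # The built-in Administrator always has RID 500, whatever it is named.
    $builtin = $accounts | Where-Object { $_.SID -match '^S-1-5-21-.+-500$' }
    if (-not $builtin) {
        throw "No local account with RID 500 was found."
    }

    $findings = @()
    if (-not $builtin.Disabled) {
        $findings += "ENABLED: everything run under this account has full rights with no UAC prompt."
    }
    if (-not $builtin.PasswordRequired) {
        # This is the account's 'password required' flag, not proof that a
        # password is or is not currently set.
        $findings += "The account is not flagged as requiring a password."
    }
    if ($builtin.Name -eq 'Administrator') {
        $findings += "The logon name is still the default 'Administrator'."
    }

    New-Object PSObject -Property @{
        Name             = $builtin.Name
        FullName         = $builtin.FullName
        SID              = $builtin.SID
        Enabled          = (-not $builtin.Disabled)
        PasswordRequired = $builtin.PasswordRequired
        Findings         = $findings
    }
}

$state = Get-BuiltinAdministratorState
$state | Format-List Name, FullName, SID, Enabled, PasswordRequired
if ($state.Findings.Count -eq 0) {
    "No findings: the built-in Administrator is disabled, renamed and requires a password."
} else {
    $state.Findings
}
```

After running `net user administrator /active:no`, the Enabled field should read False.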

Comments

Hello Gary,

I don't mind at all. :)

Q1) By default, there is not a password set for the built-in Administrator account. This could vary with OEM systems though. If the OEM set a password at the factory, then they will usually have instructions letting you know what the default password is so that you will be able to use and change it later.

Q2) It will not affect UAC at all for any other user account on the computer. Only a standard user account will still have to provide any administrator's password in a UAC prompt to allow it.

Q3) The built-in Administrator account is an elevated administrator that has full access and control of everything on the computer without ever getting a UAC prompt asking for permission first. Even with UAC turned on and set to the top level. It's not recommended to use the built-in Administrator for everyday use because of this. Since the built-in Administrator has full access, so does everything that is running while logged in to the built-in Administrator. Enabling the built-in Administrator, setting a strong password, and disabling the built-in Administrator would be a smart decision to help keep people from being able to log on to it. Another good idea would be to also rename the built-in Administrator to something other than "Administrator" to help prevent people from trying to reset the password for it as well.

Hope this helps.
Hi Shawn,
Sounds fine. I enabled the root Administrator, managed the account to rename it and set a password, then disabled it again. I did a few things and got an elevated Administrator prompt, which worked fine when clicking "OK". So, it seems to be unaffected by the changes. The name change is just for the full name, as apparently the username remains the same. That makes sense, as the registry would need some significant updates to revise all of the references.
But anyway, in order to enable the root administrator, someone needs to be logged on as an administrator anyway, so there isn't any real security improvement with the rename and password change. If you're an admin, you can manage anyone's account to remove a password and then set a new one as well. Despite all this, in the end it can't hurt anyway. :)
Nope, because you could also enable the built-in Administrator at boot through a command prompt, and with several other hacks as well. A rename and password protection help to prevent this.
Ah, I see what you mean now. This would have to be a break-in at the computer itself, because someone couldn't trigger a reboot remotely and then have access to the command prompt, right?