Some days ago, I stumbled across an article over at MS Windows Vista Compatible Software that explains how to enable or disable the Windows 7 built-in Administrator account. At first I thought that Microsoft must have changed something in Windows 7 with regard to the local administrator account. However, after reading the article, it became clear that everything is as is in Vista.

Latest posts by Michael Pietroforte (see all)

But, this is not the topic of this post. It is about the "word of caution" at the beginning of the article. Sekhy, the author of the article, warns his readers not to "tamper around" with the Administrator account. Ever since Microsoft decided to disable the built-in Administrator account in Windows Vista, there is a myth about the magical powers of the "true administrator account" circulating on the net. Hence, those people who don't really know about these true powers should not dare to use the supersecret administrator account.

Enable-built-in-administrator-account There are myriads of articles on the web that explain how to enable the built-in Administrator account in Windows Vista. Usually they tell you the "command line trick" (net user administrator /active: yes) which makes the whole thing look like even more of a secret, that is, knowledge only real hackers have. (You probably know this other myth that "true administrators" work on the command prompt.) Usually these articles don't tell you that the built-in Administrator account can also just be enabled through the Local Users and Groups snap-in or simply Computer Management, just like the Guest account which is also disabled by default. What I find interesting is that I wasn't able to find one article that also tells you what these magical, super secret, true administrator powers are.

Well, there are indeed a few differences between members of the administrators group and the built-in administrator account. Let's see how powerful they really are:

The built-in Administrator account and UAC (User Account Control)

Approval mode for the local Administrator account is disabled by default. There is a special Group Policy setting where this behavior can be changed: "Admin Approval Mode for the Built-in Administrator account". Running Vista in Admin Approval Mode is nothing other than running Vista with UAC enabled. Hence, this simply means that UAC is disabled by default for the built-in Administrator account.

UAC-built-in-accountOf course you can change these setting also for all other administrator accounts by disabling UAC through the User accounts applet in the Control Panel or by disabling the policy "Run all administrators in Admin Approval Mode". Note that this doesn't just disable the UAC prompts like if you set the policy "Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Elevate without prompting". It disables UAC altogether, which basically means that every program an administrator launches will be elevated automatically. You can test this if you save a file with notepad in the Windows folder. If UAC is enabled you can't do that if you didn't elevate notepad before.

Thus the main difference between the built-in Administrator account and all other admins is that every program will run with elevated privileges. Since these default settings can be changed for the built-in admin account and the other administrator accounts there are no super secret powers involved here.

The local Administrator account and the "run as administrator" function

Another myth is that every time you launch a program with admin privileges it runs under the built-in Administrator account. I suppose Windows’ "run as administrator" function is the origin of this myth. The fact that you can use this function even if the local Administrator account is disabled should make it clear that there is no such connection between the two. You also can't launch a program under the local Administrator account using the runas command line tool if this account is disabled. Perhaps the term "run as administrator" is a bit misleading. What this function really does is to run programs with elevated privileges or more precisely at the high integrity level, which can be done by every account that is a member of the Administrators group.

Modifying the built-in Administrator account

Another difference to other accounts is that the local Administrator account can't be deleted. Moreover, you can't remove this account from the built-in Administrators group. However, as noted above, it can be disabled which is the case by default. It is also possible to rename the local Administrator account.

Legacy applications and the built-Administrator account

There are some legacy applications that can only be installed or run using the built-in Administrator account. I haven't encountered such an application for a while. As far as I know, this behavior has nothing to do with special capabilities of the local Administrator account; it is just a matter of bad programming. If you rename the built-in Administrator account and create a new one called "Administrator" these programs will just use this new account.

Basically the super powers of the Administrator account boil down to the differences with regard to the default UAC settings. As far as I know, there is nothing that can be done with the built-in Administrator account which can’t be done with a member account of the administrators group. Please, tell me if I am wrong.

By the way, Vista really has this super powerful account, just that it is not the built-in Administrator. It is the TrustedInstaller service (Windows Module Installer service), which can modify everything on a Vista machine, in particular system files. However, that is the topic of another story.

Subscribe to 4sysops newsletter!

In one of my next posts, I will address a related myth, the myth about the standard user in Windows Vista.

  1. Avatar
    Lukas Beeler 15 years ago

    As an addition, the local Administrator account also has a “well known SID”.

    I’ve seen an application that checked if your SID ended in 500 and otherwise refused to work.

  2. Avatar
    anonymuos 15 years ago

    Is this the same admin account that TweakUI can enable/disable? Then it’s been the same from Windows XP, not Windows Vista. In Windows 2000, the admin account was the default. In Windows XP, the blue OOBE wizard forces you to create another account different from the admin account. If you Ctrl+Alt+Del after the OOBE wizard starts, you can login using the Admin account without creating another admin account.

  3. Avatar

    Lukas, yes you are right. There are no limits when it comes to bad programming.

    anonymuos, if I remember it right, then the built-in admin account in Windows XP is hidden by default for standalone machines. On domain members the built-in admin account is not disabled.

  4. Avatar
    brian 11 years ago

    not sure what has happen work laptop,I had same pass word, 6years, just bought 13 year old son windows 8, my lap top is a 32 bit windows vista, tried f8 & hit wrong button now it want go back ther on windows 8 I dont have a way to down load it. I tried downloading a free copy to reset pass words now I cant get that computer to work and its a special nuilt Dell to run our printers, for our printing company.wellborn promotiomal printing on Facebook or Brian wellnorn im shut down umtill I get some.body that knows whats goimg on.

Leave a reply

Please enclose code in pre tags: <pre></pre>

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account