Windows 7 Forums



Windows 7: Built in Administrator acct ?

13 May 2016   #1
RWB

Win7 Home Premium 64bit
 
 
Built in Administrator acct ?

I'm re-evaluating my user accts security and also adding a new standard permission user in addition to my old original user acct (which has Administration privileges). I've run across some reading about a Built in Admin account that is set to OFF starting with Vista on up. But it says it can be activated without a password.

I kinda feel like I need to activate this built in Admin acct and then give it a password for security.

Appreciate any info on this, as in should I (or do I need to ) do this ?

And what is the best way to go bout doing this ?


13 May 2016   #2
Brink

64-bit Windows 10 Pro
 
 

Hello RWB,

If you like, you could also rename the built-in "Administrator" account using OPTION TWO in the tutorial below so that it no longer has the default "Administrator" name.

Built-in Administrator Account - Change Name

Afterwards, you can enable the built-in Administrator, create a password for it, then disable the account again.

Built-in Administrator Account - Enable or Disable

Password - Create for a User Account
14 May 2016   #3
RWB

Win7 Home Premium 64bit
 
 

Quote: Originally Posted by Brink
Hello RWB,
If you like, you could also rename the built-in "Administrator" account using OPTION TWO in the tutorial below so that it no longer has the default "Administrator" name.
Built-in Administrator Account - Change Name

Afterwards, you can enable the built-in Administrator, create a password for it, then disable the account again.
Built-in Administrator Account - Enable or Disable
Password - Create for a User Account

Thanks, I have Win7 Home Premium edition and I can't get to any of the windows methods of access.
So I tried Option 2 in the Cmd shell. But I ran into a problem, it will not let me activate the acct ?
I've put the output below.

First I did,
net user administrator /active:yes
I get System error 5 has occurred.
Access is denied.
--------
So then I did this,
net user administrator
and got the following,

User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country code                 000 (System Default)
Account active               No
Account expires              Never

Password last set            11/20/2010 11:57:24 PM
Password expires             Never
Password changeable          11/20/2010 11:57:24 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   4/27/2015 7:41:57 PM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
-----------
Got any ideas what I'm up against with this ?

14 May 2016   #4
Brink

64-bit Windows 10 Pro
 
 

RWB,

You will need to open an elevated command prompt instead to be able to run the command.

(Right click on cmd.exe, and click on "Run as administrator")
14 May 2016   #5
RWB

Win7 Home Premium 64bit
 
 

Ok since my last reply I've tried a few things I gathered on a search.
One thing of note though from my previous post, the readout section that gave
---
Password last set 11/20/2010 11:57:24 PM
Password expires Never
Password changeable 11/20/2010 11:57:24 PM
Password required Yes
User may change password Yes
---
Obviously (to me) this designates that this disabled Admin acct has (had) a password (?). I don't remember giving it one, maybe it came like that. Not sure how it is still good since 2010 (when I bought the laptop) because in early 2015 I did a full recover and had to reinstall from the Acer partition recovery of windows and then install my apps and everything. But I guess it's possible the old built in password survives a full recovery (?)
Ok, moving on,
First I booted to safe mode
and then from a cmd shell I tried to activate the Admin again,
net user administrator /active:yes
it gives,
The command completed successfully.
------
and then I tried giving it a new password in like,
net user administrator newpswd
it gives,
The command completed successfully.
-----
So ok I'm moving forward, I guess all I need to do now is (in the cmd shell) disable the Admin acct again.
But I'm thinking ? how is this secure if I (anyone in safe mode with an Admin acct privilege) just change the password without having to know the old password ???
So far this seems like wasted semantics.
So then I reboot out of safe mode back to my old user acct. I can now see the Admin Acct in the User Accts of the Control Panel (well at least till I disable it).

But what have I really accomplished if windows will let anybody activate this acct and change the password in safe mode ?
Well one thing I'd like to express for your comment, is that even though a human sitting at my laptop could do what I did, . . I guess this might make it harder (or impossible ?) for a virus code to use this acct OR could a virus code also reboot to safe mode and do what I just did ?
14 May 2016   #6
Brink

64-bit Windows 10 Pro
 
 

Yeah, anyone with physical access to the computer will eventually be able to hack it.

You might also rename the built-in Administrator account to make it harder since the default name is not the same anymore.
14 May 2016   #7
Pyprohly

Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
 
 

RWB, It’s good that you’re striving for precautions, but setting a password on the builtin Administrator account is not going to return much security.

Quote: Originally Posted by RWB
Password last set 11/20/2010 11:57:24 PM
Password expires Never
Password changeable 11/20/2010 11:57:24 PM
Password required Yes
User may change password Yes
---
Obviously (to me) this designates that this disabled Admin acct has (had) a password (?).

Lies. If you never gave it a password, it never had a password, despite whatever that “Password last set” entry says. The “Password last set” entry will always be populated, whether or not the account actually has a password set. Try the command on a new user and see for yourself.

Quote: Originally Posted by RWB
First I booted to safe mode

Booting into safe mode was not necessary. You’ve taken the long route here.

Quote: Originally Posted by RWB
So ok I'm moving forward, I guess all I need to do now is (in the cmd shell) disable the Admin acct again.

An account does not have to be active for its password to be changed.

Quote: Originally Posted by RWB
But I'm thinking ? how is this secure if I (anyone in safe mode with an Admin acct privilege) just change the password without having to know the old password ???

Because the account you used to change the password is password protected itself, right?

Quote: Originally Posted by RWB
But what have I really accomplished if windows will let anybody activate this acct and change the password in safe mode ?

That ‘anybody’ would have to be logged in to an administrative account—all of which should be password protected.


Sorry, but your comments make Windows seem far less secure than it really is. You shouldn’t need to have to create safeguards like this.
14 May 2016   #8
RWB

Win7 Home Premium 64bit
 
 

Quote: Originally Posted by Pyprohly
RWB, It’s good that you’re striving for precautions, but setting a password on the builtin Administrator account is not going to return much security.
. . . . . . . .
Booting into safe mode was not necessary. You’ve taken the long route here.

Oh ok so then since I was in an Admin privilege acct I could have just run the Cmd shell AS an Admin.

Quote: Originally Posted by Pyprohly
An account does not have to be active for its password to be changed.

Quote: Originally Posted by RWB
But I'm thinking ? how is this secure if I (anyone in safe mode with an Admin acct privilege) just change the password without having to know the old password ???
Because the account you used to change the password is password protected itself, right?

Quote: Originally Posted by RWB
But what have I really accomplished if windows will let anybody activate this acct and change the password in safe mode ?
That ‘anybody’ would have to be logged in to an administrative account—all of which should be password protected.

Sorry, but your comments make Windows seem far less secure than it really is. You shouldn’t need to have to create safeguards like this.

Thanks to both replies, you've been a big help to an old retired guy. Ok, so then when I booted Safe Mode it went to the previously logged into acct (before rebooting to safe mode). So if instead a person coming thru the guest acct (with no password) rebooted to Safe Mode they'd be still in the guest restricted acct and could not access the Admin acct, or at least I assume without the password.

This sounds better, so then as long as an existing admin acct doesn't setup a new acct with admin privilege and then give that password to a user, then NONE of the other user (non-admin accts) can access any Admin acct or the actions thereof, without the password of the admin acct. They can't even boot to safe mode and do it, OR they can't even run an app "as an administrator" .

Am I correct so far ?

Also I noticed when I switch users from one user to another, seems like in my old XP machine it came up showing Icons with the various User Names to choose from. But with this Win7 I'm running it doesn't do that, it just gives you the SWITCH USER button below and when you click it you have to type in the desired User Name on your own. Is this just a facet of the cheaper Home Premium edition or is there a way I can change that ?
14 May 2016   #9
Pyprohly

Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
 
 

Quote: Originally Posted by RWB
Am I correct so far ?

Affirmative.

Quote: Originally Posted by RWB
Also I noticed when I switch users from one user to another, seems like in my old XP machine it came up showing Icons with the various User Names to choose from. But with this Win7 I'm running it doesn't do that, it just gives you the SWITCH USER button below and when you click it you have to type in the desired User Name on your own. Is this just a facet of the cheaper Home Premium edition or is there a way I can change that ?

Hm. That isn’t default. It should be like your XP machine, where users are listed as icons and only passwords are required to logon. Though your current configuration is more secure, you may choose to revert to the default setting using Option One, step 2 in the tutorial linked below.

Log On with User Name and Password
14 May 2016   #10
Alejandro85

Windows 7 Ultimate x64
 
 

The built-in administrator account is just one more account in the system, pretty much like any other admin out there. It has the very same capabilities as any other admin, and has been included in every NT-based Windows version, from 3.51 up to Win10.

There is no point at all in enable/change password/disable, that achieves nothing in terms of security (it doesn't hurt either). By keeping it disabled, you prevent anyone from logging into it, even if they knew the right password. The password in fact becomes totally irrelevant for a disabled account, nobody will ever be able to use it until it's enabled.

Now, the only way to enable a user account is to use another user account that has administrative privileges in itself. If an attacker (or a virus, or whatever) gets access to another admin account, they can just use that one to wreak havoc in the system, they're already in, so there is no need to bother enabling the default admin. If the attacker can use a standard account, they won't be able to enable or set passwords for any other account, so you're mostly safe.

The usual recommended setup is to use 2 accounts, one for normal usage without administrative rights and another admin account that you use when touching something system-wide. That's the situation where UAC shines, as it allows easy access to the admin account from within a standard one, given the right user/password.


Quote: Originally Posted by Brink
If you like, you could also rename the built-in "Administrator"

There is no point in that either. That at most achieves "security through obscurity", as anyone knowing the name will still be able to login, and the name is easy to find out anyway. Usernames are meant to be public (the Windows login loves to disclose the valid usernames for instance). Secrecy should be in the password instead.


Quote: Originally Posted by RWB
Obviously (to me) this designates that this disabled Admin acct has (had) a password (?).

Yes, that's correct. Every account in Windows always has a password. Just remember that the blank password is a perfectly valid one and will be treated the same as any other (even though it's blatantly wrong to have an empty password, Windows will happily accept it). That date shows when the password was set to be blank. If not done by you, it could have been at the very least the time of the OS install.


Quote: Originally Posted by RWB
But I'm thinking ? how is this secure if I (anyone in safe mode with an Admin acct privilege) just change the password without having to know the old password ???

The requirement for that to succeed is that the account doing the change must be an administrator in itself. That's one of the "powers" of the admin account, they can reset any password for any account. When using a regular account that cannot be done. And if an attacker gets hold of an admin account, you're toast. He can do anything with the system with an admin account, that's why it's important to safeguard those as much as possible, and use a regular account for most normal activities.
Remember your first try, you were greeted by an "access denied", until you used "run as administrator" as pointed out by Brink.


Quote: Originally Posted by RWB
This sounds better, so then as long as an existing admin acct doesn't setup a new acct with admin privilege and then give that password to a user, then NONE of the other user (non-admin accts) can access any Admin acct or the actions thereof, without the password of the admin acct. They can't even boot to safe mode and do it, OR they can't even run an app "as an administrator" .

That's correct. An admin can do literally anything in a system (including access all files, modify anything or setup backdoors). That's why it's important to keep the admin password secret and hard to guess, and never use such an account for normal activities that don't strictly require administrative access.
A normal account is restricted to his own profile, and to read some things in the system, but can't do anything to other accounts' passwords or data. "Run as administrator" from a normal account just asks for an admin password, and won't continue without a correct one.
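
Added example, not part of any post in this thread: a read-only PowerShell audit of the setup discussed above, showing which local accounts are enabled, which are administrators, and where the built-in Administrator stands. It relies on the well-known SIDs for the built-in Administrator (ending in -500) and the local Administrators group (S-1-5-32-544); the variable names and report columns are this example's own.

```powershell
# Added example: read-only audit of local accounts. Nothing is changed on the machine.
# Two identifiers are fixed by Windows regardless of renaming or display language:
#   built-in Administrator account -> SID ends in -500
#   local Administrators group     -> SID S-1-5-32-544

$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

# Resolve Administrators group membership by SID rather than by name.
$adminGroup = Get-WmiObject -Class Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$adminSids  = @($adminGroup.GetRelated('Win32_UserAccount') | ForEach-Object { $_.SID })

$report = foreach ($a in $accounts) {
    $isAdmin   = $adminSids -contains $a.SID
    $isBuiltIn = $a.SID -match '-500$'
    $enabled   = -not $a.Disabled

    $notes = @()
    if ($isBuiltIn -and $enabled) {
        $notes += 'built-in Administrator is enabled'
    }
    if ($isBuiltIn -and $a.Name -ne 'Administrator') {
        $notes += 'renamed, but the -500 SID still identifies it'
    }
    # PasswordRequired is an account flag (what "net user" prints as "Password required").
    # False means a blank password is permitted; True does not prove one is set.
    if ($isAdmin -and $enabled -and -not $a.PasswordRequired) {
        $notes += 'enabled admin account is allowed a blank password'
    }

    New-Object PSObject -Property @{
        Name = $a.Name; Enabled = $enabled; Admin = $isAdmin
        PasswordRequired = $a.PasswordRequired; Notes = ($notes -join '; ')
    }
}

$report | Select-Object Name, Enabled, Admin, PasswordRequired, Notes | Format-Table -AutoSize
```

On the two-account setup recommended in the thread, the expected result is the built-in Administrator shown as not enabled, one enabled password-protected admin account, and the everyday account with Admin set to False.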