Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Why is the Administrator account disabled by default?

24 Sep 2009   #11
H2SO4

Win7x64
 
 

Quote   Quote: Originally Posted by Zidane24 View Post
Quote   Quote: Originally Posted by bjp106 View Post
Ok, so now on my Win7 box.

I have 2 accounts:

Administrator (which I dont use and is enabled
And My account, which is also an administrator

I definitely see where you are coming from now. Why have 2 administrator accounts, right? But I just can't see my self switching to a Limited Account. But definitely disable the Administrator account.
There is basically 4 levels to accounts

Admin
Admin (User Based)
Limited (User Based)
Guest

Most people are fine with the second level. The first level is really for the System itself.
There's no functional difference between the in-built admin account and any other admin accounts created post-installation. All administrator accounts have full and unlimited power over the machine. The in-built account has special protection against deletion and lockout (due to lockout policy) for obvious reasons - deleting the last admin account would be unfortunate.

From a strict security perspective, anyone with physical access to a machine is an admin.

Also, the "the System" doesn't tend to use "the Admin" account, much. That's what the "System" account is for


My System SpecsSystem Spec
.
24 Sep 2009   #12
Zidane24

Windows 7 Home Premium x64 - Mac OS X 10.6.4 x64
 
 

Quote   Quote: Originally Posted by H2SO4 View Post
Quote   Quote: Originally Posted by Zidane24 View Post
Quote   Quote: Originally Posted by bjp106 View Post
Ok, so now on my Win7 box.

I have 2 accounts:

Administrator (which I dont use and is enabled
And My account, which is also an administrator

I definitely see where you are coming from now. Why have 2 administrator accounts, right? But I just can't see my self switching to a Limited Account. But definitely disable the Administrator account.
There is basically 4 levels to accounts

Admin
Admin (User Based)
Limited (User Based)
Guest

Most people are fine with the second level. The first level is really for the System itself.
There's no functional difference between the in-built admin account and any other admin accounts created post-installation. All administrator accounts have full and unlimited power over the machine. The in-built account has special protection against deletion and lockout (due to lockout policy) for obvious reasons - deleting the last admin account would be unfortunate.

From a strict security perspective, anyone with physical access to a machine is an admin.

Also, the "the System" doesn't tend to use "the Admin" account, much. That's what the "System" account is for
Thanks for the extended info. I always thought that the higher admin had some additional privileges.
My System SpecsSystem Spec
24 Sep 2009   #13
Zidane24

Windows 7 Home Premium x64 - Mac OS X 10.6.4 x64
 
 

H2SO4...would you recommend using the built in account?
My System SpecsSystem Spec
.

24 Sep 2009   #14
H2SO4

Win7x64
 
 

Quote   Quote: Originally Posted by Zidane24 View Post
H2SO4...would you recommend using the built in account?
Bit of background first...

NT was the first Windows flavour to earn a "C2" security rating. Short version: "this is a sufficiently secure OS for government use, as long as you post an armed guard outside the room and disallow physical access to unauthorised staff."

The implication of physical access is that any software-based security can be circumvented. You've locked down your machine and the admin account has a 64-char random passphrase? No big deal. Somebody with physical access can still boot into another OS and rummage round. This principle is demonstrated all the time by Xbox modders and the like - somebody with physical access has defeated even the most carefully thought-out security scheme, and one which was partially implemented in hardware for that matter.

Differences between in-built and other "admin" accounts:

There are no significant differences, except for the aforementioned deletion protection for the in-built account. Anybody with admin privileges can inspect, modify, disrupt, or destroy the workings of any app or the OS itself, plus they can free themselves from any attempts to hobble their particular account. This is frequently misunderstood by management in large organisations whose "domain admins" groups have over time accumulated 376 separate accounts. They panic because they realise that far too many people have unrestricted access to the company's systems and data, and they seek ways to "limit some of the administrators". That of course fails, because admins cannot be limited, and then they're left with needing to reorganise their security design. Telling Joe from Marketing that he no longer has admin rights is always a political bunfight.

Re "using the in-built admin account":

As with all admin accounts, they should only be used for those system administration tasks which require admin privileges, as I believe you and others have already said on this thread. For daily tasks, a low-privilege (non-admin) account is perfectly sufficient, and it is much safer. Always logging on using (any) admin account, reading email, browsing the web, downloading shareware, and doing everything else as an admin is just askin' for it

EDIT: Oh, one more thing. The in-built admin account is not entirely disabled by default. On non-domain-joined machines, which would include most of ours here, if there are no other admin accounts the in-built one can be used to log on in safe mode, irrespective of whether it has first been "enabled" or not. Again, it's done so that there's no possibility of finding yourself with only one admin account - which happens to be locked out because it was never "enabled"
My System SpecsSystem Spec
25 Sep 2009   #15
davehc
Microsoft MVP

Vista and now 7 in 32 and 64 bit.
 
 

If you open the Control Panel > Administrative Tools > Local Security
Policy > Local Policies > User Rights Management , you can see the different options at a glance.
The computer administrator account is intended for someone who can make system-wide changes to the computer, install programs, and access all files on the computer. Only a user with computer administrator account has full access to other user accounts on the computer. This user can create and delete user accounts on the computer.
Create account passwords for other user accounts on the computer.
Change other people's account names, pictures, passwords, and account types.
There will always be at least one user with a computer administrator account on the computer.

Limited Account
The limited account is intended for someone who should be prohibited from changing most computer settings and deleting important files. A user with a limited account cannot install software or hardware, but can access programs that have already been installed on the computer.
Change his or her account picture and can also create, change, or delete his or her password.
Not change his or her account name or account type. A user with a computer administrator account must make these kinds of changes.
The security aspect (IMO!) is vastly overrated. It is oft quoted from an original statement and I do not consider it any longer appliceable. Hacking and intrusion methods have improved considerably since the remark was first muted. A hacker with average skills could, as easily, get onto your computer and damage any portion of the software, whether you are the Global or user Admin. I do not think the two separate applications of the Adminstartive accounts were ever, by Microsoft, designed for security purposes, other than the careless ability to accidentaly erase something which would be irretrievable. Some may, correctly, interpret this as a security feature.
My System SpecsSystem Spec
07 Oct 2010   #16
alexpinca

Win 7 64bit
 
 

Ok, so this is protecting my system from me...but it is also stopping me from using my laptop. I have a number of jpg that i restored from a backup that it won't let open. I am in as an administrator but I'm starting to understand re-installing windows 7 is for guru's and not novices. How do I get full control of my system.
My System SpecsSystem Spec
08 Oct 2010   #17
bobtran

Windows 7 Ultimate x64
 
 

Activate the built-in Administrator account:
In an elevated (run as admin) command prompt -> "net user administrator /active"
It will now show up as an additional account on the login screen.

Now go and password protect the account with a STRONG password and only use it as the account of last resort (ie: if your normal user admin acct gets crosswise or corrupt). Do NOT use it for normal day to day anything.
My System SpecsSystem Spec
08 Oct 2010   #18
gregrocker

 

I've always run as hidden Administrator and never had any problem. I can reimage my HD in 15 minutes if need be but have never had to because of running as Admin.

I try to discourage friends from running as hidden Admin but a number have insisted I install it that way for them. None of them have any problems because they know what they're doing and use common sense.

Those who work in the Security field are like paramedics who see so many accidents they want safety bars on everything. I respect them and their views. But I do installs and am always trying to smooth the sailing for owners, who may insist they want to take on the risk for the extra freedom.

Turning off UAC gives you much the same thing. Again: you need to know what you're doing.
My System SpecsSystem Spec
10 Jun 2011   #19
osama79

Windows 7 pro
 
 

Thanks everyone this is news tome. I never knew this. My questions is i am deploying 80 Dell computers and they come with windows 7. During the setup the setup asks you name a user name. Do i make that administrator? this would be the sencond level admin? as above mentioned and keep the admin account disabled? Thanks guys.
My System SpecsSystem Spec
10 Jun 2011   #20
fseal

Windows 7 x64 Ultimate
 
 

Quote   Quote: Originally Posted by alexpinca View Post
Ok, so this is protecting my system from me...but it is also stopping me from using my laptop. I have a number of jpg that i restored from a backup that it won't let open. I am in as an administrator but I'm starting to understand re-installing windows 7 is for guru's and not novices. How do I get full control of my system.
You HAVE full control.

If you want to transfer or add ownership of the jpegs from your old account to a new one then you use your inbuilt admin powers that you have right now to do so.

If you did not transfer or copy your user account id from whoever made those images to your laptop then Windows thinks they belong to another user. You can fix that using the admin powers of your user account. (Assuming that it really is a permission issue)

One nice quick way is this: Take Ownership Shortcut

It's the same on Linux and even Mac where you run as a normal user then you elevate yourself to admin when neccessary to perform admin tasks but then are back at user level for the other 99% of the time you are on the machine.
My System SpecsSystem Spec
Reply

 Why is the Administrator account disabled by default?




Thread Tools




Similar help and support threads
Thread Forum
User Administrator Account won't allow Administrator Privilages
Hi, I'm running Win 7 Pro x64 and Office 2007. I installed a Bluetooth transceiver recently and developed a problem when replying to email in Outlook 2007. When I select an email to reply, the email editor pops up with a "Custom UI Runtime Error in Send to Bluetooth." The solution to this issue...
General Discussion
How to copy my profile settings to the default Administrator account
I need to replace the system's Administrator profile settings with my own -- or copy my profile to that account. (I know. It's dangerous. Bla bla bla! I built this computer myself and I run my other Win7-x86 computer this way. I NEED the extra access the account provides.) This is Windows...
General Discussion
Renaming the administrator account back to Administrator
Hi, I have an Acer laptop which came with one user account, Acer, with the administrator right. When I tried to rename it to Administrator or administrator, I got an messages saying that user name has already existed. How do I rename Acer to Administrator? Thanks.
General Discussion
Default User Account (Administrator) acts like Standard Account
I am using Windows 7 Pro 64x and apparently the default user account (Owner) that I use is not working correctly. Unless I have UAC set to Never Notify, I cannot open Control Panel or UAC again. When I try, I get the error message listed below. I have created a second user account as Administrator...
General Discussion
registry editing disabled from administrator account
i cannot edit the registry from my administrator account. is it a default setting in windows 7 or something is wrongly configured???. if wrongly configured then what to do to enable it???thanks in advance!!
General Discussion
Admin Account Disabled By Default
Just loaded 7 and the administrator account is disabled by default. Now since the only account available is a guest account, how do I get logged in as the administrator? How do I make it active with no admin rights?
Installation & Setup


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 21:49.
Twitter Facebook Google+ Seven Forums iOS App Seven Forums Android App