Built in Administrator acct ?


  1. RWB
    Posts : 22
    Win7 Home Premium 64bit
       #1

    Built in Administrator acct ?


    I'm re-evaluating my user accts security and also adding a new standard permission user in addition to my old original user acct (which has Administration privileges). I've run across some reading about a Built in Admin account that is set to OFF starting with Vista on up. But it says it can be activated without a password.

    I kinda feel like I need to activate this built in Admin acct and then give it a password for security.

    Appreciate any info on this, as in should I (or do I need to ) do this ?

    And what is the best way to go about doing this ?


  2. Posts : 72,046
    64-bit Windows 11 Pro for Workstations
       #2

    Hello RWB, :)

    If you like, you could also rename the built-in "Administrator" account using OPTION TWO in the tutorial below so that it no longer has the default "Administrator" name.

    Built-in Administrator Account - Change Name

    Afterwards, you can enable the built-in Administrator, create a password for it, then disable the account again.

    Built-in Administrator Account - Enable or Disable

    Password - Create for a User Account


  3. RWB
    Posts : 22
    Win7 Home Premium 64bit
    Thread Starter
       #3

    Brink said:
    Hello RWB, :)
    If you like, you could also rename the built-in "Administrator" account using OPTION TWO in the tutorial below so that it no longer has the default "Administrator" name.
    Built-in Administrator Account - Change Name

    Afterwards, you can enable the built-in Administrator, create a password for it, then disable the account again.
    Built-in Administrator Account - Enable or Disable
    Password - Create for a User Account
    Thanks, I have Win7 Home Premium edition and I can't get to any of the windows methods of access.
    So I tried Option 2 in the Cmd shell. But I ran into a problem, it will not let me activate the acct ?
    I've put the output below.

    First I did,
    net user administrator /active:yes
    I get System error 5 has occurred.
    Access is denied.
    --------
    So then I did this,
    net user administrator
    and got the following,

    User name Administrator
    Full Name
    Comment Built-in account for administering the computer/domain
    User's comment
    Country code 000 (System Default)
    Account active No
    Account expires Never

    Password last set 11/20/2010 11:57:24 PM
    Password expires Never
    Password changeable 11/20/2010 11:57:24 PM
    Password required Yes
    User may change password Yes

    Workstations allowed All
    Logon script
    User profile
    Home directory
    Last logon 4/27/2015 7:41:57 PM

    Logon hours allowed All

    Local Group Memberships *Administrators
    Global Group memberships *None
    The command completed successfully.
    -----------
    Got any ideas what I'm up against with this ?


  4. Posts : 72,046
    64-bit Windows 11 Pro for Workstations
       #4

    RWB,

    You will need to open an elevated command prompt instead to be able to run the command. :)

    (Right click on cmd.exe, and click on "Run as administrator")


  5. RWB
    Posts : 22
    Win7 Home Premium 64bit
    Thread Starter
       #5

    Ok since my last reply I've tried a few things I gathered on a search.
    One thing of note though from my previous post, the readout section that gave
    ---
    Password last set 11/20/2010 11:57:24 PM
    Password expires Never
    Password changeable 11/20/2010 11:57:24 PM
    Password required Yes
    User may change password Yes
    ---
    Obviously (to me) this designates that this disabled Admin acct has (had) a password (?). I don't remember giving it one, maybe it came like that. Not sure how it is still good since 2010 (when I bought the laptop) because in early 2015 I did a full recover and had to reinstall from the Acer partition recovery of windows and then install my apps and everything. But I guess it's possible the old built in password survives a full recovery (?)
    Ok, moving on,
    First I booted to safe mode
    and then from a cmd shell I tried to activate the Admin again,
    net user administrator /active:yes
    it gives,
    The command completed successfully.
    ------
    and then I tried giving it a new password in like,
    net user administrator newpswd
    it gives,
    The command completed successfully.
    -----
    So ok I'm moving forward, I guess all I need to do now is (in the cmd shell) disable the Admin acct again.
    But I'm thinking ? how is this secure if I (anyone in safe mode with an Admin acct privilege) just change the password without having to know the old password ???
    So far this seems like wasted semantics.
    So then I reboot out of safe mode back to my old user acct. I can now see the Admin Acct in the User Accts of the Control Panel (well at least till I disable it).

    But what have I really accomplished if windows will let anybody activate this acct and change the password in safe mode ?
    Well one thing I'd like to express for your comment, is that even though a human sitting at my laptop could do what I did, . . I guess this might make it harder (or impossible ?) for a virus code to use this acct OR could a virus code also reboot to safe mode and do what I just did ?


  6. Posts : 72,046
    64-bit Windows 11 Pro for Workstations
       #6

    Yeah, anyone with physical access to the computer will eventually be able to hack it.

    You might also rename the built-in Administrator account to make it harder since the default name is not the same anymore.


  7. Posts : 721
    Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
       #7

    RWB, It’s good that you’re striving for precautions, but setting a password on the builtin Administrator account is not going to return much security.

    RWB said:
    Password last set 11/20/2010 11:57:24 PM
    Password expires Never
    Password changeable 11/20/2010 11:57:24 PM
    Password required Yes
    User may change password Yes
    ---
    Obviously (to me) this designates that this disabled Admin acct has (had) a password (?).
    Lies. If you never gave it a password, it never had a password, despite whatever that “Password last set” entry says. The “Password last set” entry will always be populated, whether or not the account actually has a password set. Try the command on a new user and see for yourself.

    RWB said:
    First I booted to safe mode
    Booting into safe mode was not necessary. You’ve taken the long route here.

    RWB said:
    So ok I'm moving forward, I guess all I need to do now is (in the cmd shell) disable the Admin acct again.
    An account does not have to be active for its password to be changed.

    RWB said:
    But I'm thinking ? how is this secure if I (anyone in safe mode with an Admin acct privilege) just change the password without having to know the old password ???
    Because the account you used to change the password is password protected itself, right?

    RWB said:
    But what have I really accomplished if windows will let anybody activate this acct and change the password in safe mode ?
    That ‘anybody’ would have to be logged in to an administrative account—all of which should be password protected.


    Sorry, but your comments make Windows seem far less secure than it really is. You shouldn’t need to have to create safeguards like this.


  8. RWB
    Posts : 22
    Win7 Home Premium 64bit
    Thread Starter
       #8

    Pyprohly said:
    RWB, It’s good that you’re striving for precautions, but setting a password on the builtin Administrator account is not going to return much security.
    . . . . . . . .
    Booting into safe mode was not necessary. You’ve taken the long route here.
    Oh ok so then since I was in an Admin privilege acct I could have just run the Cmd shell AS an Admin.

    Pyprohly said:
    An account does not have to be active for its password to be changed.

    RWB said:
    But I'm thinking ? how is this secure if I (anyone in safe mode with an Admin acct privilege) just change the password without having to know the old password ???
    Because the account you used to change the password is password protected itself, right?

    RWB said:
    But what have I really accomplished if windows will let anybody activate this acct and change the password in safe mode ?
    That ‘anybody’ would have to be logged in to an administrative account—all of which should be password protected.

    Sorry, but your comments make Windows seem far less secure than it really is. You shouldn’t need to have to create safeguards like this.
    Thanks to both replies, you've been a big help to an old retired guy. Ok, so then when I booted Safe Mode it went to the previously logged into acct (before rebooting to safe mode). So if instead a person coming thru the guest acct (with no password) rebooted to Safe Mode they'd be still in the guest restricted acct and could not access the Admin acct, or at least I assume without the password.

    This sounds better, so then as long as an existing admin acct doesn't setup a new acct with admin privilege and then give that password to a user, then NONE of the other user (non-admin accts) can access any Admin acct or the actions thereof, without the password of the admin acct. They can't even boot to safe mode and do it, OR they can't even run an app "as an administrator" .

    Am I correct so far ?

    Also I noticed when I switch users from one user to another, seems like in my old XP machine it came up showing Icons with the various User Names to choose from. But with this Win7 I'm running it doesn't do that, it just gives you the SWITCH USER button below and when you click it you have to type in the desired User Name on your own. Is this just a facet of the cheaper Home Premium edition or is there a way I can change that ?


  9. Posts : 721
    Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
       #9

    RWB said:
    Am I correct so far ?
    Affirmative.

    RWB said:
    Also I noticed when I switch users from one user to another, seems like in my old XP machine it came up showing Icons with the various User Names to choose from. But with this Win7 I'm running it doesn't do that, it just gives you the SWITCH USER button below and when you click it you have to type in the desired User Name on your own. Is this just a facet of the cheaper Home Premium edition or is there a way I can change that ?
    Hm. That isn’t default. It should be like your XP machine, where users are listed as icons and only passwords are required to logon. Though your current configuration is more secure, you may choose to revert to the default setting using Option One, step 2 in the tutorial linked below.

    Log On with User Name and Password


  10. Posts : 2,468
    Windows 7 Ultimate x64
       #10

    The built-in administrator account is just one more account in the system, pretty much like any other admin out there. It has the very same capabilities as any other admin, and has been included in every NT-based Windows version, from 3.51 up to Win10.

    There is no point at all in enable/change password/disable, that achieves nothing in terms of security (it doesn't hurt either). By keeping it disabled, you prevent anyone from logging into it, even if they knew the right password. The password in fact becomes totally irrelevant for a disabled account, nobody will ever be able to use it until it's enabled.

    Now, the only way to enable a user account is to use another user account that has administrative privileges in itself. If an attacker (or a virus, or whatever) gets access to another admin account, they can just use that one to wreak havoc in the system, they're already in, so there is no need to bother enabling the default admin. If the attacker can use a standard account, they won't be able to enable or set passwords for any other account, so you're mostly safe.

    The usual recommended setup is to use 2 accounts, one for normal usage without administrative rights and another admin account that you use when touching something system-wide. That's the situation where UAC shines, as it allows easy access to the admin account from within a standard one, given the right user/password.


    Brink said:
    If you like, you could also rename the built-in "Administrator"
    There is no point in that either. That at most achieves "security through obscurity", as anyone knowing the name will still be able to login, and the name is easy to find out anyway. Usernames are meant to be public (the Windows login loves to disclose the valid usernames for instance). Secrecy should be in the password instead.


    RWB said:
    Obviously (to me) this designates that this disabled Admin acct has (had) a password (?).
    Yes, that's correct. Every account in Windows always has a password. Just remember that the blank password is a perfectly valid one and will be treated the same as any other (even though it's blatantly wrong to have an empty password, Windows will happily accept it). That date shows when the password was set to be blank. If not done by you, it could have been at the very least the time of the OS install.


    RWB said:
    But I'm thinking ? how is this secure if I (anyone in safe mode with an Admin acct privilege) just change the password without having to know the old password ???
    The requirement for that to succeed is that the account doing the change must be an administrator in itself. That's one of the "powers" of the admin account, they can reset any password for any account. When using a regular account that cannot be done. And if an attacker gets hold of an admin account, you're toast. He can do anything with the system with an admin account, that's why it's important to safeguard those as much as possible, and use a regular account for most normal activities.
    Remember your first try, you were greeted by an "access denied", until you used "run as administrator" as pointed by Brink.


    RWB said:
    This sounds better, so then as long as an existing admin acct doesn't setup a new acct with admin privilege and then give that password to a user, then NONE of the other user (non-admin accts) can access any Admin acct or the actions thereof, without the password of the admin acct. They can't even boot to safe mode and do it, OR they can't even run an app "as an administrator" .
    That's correct. An admin can do literally anything in a system (including access all files, modify anything or setup backdoors). That's why it's important to keep the admin password secret and hard to guess, and never use such account for normal activities that don't strictly require administrative access.
    A normal account is restricted to his own profile, and to read some things in the system, but can't do anything to other accounts passwords or data. "Run as administrator" from a normal account just asks for an admin password, and won't continue without a correct one.
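A read-only check of the setup discussed in posts #7 to #10 (which local accounts are administrators, and whether the built-in Administrator is still disabled), added here as an example and not posted by any participant in the thread. It finds the built-in account by its well-known SID suffix `-500` instead of by name, so a rename does not hide it from the audit; the column names in the output are this example's own.

```powershell
# Added example: read-only audit of local accounts.
# Uses WMI classes so it also runs on the PowerShell 2.0 shipped with Windows 7.

# Local Administrators group, looked up by its well-known SID (S-1-5-32-544)
# so a renamed or localized group name does not matter.
$adminGroup = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"

# Names of the user accounts that belong to that group.
# (Nested groups and domain principals are out of scope for this home-PC check.)
$adminNames = @(
    $adminGroup.psbase.GetRelated('Win32_UserAccount') |
        ForEach-Object { $_.Name }
)

Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
    New-Object PSObject -Property @{
        Name             = $_.Name
        # The built-in Administrator always has a SID ending in -500,
        # whatever the account has been renamed to.
        BuiltInAdmin     = ($_.SID -like 'S-1-5-21-*-500')
        Enabled          = (-not $_.Disabled)
        IsAdministrator  = ($adminNames -contains $_.Name)
        # Same flag that "net user" prints as "Password required".
        # It does not reveal whether the current password is blank.
        PasswordRequired = $_.PasswordRequired
    }
} | Select-Object Name, BuiltInAdmin, Enabled, IsAdministrator, PasswordRequired |
    Sort-Object Name |
    Format-Table -AutoSize
```

For the two-account setup recommended in post #10, the expected result is one enabled row with `IsAdministrator` True that is used only for system changes, the everyday account with `IsAdministrator` False, and the `BuiltInAdmin` row with `Enabled` False.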


 