Why is the Administrator account disabled by default?

[bjp106]

What is the point in disabling the Administrator account by default?

 

[Zidane24]

What is the point in disabling the Administrator account by default?

Security and more Security...If you enable the full Admin account and a virus gets control of your system than be prepared to waive the white flag...

 

[Zidane24]

Having the Admin account disabled allows a layer of safety. It is for your own good to leave that admin account disabled...

 

[Lordbob75]

It is also for protection against yourself. If you are full admin, and make a bad install, or delete something you should not, your screwed. That is why as well.

~Lordbob

 

[toughbook]

Oh hell:shock: I better make some changes

 

[Lordbob75]

Oh hell:shock: I better make some changes

Yeah, you don't want to use that as your default. Even a regular admin is better.

Limited would be best, but most people don't do that.

~Lordbob

 

[bjp106]

Ok, so now on my Win7 box.

I have 2 accounts:

Administrator (which I dont use and is enabled
And My account, which is also an administrator

I definitely see where you are coming from now. Why have 2 administrator accounts, right? But I just can't see my self switching to a Limited Account. But definitely disable the Administrator account.

 

[Zidane24]

Ok, so now on my Win7 box.

I have 2 accounts:

Administrator (which I dont use and is enabled
And My account, which is also an administrator

I definitely see where you are coming from now. Why have 2 administrator accounts, right? But I just can't see my self switching to a Limited Account. But definitely disable the Administrator account.

There is basically 4 levels to accounts

Admin
Admin (User Based)
Limited (User Based)
Guest

Most people are fine with the second level. The first level is really for the System itself.

 

[bjp106]

Ok thanks,

so then why NEED the full administrator account then?

 

[Lordbob75]

Ok thanks,

so then why NEED the full administrator account then?

For certain higher level activities that most people would never even need to think about.

~Lordbob

 

[H2SO4]

Ok, so now on my Win7 box.

I have 2 accounts:

Administrator (which I dont use and is enabled
And My account, which is also an administrator

I definitely see where you are coming from now. Why have 2 administrator accounts, right? But I just can't see my self switching to a Limited Account. But definitely disable the Administrator account.

There is basically 4 levels to accounts

Admin
Admin (User Based)
Limited (User Based)
Guest

Most people are fine with the second level. The first level is really for the System itself.

There's no functional difference between the in-built admin account and any other admin accounts created post-installation. All administrator accounts have full and unlimited power over the machine. The in-built account has special protection against deletion and lockout (due to lockout policy) for obvious reasons - deleting the last admin account would be unfortunate.

From a strict security perspective, anyone with physical access to a machine is an admin.

Also, the "the System" doesn't tend to use "the Admin" account, much. That's what the "System" account is for

 

[Zidane24]

Ok, so now on my Win7 box.

I have 2 accounts:

Administrator (which I dont use and is enabled
And My account, which is also an administrator

I definitely see where you are coming from now. Why have 2 administrator accounts, right? But I just can't see my self switching to a Limited Account. But definitely disable the Administrator account.

There is basically 4 levels to accounts

Admin
Admin (User Based)
Limited (User Based)
Guest

Most people are fine with the second level. The first level is really for the System itself.

There's no functional difference between the in-built admin account and any other admin accounts created post-installation. All administrator accounts have full and unlimited power over the machine. The in-built account has special protection against deletion and lockout (due to lockout policy) for obvious reasons - deleting the last admin account would be unfortunate.

From a strict security perspective, anyone with physical access to a machine is an admin.

Also, the "the System" doesn't tend to use "the Admin" account, much. That's what the "System" account is for

Thanks for the extended info. I always thought that the higher admin had some additional privileges.

 

[Zidane24]

H2SO4...would you recommend using the built in account?

 

[H2SO4]

H2SO4...would you recommend using the built in account?

Bit of background first...

NT was the first Windows flavour to earn a "C2" security rating. Short version: "this is a sufficiently secure OS for government use, as long as you post an armed guard outside the room and disallow physical access to unauthorised staff."

The implication of physical access is that any software-based security can be circumvented. You've locked down your machine and the admin account has a 64-char random passphrase? No big deal. Somebody with physical access can still boot into another OS and rummage round. This principle is demonstrated all the time by Xbox modders and the like - somebody with physical access has defeated even the most carefully thought-out security scheme, and one which was partially implemented in hardware for that matter.

Differences between in-built and other "admin" accounts:

There are no significant differences, except for the aforementioned deletion protection for the in-built account. Anybody with admin privileges can inspect, modify, disrupt, or destroy the workings of any app or the OS itself, plus they can free themselves from any attempts to hobble their particular account. This is frequently misunderstood by management in large organisations whose "domain admins" groups have over time accumulated 376 separate accounts. They panic because they realise that far too many people have unrestricted access to the company's systems and data, and they seek ways to "limit some of the administrators". That of course fails, because admins cannot be limited, and then they're left with needing to reorganise their security design. Telling Joe from Marketing that he no longer has admin rights is always a political bunfight.

Re "using the in-built admin account":

As with all admin accounts, they should only be used for those system administration tasks which require admin privileges, as I believe you and others have already said on this thread. For daily tasks, a low-privilege (non-admin) account is perfectly sufficient, and it is much safer. Always logging on using (any) admin account, reading email, browsing the web, downloading shareware, and doing everything else as an admin is just askin' for it

EDIT: Oh, one more thing. The in-built admin account is not entirely disabled by default. On non-domain-joined machines, which would include most of ours here, if there are no other admin accounts the in-built one can be used to log on in safe mode, irrespective of whether it has first been "enabled" or not. Again, it's done so that there's no possibility of finding yourself with only one admin account - which happens to be locked out because it was never "enabled"

 

[davehc]

If you open the Control Panel > Administrative Tools > Local Security
Policy > Local Policies > User Rights Management , you can see the different options at a glance.
The computer administrator account is intended for someone who can make system-wide changes to the computer, install programs, and access all files on the computer. Only a user with computer administrator account has full access to other user accounts on the computer. This user can create and delete user accounts on the computer.
Create account passwords for other user accounts on the computer.
Change other people's account names, pictures, passwords, and account types.
There will always be at least one user with a computer administrator account on the computer.

Limited Account
The limited account is intended for someone who should be prohibited from changing most computer settings and deleting important files. A user with a limited account cannot install software or hardware, but can access programs that have already been installed on the computer.
Change his or her account picture and can also create, change, or delete his or her password.
Not change his or her account name or account type. A user with a computer administrator account must make these kinds of changes.
The security aspect (IMO!) is vastly overrated. It is oft quoted from an original statement and I do not consider it any longer appliceable. Hacking and intrusion methods have improved considerably since the remark was first muted. A hacker with average skills could, as easily, get onto your computer and damage any portion of the software, whether you are the Global or user Admin. I do not think the two separate applications of the Adminstartive accounts were ever, by Microsoft, designed for security purposes, other than the careless ability to accidentaly erase something which would be irretrievable. Some may, correctly, interpret this as a security feature.

 

[alexpinca]

Ok, so this is protecting my system from me...but it is also stopping me from using my laptop. I have a number of jpg that i restored from a backup that it won't let open. I am in as an administrator but I'm starting to understand re-installing windows 7 is for guru's and not novices. How do I get full control of my system.

 

[bobtran]

Activate the built-in Administrator account:
In an elevated (run as admin) command prompt -> "net user administrator /active"
It will now show up as an additional account on the login screen.

Now go and password protect the account with a STRONG password and only use it as the account of last resort (ie: if your normal user admin acct gets crosswise or corrupt). Do NOT use it for normal day to day anything.

 

[gregrocker]

I've always run as hidden Administrator and never had any problem. I can reimage my HD in 15 minutes if need be but have never had to because of running as Admin.

I try to discourage friends from running as hidden Admin but a number have insisted I install it that way for them. None of them have any problems because they know what they're doing and use common sense.

Those who work in the Security field are like paramedics who see so many accidents they want safety bars on everything. I respect them and their views. But I do installs and am always trying to smooth the sailing for owners, who may insist they want to take on the risk for the extra freedom.

Turning off UAC gives you much the same thing. Again: you need to know what you're doing.

 

[osama79]

Thanks everyone this is news tome. I never knew this. My questions is i am deploying 80 Dell computers and they come with windows 7. During the setup the setup asks you name a user name. Do i make that administrator? this would be the sencond level admin? as above mentioned and keep the admin account disabled? Thanks guys.

 

[fseal]

Ok, so this is protecting my system from me...but it is also stopping me from using my laptop. I have a number of jpg that i restored from a backup that it won't let open. I am in as an administrator but I'm starting to understand re-installing windows 7 is for guru's and not novices. How do I get full control of my system.

You HAVE full control.

If you want to transfer or add ownership of the jpegs from your old account to a new one then you use your inbuilt admin powers that you have right now to do so.

If you did not transfer or copy your user account id from whoever made those images to your laptop then Windows thinks they belong to another user. You can fix that using the admin powers of your user account. (Assuming that it really is a permission issue)

One nice quick way is this: http://www.sevenforums.com/tutorials/1911-take-ownership-shortcut.html

It's the same on Linux and even Mac where you run as a normal user then you elevate yourself to admin when neccessary to perform admin tasks but then are back at user level for the other 99% of the time you are on the machine.