Home  ›  How to Disable the Administrator Account in Windows 10

How to Disable the Administrator Account in Windows 10

Written By Thursday, November 25, 2021 Add Comment Edit

Windows OS Hub / Windows 10 / How to Enable/Disable the Built-in Administrator Account on Windows 10?

As you know, during Windows 10 installation the system prompts creating a user account and grants local administrator privileges to this account. However, during the installation another built-in (hidden) administrator account is created, which is disabled for security reasons. In this article we'll tell about the built-in Windows 10 Administrator account, what it is used for, how to enable or disable it, and reset the password.

Contents:

  • What is Built-in Administrator Account on Windows?
  • How to Enable the Built-in Administrator Account on Windows 10?
  • Lost Administrator Privileges (Password) on Windows 10

What is Built-in Administrator Account on Windows?

The Administrator account is created automatically during Windows installation and is used to initialize the operating system. This account is then disabled and the user is prompted to create their own account, which is added to the local Administrators group.

The built-in administrator account has full unlimited privileges on a computer. This account is not subject to UAC (User Account Control), and all programs are executed without a UAC prompt (this is an important difference from user accounts with administrator privileges). The built-in Administrator in Windows is somewhat similar to root in Linux – it has maximum rights on the system (not as NT AUTHORITY\SYSTEM, of course, but close ones).

You can enable UAC for the built-in Windows administrator by using the Group Policy option User Account Control: Admin Approval Mode for the Built-in Administrator account.

The built-in Administrator is disabled by default in Windows 10 and Windows Server 2016. This account cannot be removed or excluded from the Administrators group.

If you boot Windows in Safe or Recovery Mode, the administrator account is automatically enabled.

For security reasons, it is recommended to rename the built-in administrator account. This can be done manually, using LAPS or the GPO parameter Accounts: Rename administrator account under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

Renaming the administrator account somewhat reduces the risks, but the main problem is that its SID doesn't change. The built-in administrator account always has the well-known SID S-1-5-domain-500.

Tip. By default, the Administrator password is not set (empty).

hidden admiinstrator account on windows 10

Important. Microsoft doesn't recommend keeping the Administrator account enabled (active), or constantly work under it. You only need to enable the "Administrator" account if absolutely necessary to perform a specific task or troubleshoot. Don't use it to automatically log in to Windows.

How to Enable the Built-in Administrator Account on Windows 10?

Let's take a look at some simple ways to enable the built-in Administrator account in Windows 10.

The quickest and easiest way to activate the administrator account is from the command prompt (or PowerShell console) running with elevated privileges.

To do this, run the command:

net user administrator /active:yes

enable built-in admin on windows 10 using cmd: net user administrator /active:yes 

The command completed successfully.

As we said earlier, in modern versions of Windows, there is no password set for the administrator account. If a domain password complexity policy is applied to your computer, you may see the following message when you try to enable the administrator account:

The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

In this case, before enabling the administrator account, you need to set a password for it:

net user administrator *

Don't use a weak password for the built-in administrator (you can generate it using a simple PowerShell script).

can't enable the built-in administrator - The password does not meet the password policy requirements

If the previous command returns "The user name could not be found", most likely the administrator account on the computer has been renamed.

You can find out the name of the built-in administrator account on your computer by its known SID (at the end it necessarily contains -500). Use the command:

wmic useraccount where "SID like 'S-1-5-%-500'" get name

how to check built-in windows administrator account name by well-known SID 500

In this case, the built-in account has been renamed to admin. To enable it, run:

net user admin /active:yes

In order to list all local accounts:

net user

If you get an "System error 5 has occurred. Access is denied" when you try to enable the built-in Windows administrator, make sure that the cmd.exe or powershell.exe console is running as an administrator (elevated). Also check that your account is a member of the local Administrators group.

net user administrator /active:yes ACCESS IS DENIED

List the groups your account is member of:

whoami /all

In this example, user1 is not a member of the local Administrators group, and therefore doesn't have permissions to enable the administrator account.

whoami /all - get list of local groups a user is a member of

You can display a list of users in the local administrators group in Windows like this:

net localgroup administrators
net localgroup administrators - list members of a Windows group using cmd.

In this example, there are only two accounts in the Administrators group. If you don't know the password for any of them, then you don't have administrator rights on the computer. To enable the built-in administrator account and grant your user account local admin permissions, see the next section of the article

Note. This way to activate the built-in administrator account works in all Windows 10 editions. The other methods described below are not applicable to Home editions of Windows 10 which don't have the Computer and User Management snap-ins (compmgmt.msc and lusrmgr.msc) and the Local Group Policy Editor (gpedit.msc).

Open the MMC snap-in Local Users and Groups by entering lusrmgr.msc in the search bar or in the command prompt. In the console window, expand the Users section. Find the account named Administrator and double-click it, then uncheck Account is Disabled. Save the changes.

windows 10 enable built-in admin

The administrator account is now enabled. You can change its password in this console by selecting Set Password option in the context menu.

You can enable the built-in administrator account through the local GPO. Open the Local Group Policy Editor gpedit.msc (or Local Security Policy Editor — secpol.msc). Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Find Accounts: Administrator account status policy and set it to Enable.

Accounts: Administrator account status policy

Update the Group Policy settings with the command: gpupdate /force or just reboot your computer.

After enabling the administrator account in any of the above ways, it will be displayed on the Windows logon screen.

To disable the built-in administrator account, use the command

net user administrator /active:no

If you enabled the built-in Administrator through the Accounts: Administrator account status policy, you will have to disable it (or completely reset all local GPO settings).

Lost Administrator Privileges (Password) on Windows 10

There are situations when you have accidentally disabled your user account with administrator privileges or removed your account from local admins group. Let's look on how to enable the built-in Administrator or add your account to the local Administrators group (even if you can't logon Windows).

You need to boot your computer from a LiveCD (but not an MSDaRT recovery image) or a Windows 10 install media. The easiest way to create a bootable USB stick with a Windows 10 install image is using the Media Creation Tool.

Press Shift + F10 on the Windows Setup screen. A command prompt will open.

windows 10 setup screen

Now you need to determine which drive your Windows is installed on. Run diskpart and enter list vol. In my example, you see that Windows is located on the C: drive. This is the drive letter I will use in the following commands. Type exit to close the diskpart session.

list partiions in winpe mode

Run the following commands to create a copy of utilman.exe (Ease of Access applet) and replace it with the executable cmd.exe:
copy c:\windows\System32\utilman.exe c:\
copy c:\windows\System32\cmd.exe c:\windows\System32\utilman.exe

Reboot your computer:

wpeutil reboot

replace utilman with cmd on windows

Boot Windows normally. On the Windows login screen (with a list of accounts), press the Win + U keys combination.

A command prompt window will open with System privileges. To add your account to the local Administrators group, enable the built-in Windows administrator and reset its password, run the commands:

net localgroup administrators user1 /add
net user Administrator /active:yes
net user administrator *

windows 10 reset admin password from login screen via utilman.exe

Now you can logon Windows under built-in Administrator or your user account, which has been assigned the local administrator permissions.

Be sure to replace the original utilman.exe file. Boot from the install media again and run the command:

copy c:\utilman.exe c:\windows\System32\utilman.exe

How to Disable the Administrator Account in Windows 10

Source: http://woshub.com/enable-built-in-administrator-account-in-windows-10/

0 Response to "How to Disable the Administrator Account in Windows 10"

Post a Comment

Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel