Administrator account in Windows 7 Professional

This may be a simple question and I may be reading into this too much

I have several brand new Dell PC's running Windows 7 Professional that I support running as a standalone PC or on a "peer to peer" network attached connected to a Windows Server 2003 or Windows Server 2008. (If in Active Directory, I wouldn’t be posting this)

My Question:
In Windows XP, the local Administrator account is always "Enabled" by default.
In Windows 7, Pro, it's "Disabled" by default. Why is that?

I've run into situations where I needed the Administrator account but couldn’t logon because it was disabled. Some programs like the "awful TrendMicro AV program" that glues itself to the O/S makes it difficult to uninstall at times. Sometimes it’s not an option to NOT include it when ordering a new Dell computer. Even though the account I created is an Administrator equivalent, the program, on a few occasions, wanted me to log on as the administrator. So I logged on as the user, enabled the Administrator account, logged on as the administrator and was able to delete the TrendMicro AV program.

Anyway, in other circumstances, I had an issue where the user logon profile was corrupted and needed to log on as the Administrator. I had to boot the PC with a Linux tool to enable the Administrator account and I was able to logon as the Administrator

If I leave the Administrator account enabled with a secure password, then obviously the Administrator account shows up on the Logon screen (unlike XP). I’m sure there is a setting to disable seeing the administrator account on the desktop.

As an IT support person, I know it’s a “security thing” but it’s a pain when supporting users remotely. I use the same very strong password for the administrator for each client for all their PC’s. I know that the Administrator account is always clean. Yes, I do know if the PC is in AD, I wouldn’t have to worry about this.

Sometimes running “peer to peer” makes total sense for small networks

I just wanted to get some experienced feedback from other tech’s that support Windows 7 PC’s
Andreas Gieryic (Computer Networking, Owner) asked:

Frosty555 commented:
The administrator account is disabled by default. And rightly so. There are several reasons, but if you are familiar with Linux it is the same argument as to why you should never use the "root" user directly. Administrator = root user. A user who is a member of the Administrators group on the system is comparable to a Linux user with sudo privileges.

In Windows XP, a virus could "infect your whole computer instantly", because every process that ever runs on the system was granted full blown administrator rights to the whole computer. Every process, no matter how small or insignificant, was given a free golden pass to the whole computer. This is way too dangerous and is a recipe for disaster, it's the reason why XP is so vulnerable to virus attack - programs can maliciously or accidentally modify the system and break it.

Windows Vista and 7 introduced a whole new paradigm shift for security - the concept that you CAN'T TRUST even the local running processes on the computer. Not even in a home environment. You have to treat every running process as hostile until explicitly okay'd by the user. For this reason most processes in Windows run with limited user privileges, EVEN IF the logged in user is a member of the Administrators group. This way most processes can't edit system files, touch certain settings or registry entries, or do anything that could be really damaging. 99% of the time there is no reason for a process on the computer to need that kind of access anyways so it's not a problem.

When a process really needs to do something that requires Administrator rights (e.g. a Setup.exe that installs a program, Control Panel, etc), it must elevate itself to the Administrator level. Only users who are members of the Administrator group may do this. This is very similar to how "sudo" works in Linux.

When a process requests elevation, it causes Windows to pop up the "UAC" box and prompt the user if they're sure they want to "let this program make changes to your computer". You've probably been annoyed by this in Windows Vista. They toned it down a bit in Windows 7, but this is the true purpose of the UAC popups.

Now, the built-in "Administrator" account (NOT the domain administrator in an Active Directory environment, just the local built-in Administrator account) is not inhibited by such restrictions. My understanding is it runs elevated all the time. This makes Windows Vista/7 vulnerable to attack and is a major security risk, it's okay for the rare situation when you need it, but it is just too dangerous for day-to-day use. For this reason the Administrator account is disabled by default and you're NOT supposed to re-enable it.

Some programs (particularly old XP programs) don't know how to "elevate" to Administrator level because they were written before Microsoft invented that technology. For these programs you can elevate manually by right clicking and going to "Run As Administrator", to launch a process with automatically elevated rights.

The uninstaller for your "awful TrendMicro AV" probably didn't elevate automatically. If you right clicked and "Run As Administrator" it probably would have worked fine. Technically there is no difference between "Run As Administrator" and actually logging in as Administrator.

The command prompt works the same way. In Windows Vista you may have been annoyed by Vista's "broken command prompt" where certain commands caused the error "This command requires elevation", a cryptic error that most people didn't understand. In reality this was Windows telling you that the cmd.exe process was not running with elevated privileges. You need to run it using the "Run As Administrator" menu item first.

So that's the more detailed explanation about why the built-in Administrator account is a "security risk". I hope this clears things up for you. Now, you are more than welcome to enable the Administrator account manually if you really want, but it is at your own risk and Microsoft makes it a bit difficult to do for just that reason.
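The difference between being a member of the Administrators group and running elevated, described in the comment above, can be read from a process's own token. This is an added example, not code from the thread; the function name `Get-ElevationState` is hypothetical, and it assumes PowerShell 2.0 or later with `whoami.exe` on the path:

```powershell
# Added example (not from the thread): how UAC has shaped this process's token.
function Get-ElevationState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the Administrators SID is enabled in the token,
    # i.e. the process was started elevated.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group SID in the token, including the
    # Administrators entry that UAC leaves in place as deny-only.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $inAdmins = @($groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' }).Count -gt 0

    # The mandatory integrity label is reported as an S-1-16-* SID.
    $label = $groups | Where-Object { $_.Sid -like 'S-1-16-*' } |
        Select-Object -First 1
    $integrity = switch ($label.Sid) {
        'S-1-16-4096'  { 'Low' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-12288' { 'High' }
        'S-1-16-16384' { 'System' }
        default        { 'Unknown' }
    }

    New-Object PSObject -Property @{
        User                   = $identity.Name
        MemberOfAdministrators = $inAdmins
        Elevated               = $elevated
        IntegrityLevel         = $integrity
        # Administrators member running with the limited (filtered) token.
        FilteredAdminToken     = ($inAdmins -and -not $elevated)
    }
}

Get-ElevationState | Format-List
```

Run from a normal prompt as a member of Administrators, this reports `Elevated: False` with a Medium integrity level; from a "Run As Administrator" prompt the same user reports `Elevated: True` and High.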
Thomas Grassi (Systems Administrator) commented:
In Windows 7 you must activate the administrator account.

Open a command prompt, run as administrator:

net user administrator /active:yes

You now have an administrator logon with no password.

In Control Panel, manage users, add a password.
Andreas Gieryic (Computer Networking, Owner, Author) commented:
I'm not sure if you understood my question. Using your command is the same as "enabling" the administrator account. I'm familiar with that. If I can't logon as the User, then I can't go to a command prompt to enable the administrator. That brings me back to logging on in safe mode or using a "password" tool.

There's a couple other good reasons why the Administrator account is disabled by default:

1) There is no longer confusion between the built-in administrator account, and the domain administrator account.

2) It patches the vulnerability where you could easily circumvent a user's account password by logging in as Administrator with no password.

#2 is a big one. It is a huge glaring security hole having an Administrator account with no password enabled by default. Your average home user doesn't know about it, and when they put a password on their account they expect their computer is secure.

But in pre-Vista versions of Windows this isn't so - all you have to do is sit physically at the computer and log in as Administrator and bang! You've bypassed the user's security!

Previous versions of Windows have assumed that only authorized users could have physical access to the machine (thus an Administrator user with no password was not considered valid authentication for network resources like shared folders or remote desktop), but as time has gone on this has been demonstrated to be insufficient and somebody at Microsoft made an executive decision.

Now it is true - if the user gets locked out of their own account (user forgets their password, corrupted profile etc.) you're a bit screwed - you have to use a password reset tool of some kind or yank the hard drive to get back in. That's annoying, but honestly how often does that really happen?
Thomas Grassi (Systems Administrator) commented:
Do you want to create the local administrator account but not see it on the logon screen?

Then just do this:

- Start the Registry Editor
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- Right-click an empty space in the right pane and select New > DWORD Value
- Name the new value exactly as the Username
- Leave the Value data as 0
- If you want to enable this user again on the Welcome Screen, either double-click the Username value, and change the Value data to 1, or delete the Username
- Close the registry editor
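The registry steps above, together with a check of the built-in Administrator's state, can be scripted for the standalone PCs discussed in this thread. This is an added example, not code from the thread; the function names are hypothetical, it assumes PowerShell 2.0 or later, and `Hide-FromLogonScreen` needs an elevated prompt:

```powershell
# Added example (not from the thread): audit the built-in Administrator
# and the accounts hidden from the logon screen.
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' +
               '\Winlogon\SpecialAccounts\UserList'

function Get-BuiltinAdministrator {
    # RID 500 identifies the built-in account even if it has been renamed.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
}

function Get-HiddenLogonAccounts {
    # Value names under UserList are user names; data 0 means hidden.
    if (-not (Test-Path $userListKey)) { return @() }
    $key = Get-Item $userListKey
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 0) { $name }
    }
}

function Hide-FromLogonScreen([string]$UserName) {
    # Same result as the manual steps: DWORD named after the user, data 0.
    if (-not (Test-Path $userListKey)) {
        New-Item -Path $userListKey -Force | Out-Null
    }
    New-ItemProperty -Path $userListKey -Name $UserName `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

$admin  = Get-BuiltinAdministrator
$hidden = @(Get-HiddenLogonAccounts)

New-Object PSObject -Property @{
    Name             = $admin.Name
    Enabled          = -not $admin.Disabled
    # Account flag only: False means a blank password is permitted.
    PasswordRequired = $admin.PasswordRequired
    HiddenFromLogon  = $hidden -contains $admin.Name
    AllHiddenUsers   = $hidden -join ', '
} | Format-List

if (-not $admin.Disabled -and -not $admin.PasswordRequired) {
    Write-Warning "Built-in Administrator is enabled and may have no password."
}
```

Any name in `AllHiddenUsers` that nobody on the support side put there is worth reviewing, because a hidden account can still log on even though it is not shown on the Welcome Screen.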
Andreas Gieryic (Computer Networking, Owner, Author) commented:
Frosty555 - Great feedback!!! Your one mentioning "run as an administrator" I'm very familiar with when installing - but trying to uninstall is another issue when you need administrative rights to do so. Most uninstallers don’t have the issue I ran into with TrendMicro.

As I'm reading your comment, it appears it's still safer and secure to leave the local administrator account disabled vs. leaving it enabled with a very tight password.

Jeorge, links helped me confirm that the Administrator's account is always enabled in "safe-mode". Thanks!
Question has a verified solution.
