Andreas Gieryic
asked on
Administrator account in Windows 7 Professional
This may be a simple question and I may be reading into this too much
I have several brand new Dell PC's running Window 7 Professional that I support running as a standalone PC or on a "peer to peer" network attached connected to a Windows Server 2003 or Windows Server 2008. (If in Active Directory, I wouldn’t be posting this)
My Question:
In Windows XP, the local Administrator account is always "Enabled" by default.
In Windows 7, Pro, it's "Disabled" by default. Why is that?
I've run into situations where the I needed the Administrator account but couldn’t logon because it was disabled. Some programs like the "awful TrendMicro AV program" that glues itself to the O/S makes it difficult to uninstall at times. Sometimes it’s not an option to NOT include it when ordering a new Dell computer. Even though the account I created is an Administrator equivalent, the program, on a few occasions, wanted me to log on as the administrator. So I logged on as the user, enabled the Administrator account, logged on as the administrator and was able to delete the TrendMicro AV program
Anyway, in other circumstances, I had an issue where the user logon profile was corrupted and needed to log on as the Administrator. I had to boot the PC with a Linux tool to enable the Administrator account and I was able to logon as the Administrator
If I leave the Administrator account enabled with a secure password, then obviously the Administrator account shows up on the Logon screen (unlike XP). I’m sure there is a setting to disable seeing the administrator account on the desktop.
As an IT support person, I know it’s a “security thing” but it’s a pain when supporting users remotely. I use the same very strong password for the administrator for each client for all their PC’s. I know that the Administrator account is always clean. Yes, I do know it the PC in AD, I wouldn’t have to worry about this
Sometimes running “peer to peer” makes total sense for small networks
I just wanted to get some experienced feedback from other tech’s that support Windows 7 PC’s
Thanks!
I have several brand new Dell PC's running Window 7 Professional that I support running as a standalone PC or on a "peer to peer" network attached connected to a Windows Server 2003 or Windows Server 2008. (If in Active Directory, I wouldn’t be posting this)
My Question:
In Windows XP, the local Administrator account is always "Enabled" by default.
In Windows 7, Pro, it's "Disabled" by default. Why is that?
I've run into situations where the I needed the Administrator account but couldn’t logon because it was disabled. Some programs like the "awful TrendMicro AV program" that glues itself to the O/S makes it difficult to uninstall at times. Sometimes it’s not an option to NOT include it when ordering a new Dell computer. Even though the account I created is an Administrator equivalent, the program, on a few occasions, wanted me to log on as the administrator. So I logged on as the user, enabled the Administrator account, logged on as the administrator and was able to delete the TrendMicro AV program
Anyway, in other circumstances, I had an issue where the user logon profile was corrupted and needed to log on as the Administrator. I had to boot the PC with a Linux tool to enable the Administrator account and I was able to logon as the Administrator
If I leave the Administrator account enabled with a secure password, then obviously the Administrator account shows up on the Logon screen (unlike XP). I’m sure there is a setting to disable seeing the administrator account on the desktop.
As an IT support person, I know it’s a “security thing” but it’s a pain when supporting users remotely. I use the same very strong password for the administrator for each client for all their PC’s. I know that the Administrator account is always clean. Yes, I do know it the PC in AD, I wouldn’t have to worry about this
Sometimes running “peer to peer” makes total sense for small networks
I just wanted to get some experienced feedback from other tech’s that support Windows 7 PC’s
Thanks!
ASKER
I'm not sure if you understood my question. Using your command is the same as "enabling" the administrator account. I'm familiar with that. If I cant logon as the User, then I cant go to a command prompt to enable the administrator. That brings me back to logging on in safe mode or using a "password" tool
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
There's a couple other good reasons why the Administrator account disabled by default:
1) There is no longer confusion between the built-in administrator account, and the domain administrator account.
2) It patches the vulnerability where you could easily circumvent a user's account password by logging in as Administrator with no password.
#2 is a big one. It is a huge glaring security hole having an Administrator account with no password enabled by default. Your average home user doesn't know about it, and when they put a password on their account they expect their computer is secure.
But in pre-Vista versions of Windows this isn't so - all you have to do is sit physically at the computer and log in as Administrator and bang! You've bypassed the user's security!
Previous versions of Windows have assumed that only authorized users could have physical access to the machine (thus an Administrator user with no password was not considered valid authentication for network resources like shared folders or remote desktop), but as time has gone on this has been demonstrated to be insufficient and somebody at Microsoft made an executive decision.
Now it is true - if the user gets locked out of their own account (user forgets their password, corrupted profile etc.) you're a bit screwed - you have to use a password reset tool of some kind or yank the hard drive to get back in. That's annoying, but honestly how often does that really happen?
1) There is no longer confusion between the built-in administrator account, and the domain administrator account.
2) It patches the vulnerability where you could easily circumvent a user's account password by logging in as Administrator with no password.
#2 is a big one. It is a huge glaring security hole having an Administrator account with no password enabled by default. Your average home user doesn't know about it, and when they put a password on their account they expect their computer is secure.
But in pre-Vista versions of Windows this isn't so - all you have to do is sit physically at the computer and log in as Administrator and bang! You've bypassed the user's security!
Previous versions of Windows have assumed that only authorized users could have physical access to the machine (thus an Administrator user with no password was not considered valid authentication for network resources like shared folders or remote desktop), but as time has gone on this has been demonstrated to be insufficient and somebody at Microsoft made an executive decision.
Now it is true - if the user gets locked out of their own account (user forgets their password, corrupted profile etc.) you're a bit screwed - you have to use a password reset tool of some kind or yank the hard drive to get back in. That's annoying, but honestly how often does that really happen?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Frosty555 - Great feedback!!! Your one mentioning "run as an administrator" I'm very familiar with when installing - but trying to uninstall is another issue when you need administrative rights to do so. Most uninstallers don’t have the issue I ran into with TrendMicro.
As I'm reading your comment, it appears its still safer and secure to leave the local administrator account disabled vs. leaving it enabled with a very tight password.
Jeorge, links helped me confirm that the Adminstrator's account is alway enabled in "safe-mode". Thanks!
As I'm reading your comment, it appears its still safer and secure to leave the local administrator account disabled vs. leaving it enabled with a very tight password.
Jeorge, links helped me confirm that the Adminstrator's account is alway enabled in "safe-mode". Thanks!
Open a command prompt run as adminstrator
net user administrator /active:yes
You now have a administrator logon with no password.
In control panel manage users add password