Solved

Administrator account in Windows 7 Professional

Posted on 2013-01-03
Last Modified: 2016-11-23
This may be a simple question and I may be reading into this too much.

I have several brand new Dell PCs running Windows 7 Professional that I support, running as standalone PCs or on a "peer to peer" network connected to a Windows Server 2003 or Windows Server 2008. (If in Active Directory, I wouldn’t be posting this.)

My Question:
In Windows XP, the local Administrator account is always "Enabled" by default.
In Windows 7 Pro, it's "Disabled" by default. Why is that?

I've run into situations where I needed the Administrator account but couldn’t log on because it was disabled. Some programs, like the "awful TrendMicro AV program" that glues itself to the O/S, make it difficult to uninstall at times. Sometimes it’s not an option to NOT include it when ordering a new Dell computer. Even though the account I created is an Administrator equivalent, the program, on a few occasions, wanted me to log on as the administrator. So I logged on as the user, enabled the Administrator account, logged on as the administrator and was able to delete the TrendMicro AV program.

Anyway, in other circumstances, I had an issue where the user logon profile was corrupted and I needed to log on as the Administrator. I had to boot the PC with a Linux tool to enable the Administrator account, and I was able to log on as the Administrator.

If I leave the Administrator account enabled with a secure password, then obviously the Administrator account shows up on the Logon screen (unlike XP). I’m sure there is a setting to disable seeing the administrator account on the desktop.

As an IT support person, I know it’s a “security thing” but it’s a pain when supporting users remotely. I use the same very strong password for the administrator for each client for all their PCs. I know that the Administrator account is always clean. Yes, I do know that if the PC were in AD, I wouldn’t have to worry about this.

Sometimes running “peer to peer” makes total sense for small networks.

I just wanted to get some experienced feedback from other techs that support Windows 7 PCs.
Thanks!
0
Question by:agieryic
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38742514
In Windows 7 you must activate the administrator account.

Open a command prompt, run as administrator:

net user administrator /active:yes


You now have an administrator logon with no password.

In Control Panel, manage users and add a password.
0
 
LVL 1

Author Comment

by:agieryic
ID: 38742543
I'm not sure if you understood my question. Using your command is the same as "enabling" the administrator account. I'm familiar with that. If I can't log on as the User, then I can't go to a command prompt to enable the administrator. That brings me back to logging on in safe mode or using a "password" tool.
0
 
LVL 31

Accepted Solution

by:
Frosty555 earned 350 total points
ID: 38742613
The administrator account is disabled by default. And rightly so. There are several reasons, but if you are familiar with Linux it is the same argument as to why you should never use the "root" user directly. Administrator = root user. A user who is a member of the Administrators group on the system is comparable to a Linux user with sudo privileges.

In Windows XP, a virus could "infect your whole computer instantly", because every process that ever runs on the system was granted full blown administrator rights to the whole computer. Every process, no matter how small or insignificant, was given a free golden pass to the whole computer. This is way too dangerous and is a recipe for disaster, it's the reason why XP is so vulnerable to virus attack - programs can maliciously or accidentally modify the system and break it.

Windows Vista and 7 introduced a whole new paradigm shift for security - the concept that you CAN'T TRUST even the local running processes on the computer. Not even in a home environment. You have to treat every running process as hostile until explicitly okay'd by the user. For this reason most processes in Windows run with limited user privileges, EVEN IF the logged in user is a member of the Administrators group. This way most processes can't edit system files, touch certain settings or registry entries, or do anything that could be really damaging. 99% of the time there is no reason for a process on the computer to need that kind of access anyways so it's not a problem.

When a process really needs to do something that requires Administrator rights (e.g. a Setup.exe that installs a program, Control Panel, etc), it must elevate itself to the Administrator level. Only users who are members of the Administrator group may do this. This is very similar to how "sudo" works in Linux.

When a process requests elevation, it causes Windows to pop up the "UAC" box and prompt the user if they're sure they want to "let this program make changes to your computer". You've probably been annoyed by this in Windows Vista. They toned it down a bit in Windows 7, but this is the true purpose of the UAC popups.

Now, the built-in "Administrator" account (NOT the domain administrator in an Active Directory environment, just the local built-in Administrator account) is not inhibited by such restrictions. My understanding is it runs elevated all the time. This makes Windows Vista/7 vulnerable to attack and is a major security risk, it's okay for the rare situation when you need it, but it is just too dangerous for day-to-day use. For this reason the Administrator account is disabled by default and you're NOT supposed to re-enable it.

Some programs (particularly old XP programs) don't know how to "elevate" to Administrator level because they were written before Microsoft invented that technology. For these programs you can elevate manually by right clicking and going to "Run As Administrator", to launch a process with automatically elevated rights.

The uninstaller for your "awful TrendMicro AV" probably didn't elevate automatically. If you right clicked and "Run As Administrator" it probably would have worked fine. Technically there is no difference between "Run As Administrator" and actually logging in as Administrator.

The command prompt works the same way. In Windows Vista you may have been annoyed by Vista's "broken command prompt" where certain commands caused the error "This command requires elevation", a cryptic error that most people didn't understand. In reality this was Windows telling you that the cmd.exe process was not running with elevated privileges. You need to run it using the "Run As Administrator" menu item first.

So that's the more detailed explanation about why the built-in Administrator account is a "security risk". I hope this clears things up for you. Now, you are more than welcome to enable the Administrator account manually if you really want, but it is at your own risk and Microsoft makes it a bit difficult to do for just that reason.
0
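A read-only check of the state described in the answer above, added here as an example and not part of the original thread: it reports whether the current shell is elevated, whether the user's token carries the Administrators group at all, whether the built-in Administrator (RID 500) is enabled, and how the UAC policy values are set. The function name `Get-LocalAdminPosture` is hypothetical; the script assumes PowerShell 2.0 or later on Windows 7 and changes nothing.

```powershell
# Added example: read-only audit, makes no changes to the system.
function Get-LocalAdminPosture {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # True only when the Administrators SID is enabled in this process token,
    # which is the case when the shell was started with "Run as administrator".
    $elevated = $principal.IsInRole($adminRole)

    # whoami lists every group in the token, including the deny-only
    # Administrators entry carried by a filtered (non-elevated) token.
    # /nh plus explicit headers avoids depending on localized column names.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $member = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })

    # The built-in Administrator always has RID 500, even if it was renamed.
    $builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }

    # UAC policy values. EnableLUA = 1 means UAC is on.
    # FilterAdministratorToken = 1 puts the built-in Administrator under
    # Admin Approval Mode; 0 or absent means it runs with a full token.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        User                     = $id.Name
        ShellIsElevated          = $elevated
        TokenHasAdministrators   = $member
        BuiltinAdminName         = $builtin.Name
        BuiltinAdminEnabled      = -not $builtin.Disabled
        BuiltinAdminPwdRequired  = $builtin.PasswordRequired
        EnableLUA                = $uac.EnableLUA
        FilterAdministratorToken = $uac.FilterAdministratorToken
    }
}

Get-LocalAdminPosture | Format-List
```

Run it once from a normal prompt and once from an elevated one as the same user: `TokenHasAdministrators` stays True while `ShellIsElevated` changes, which is the split the answer describes.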
 
LVL 31

Expert Comment

by:Frosty555
ID: 38742633
There's a couple other good reasons why the Administrator account is disabled by default:

1) There is no longer confusion between the built-in administrator account, and the domain administrator account.

2) It patches the vulnerability where you could easily circumvent a user's account password by logging in as Administrator with no password.

#2 is a big one. It is a huge glaring security hole having an Administrator account with no password enabled by default. Your average home user doesn't know about it, and when they put a password on their account they expect their computer is secure.

But in pre-Vista versions of Windows this isn't so - all you have to do is sit physically at the computer and log in as Administrator and bang! You've bypassed the user's security!

Previous versions of Windows have assumed that only authorized users could have physical access to the machine (thus an Administrator user with no password was not considered valid authentication for network resources like shared folders or remote desktop), but as time has gone on this has been demonstrated to be insufficient and somebody at Microsoft made an executive decision.

Now it is true - if the user gets locked out of their own account (user forgets their password, corrupted profile etc.) you're a bit screwed - you have to use a password reset tool of some kind or yank the hard drive to get back in. That's annoying, but honestly how often does that really happen?
0
 
LVL 3

Assisted Solution

by:jeorge
jeorge earned 100 total points
ID: 38743576
0
 
LVL 23

Assisted Solution

by:Thomas Grassi
Thomas Grassi earned 50 total points
ID: 38743676
Do you want to create the Local administrator account but not see it on the logon screen?

Then just do this:

1) Start the Registry Editor
2) Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
3) Right-click an empty space in the right pane and select New > DWORD Value
4) Name the new value exactly as the Username
5) Leave the Value data as 0
6) If you want to enable this user again on the Welcome Screen, either double-click the Username value, and change the Value data to 1, or delete the Username
7) Close the registry editor
0
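The registry steps above as a script, added here as an example and not part of the original thread. It also handles the case where the `SpecialAccounts\UserList` key does not exist yet, and includes a read-only listing of every hidden entry so an enabled account kept off the Welcome Screen stays documented. The function names are hypothetical; the script assumes an elevated PowerShell 2.0 or later prompt.

```powershell
# Added example: requires an elevated prompt because it writes under HKLM.
$UserList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Set-LogonScreenVisibility {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [switch]$Hidden
    )
    # The key is often absent on a fresh install, so create it when needed.
    if (-not (Test-Path $UserList)) {
        New-Item -Path $UserList -Force | Out-Null
    }
    # DWORD 0 hides the account from the Welcome Screen, 1 shows it again.
    $value = if ($Hidden) { 0 } else { 1 }
    New-ItemProperty -Path $UserList -Name $UserName `
        -PropertyType DWord -Value $value -Force | Out-Null
}

function Get-HiddenLogonAccounts {
    # Read-only: list every value set to 0 and whether it matches an
    # existing, enabled local account.
    if (-not (Test-Path $UserList)) { return }
    $key      = Get-Item $UserList
    $accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 0) {
            $acct = $accounts | Where-Object { $_.Name -eq $name }
            New-Object PSObject -Property @{
                Name    = $name
                Exists  = [bool]$acct
                Enabled = [bool]($acct -and -not $acct.Disabled)
            }
        }
    }
}

# Hide the account named Administrator, then review what is hidden.
Set-LogonScreenVisibility -UserName 'Administrator' -Hidden
Get-HiddenLogonAccounts | Format-Table Name, Exists, Enabled -AutoSize
```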
 
LVL 1

Author Comment

by:agieryic
ID: 38744444
Frosty555 - Great feedback!!! Your one mentioning "run as an administrator" I'm very familiar with when installing - but trying to uninstall is another issue when you need administrative rights to do so. Most uninstallers don’t have the issue I ran into with TrendMicro.

As I'm reading your comment, it appears it's still safer and more secure to leave the local administrator account disabled vs. leaving it enabled with a very tight password.


Jeorge, the links helped me confirm that the Administrator's account is always enabled in "safe-mode". Thanks!
0
