Built-in administrator verses a user made administrator

What is the difference between the windows built-in administrator and a user that is an administrator?
Lawrence AverySystem DeveloperAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NinjaStyle82Systems AdministratorCommented:
Nothing really, aside from the name.
0
JohnBusiness Consultant (Owner)Commented:
There is quite a bit of difference.

The built-in account is disabled and should stay disabled.

Any other account made member of the admin group will function properly as an administrator but, of course, will have a different name.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
NinjaStyle82Systems AdministratorCommented:
They are functionally identical. Yes it is disabled by default in Windows 7 and up. I don't really see value in using a different account name for the local admin.
0
Cloud Class® Course: Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

TemodyPickalbatros, IT ManagerCommented:
In the Windows operating system (OS), the built-in administrator account is the first account created when the operating system is installed.

The built-in administrator account was originally intended to facilitate setup and disaster recovery, but because the account was always called "administrator," it had the same user name on all computers and was often given a consistent password throughout the enterprise.  Beginning with Windows 7, the administrator account is disabled by default so only local accounts specifically created with administrator privileges -- or domain accounts that are members of the domain administrator's group -- can log on as administrator.
so at the end It's the same
0
JohnBusiness Consultant (Owner)Commented:
You cannot have two accounts named "administrator" (never worked). And the administrator account should remain disabled for security reasons. Long article about that when Vista / Windows 7 were new.
0
NinjaStyle82Systems AdministratorCommented:
"Security reasons" is a joke, any local admin account is not secure if your drive is not encrypted.
0
JohnBusiness Consultant (Owner)Commented:
No it is NOT a joke. You apparently have not read up on it.

People had viruses that logged in as administrator and largely got in. Now that account is closed.

You CANNOT walk into an admin account named janefinch because you do not even know it exists. Even it you did, you would have to get by the password.

And of course, UAC is enabled.
0
NinjaStyle82Systems AdministratorCommented:
That's because in the old XP days people often had blank passwords on the administrator account. Also, if the malware was not completely stupid there are a million ways it could find the account name for the administrator. (net user?)(C:\Users, see which is the oldest folder?)
0
NinjaStyle82Systems AdministratorCommented:
Furthermore, like you said, UAC is an additional layer of protection from the XP days.
0
JohnBusiness Consultant (Owner)Commented:
I do not think you understand. My user folder is NOT my username. It can be but does not have to be.

My guess is you forgot about security.
0
NinjaStyle82Systems AdministratorCommented:
I'm sure you're an "Expert" on this topic. It's amazing, the arrogance on this site.
0
JohnBusiness Consultant (Owner)Commented:
My statements are factual not arrogant. People should leave the administrator account disabled which is where I started from.
0
NinjaStyle82Systems AdministratorCommented:
I'm finished with this conversation.
0
TemodyPickalbatros, IT ManagerCommented:
i think John Hurst talking as expert
so when he talk about security reason the experts know what's that mean
Thanks for Advice @John Hurst
0
NinjaStyle82Systems AdministratorCommented:
ANY administrator account is a security vulnerability, the built in account or any other local administrator is equally risky. If John could back up with a reason WHY the built in account is any more risky than another administrator account, i would love to hear it.
0
JohnBusiness Consultant (Owner)Commented:
It is really easy:  XP Administrator accounts often had blank passwords as you point out. These were easy targets.

Now, a username you do not know with a very strong password is a VERY different case. Much more difficult to hack. Let me turn this around: Give us list of all the unknown accounts you hacked into that had strong passwords.

By the way, you need strong passwords for even Standard accounts.

It is easy to secure a Windows machine and the word "administrator" does not really play into it.

I have had a Windows desktop machine online 24 hours a day for over a decade. Never hacked. Lot of would be assailants knocked at the door of the router but never got in.

Not really very hard.
0
TemodyPickalbatros, IT ManagerCommented:
As a security best practice, it is recommended that you rename the Administrator account on all computers in the Windows
https://technet.microsoft.com/en-us/library/cc747353(v=ws.10).aspx
0
NinjaStyle82Systems AdministratorCommented:
That's an outdated article. Try again
0
TemodyPickalbatros, IT ManagerCommented:
We are talking about the base is it !
0
NinjaStyle82Systems AdministratorCommented:
?... Thats for SBS 2003.
0
TemodyPickalbatros, IT ManagerCommented:
If you read the article to the end you will know
0
JohnBusiness Consultant (Owner)Commented:
The question was the difference between built-in and user-made "administrator" account. They ARE different because they have different names, one is disabled and one is not. Functionally they work the same way.

The rest of the security stuff is close to irrelevant here. It is easy (trivial) to secure a computer so it cannot (to the 99% level) be hacked into.

With that, I have clicked on Unmonitor and will not be back.
0
NinjaStyle82Systems AdministratorCommented:
After doing a lot of research on the topic, here are the facts:

The local administrator account is more of a security vulnerability for this reason, and it has nothing to do with the name. The vulnerability is that the built in administrator always uses the same SID, 500. This means that renaming the administrator account has no real benefit as an account can be authenticated against via the SID, and the name is irrelevant. The other caveat to this account is that it cannot be locked out, which means a brute force attack against this account is possible.

With that said here are other facts. The password hash of any windows account can be attained through trivial means, and the hash can be brute forced as well, which will not trigger an account lockout.
If someone has physical access to a un-encrypted Windows PC, the password can be reset offline, which trivializes even a strong password.

TLDR;
So yes i concede, the built in administrator account is different in that is has a known SID, and cannot be locked out. However, there are many other means to compromising a windows password, and though the authentications in a brute force against a built in administrator can be performed directly against the system, there are other trivial means for brute forcing any account on a windows PC via the hash.
0
TemodyPickalbatros, IT ManagerCommented:
Just finished

No grudge
0
NinjaStyle82Systems AdministratorCommented:
I'm the only only one who actually answered this question accurately, but whatever.
0
Lawrence AverySystem DeveloperAuthor Commented:
I guess the problem is how would I know that?  Not to be sarcastic.
0
NinjaStyle82Systems AdministratorCommented:
Quite simply by reading the answers provided for your question.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.