Default Administrator account accessable in Ultimate ,not in home

I was wondering why Vista Ultimate will allow one to go into the system tools
and select the Local users and groups tab, and can enable or disable the
default administrator, however, in the Vista Home premium, under system
tools, the local users and group tab does not contain the ability to disable
or enable the default administrator. Why does the Vista Home Premium Edition
require one to set up this secondary administrator account, and where can the
default administrator be located to manage in Home Premium?

 

Craig

The built-in administrator account is hidden, by default on all versions of
Vista. This account is there for emergencies such as if no other
administrator account is available, you can boot to safe mode and this
account will be available for you to log on and make any changes that are
needed to recover, such as creating another administrator account, changing
a password on another account or other recovery procedures. You should not
use this account for day to day work on the system. There is nothing that
you can do with this account that you cannot do with a normal administrator
account.

Several of the MSC snap-ins are not available in the Home versions of Vista,
such as GPEdit.msc, SecPol.msc, Local Users and Groups, etc.

Most of the procedures that these tools provide, can still be implemented in
the Home versions by editing registry settings.

If you do require this account to be used, you can enable it with the
following command.

Click Start and type: cmd.exe Right click cmd.exe in the results and
select the Run As Administrator option. In the command window, type the
following.

net user administrator /active:yes

Press ENTER.

This account does not have a password associated with it, by default, so you
should immediately go to Control Panel/User Accounts and set a strong
password on the account.

The next time you restart the system this account will appear on the Welcome
screen.

To return this account to it's hidden state, perform the same procedure
except replace the Yes for No in the command.

net user administrator /active:no

 

Isn't that a security risk when you boot in safe mode, since there is no
password associated to the default Administrator Account?

Martin.

 

Only if the computer owner is so utterly foolish as to have not set a
strong password on the built-in Administrator account the first time he
booted the computer.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell

 

Martin

Yes, it definitely is a security risk. If you enable the built-in admin
account, you should complete the work you need to use it for and then
disable it again. If you are going to leave it enabled, then you need to
create a strong password for the account.

Normally this is not a problem, since the owner of the system must
intentionally enable this account.

 

I believe the question was (at least mine is): If there is no password
associated with the built-in admin account (which is presently hidden), AND
if I've never unhidden it (not knowing about this) AND if some unauthorized
person starts up my computer in safe mode, doesn't that give that person full
access to the computer?

Why would it be set up like that? Most people are not going to realize this
(I didn't) - it has taken me 3 days to find this post (very helpful - finally
- thank you Ronnie Vernon) just to figure out how I can even find the
administrator account in Vista Home Premium.

Bruce Chambers had written: "Only if the computer owner is so utterly
foolish as to have not set a strong password on the built-in Administrator
account the first time he booted the computer", but I never have SEEN or been
able to find a non-registry way to FIND the built-in Administrator account,
nor are there any references to it anywhere.

I will certainly "unhide" it via the registry and will apply a strong
password. I'm assuming the password will still be associated, though hidden.

 

Gullette

You don't need to use the registry to make the built-in Administrator
account visible, temporarily.

Go to Start and type: cmd.exe In the results, right click CMD.EXE
and select the Run As Administrator option.

In the command dialog, type the following command.

net user administrator /active:yes

Press Enter.

(Leave the command window open)

This will reveal the built-in Administrator account in Control Panel / User
Accounts. You can then create the strong password for the account.

When you are finished, go back to the administrator command prompt and enter
this command.

net user administrator /active:yes

Press Enter.

The account will be hidden again.

 

Thank you so much. Is it recommended to assign a password to this default
account? I notice in a lot of the other post replies that it seems to be the
intent to have it not use a password. That seems like the ultimate security
breach to me and so I'm happy to go unhide it, apply a strong password, and
then hide it back AS LONG AS IT WON'T CAUSE ME OTHER PROBLEMS LATER for
having assigned the password.

And a bit off the topic, I've been reading many of these administration
posts for the last several hours and yours are certainly among the most
helpful responses without a hint of condescension - some of the others really
make me cringe. You could full well be making fun of us offline, and who
could blame you at times, but you always present your assistance in a most
useful and professional manner and I just feel you deserve some
acknowledgement of that! KUDOS TO YOU RONNIE VERNON!

 

Gullette

Even though it is more difficult to access the built-in admin account, you
should definitely assign a password to this account. Make sure you write the
password down somewhere where it is safe, since you may not need to access
this account for a long time.

The built-in admin account will not show up in safe mode unless there are no
other admin accounts on the computer. Even if there is another admin account
that has been hidden, the built-in account will not show up in safe mode.

Thank you for the kind words, they are really appreciated.

 

For someone to start the computer in safe mode, they need to have
physical access to it. If they have physical access to the computer,
they can do almost anything they like with it anyway, regardless of what
passwords you have set. Eg. they could boot off a CD and access data on
your hard disk, or take the hard disk out and put it in another computer
as a slave disk. In these cases, the only passwords which would matter
are the ones set on *their* OS, not yours. That is, unless you have set
up a hard disk password which needs to be entered before the computer
will even boot (a BIOS password will not help, as someone could still
remove the disk). If malicious people are able to get physical access to
your computer, you need to improve its physical security.

As I understand it, accounts with a blank password can not be used to
log into a Vista machine remotely, so even if someone did manage to
remotely start your computer in safe mode, they wouldn't be able to
remotely log in using the built-in admin account anyway if there's no
password set on it. I've seen some people say that it is better to leave
the password blank on the built-in admin account, because then it is
more secure against remote attacks (viruses / cracking) than if a weak
password is set or the password is somehow guessed.