Default Administrator account accessable in Ultimate ,not in home

Discussion in 'Windows Vista Administration' started by Craig L Davies, Jul 2, 2007.

  1. I was wondering why Vista Ultimate will allow one to go into the system tools
    and select the Local users and groups tab, and can enable or disable the
    default administrator, however, in the Vista Home premium, under system
    tools, the local users and group tab does not contain the ability to disable
    or enable the default administrator. Why does the Vista Home Premium Edition
    require one to set up this secondary administrator account, and where can the
    default administrator be located to manage in Home Premium?
     
    Craig L Davies, Jul 2, 2007
    #1
    1. Advertisements

  2. Craig

    The built-in administrator account is hidden, by default on all versions of
    Vista. This account is there for emergencies such as if no other
    administrator account is available, you can boot to safe mode and this
    account will be available for you to log on and make any changes that are
    needed to recover, such as creating another administrator account, changing
    a password on another account or other recovery procedures. You should not
    use this account for day to day work on the system. There is nothing that
    you can do with this account that you cannot do with a normal administrator
    account.

    Several of the MSC snap-ins are not available in the Home versions of Vista,
    such as GPEdit.msc, SecPol.msc, Local Users and Groups, etc.

    Most of the procedures that these tools provide, can still be implemented in
    the Home versions by editing registry settings.

    If you do require this account to be used, you can enable it with the
    following command.

    Click Start and type: cmd.exe Right click cmd.exe in the results and
    select the Run As Administrator option. In the command window, type the
    following.

    net user administrator /active:yes

    Press ENTER.

    This account does not have a password associated with it, by default, so you
    should immediately go to Control Panel/User Accounts and set a strong
    password on the account.

    The next time you restart the system this account will appear on the Welcome
    screen.

    To return this account to it's hidden state, perform the same procedure
    except replace the Yes for No in the command.

    net user administrator /active:no
     
    Ronnie Vernon MVP, Jul 2, 2007
    #2
    1. Advertisements

  3. Isn't that a security risk when you boot in safe mode, since there is no
    password associated to the default Administrator Account?

    Martin.
     
    Martin Pelletier, Jul 6, 2007
    #3

  4. Only if the computer owner is so utterly foolish as to have not set a
    strong password on the built-in Administrator account the first time he
    booted the computer.


    --

    Bruce Chambers

    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety. -Benjamin Franklin

    Many people would rather die than think; in fact, most do. -Bertrand Russell
     
    Bruce Chambers, Jul 6, 2007
    #4
  5. Martin

    Yes, it definitely is a security risk. If you enable the built-in admin
    account, you should complete the work you need to use it for and then
    disable it again. If you are going to leave it enabled, then you need to
    create a strong password for the account.

    Normally this is not a problem, since the owner of the system must
    intentionally enable this account.
     
    Ronnie Vernon MVP, Jul 6, 2007
    #5
  6. Craig L Davies

    gullette Guest

    I believe the question was (at least mine is): If there is no password
    associated with the built-in admin account (which is presently hidden), AND
    if I've never unhidden it (not knowing about this) AND if some unauthorized
    person starts up my computer in safe mode, doesn't that give that person full
    access to the computer?

    Why would it be set up like that? Most people are not going to realize this
    (I didn't) - it has taken me 3 days to find this post (very helpful - finally
    - thank you Ronnie Vernon) just to figure out how I can even find the
    administrator account in Vista Home Premium.

    Bruce Chambers had written: "Only if the computer owner is so utterly
    foolish as to have not set a strong password on the built-in Administrator
    account the first time he booted the computer", but I never have SEEN or been
    able to find a non-registry way to FIND the built-in Administrator account,
    nor are there any references to it anywhere.

    I will certainly "unhide" it via the registry and will apply a strong
    password. I'm assuming the password will still be associated, though hidden.
     
    gullette, Aug 8, 2007
    #6
  7. Gullette

    You don't need to use the registry to make the built-in Administrator
    account visible, temporarily.

    Go to Start and type: cmd.exe In the results, right click CMD.EXE
    and select the Run As Administrator option.

    In the command dialog, type the following command.

    net user administrator /active:yes

    Press Enter.

    (Leave the command window open)

    This will reveal the built-in Administrator account in Control Panel / User
    Accounts. You can then create the strong password for the account.

    When you are finished, go back to the administrator command prompt and enter
    this command.

    net user administrator /active:yes

    Press Enter.

    The account will be hidden again.
     
    Ronnie Vernon MVP, Aug 8, 2007
    #7
  8. Craig L Davies

    gullette Guest

    Thank you so much. Is it recommended to assign a password to this default
    account? I notice in a lot of the other post replies that it seems to be the
    intent to have it not use a password. That seems like the ultimate security
    breach to me and so I'm happy to go unhide it, apply a strong password, and
    then hide it back AS LONG AS IT WON'T CAUSE ME OTHER PROBLEMS LATER for
    having assigned the password.

    And a bit off the topic, I've been reading many of these administration
    posts for the last several hours and yours are certainly among the most
    helpful responses without a hint of condescension - some of the others really
    make me cringe. You could full well be making fun of us offline, and who
    could blame you at times, but you always present your assistance in a most
    useful and professional manner and I just feel you deserve some
    acknowledgement of that! KUDOS TO YOU RONNIE VERNON!
     
    gullette, Aug 8, 2007
    #8
  9. Gullette

    Even though it is more difficult to access the built-in admin account, you
    should definitely assign a password to this account. Make sure you write the
    password down somewhere where it is safe, since you may not need to access
    this account for a long time.

    The built-in admin account will not show up in safe mode unless there are no
    other admin accounts on the computer. Even if there is another admin account
    that has been hidden, the built-in account will not show up in safe mode.

    Thank you for the kind words, they are really appreciated.
     
    Ronnie Vernon MVP, Aug 9, 2007
    #9
  10. Craig L Davies

    Mark Bourne Guest

    For someone to start the computer in safe mode, they need to have
    physical access to it. If they have physical access to the computer,
    they can do almost anything they like with it anyway, regardless of what
    passwords you have set. Eg. they could boot off a CD and access data on
    your hard disk, or take the hard disk out and put it in another computer
    as a slave disk. In these cases, the only passwords which would matter
    are the ones set on *their* OS, not yours. That is, unless you have set
    up a hard disk password which needs to be entered before the computer
    will even boot (a BIOS password will not help, as someone could still
    remove the disk). If malicious people are able to get physical access to
    your computer, you need to improve its physical security.

    As I understand it, accounts with a blank password can not be used to
    log into a Vista machine remotely, so even if someone did manage to
    remotely start your computer in safe mode, they wouldn't be able to
    remotely log in using the built-in admin account anyway if there's no
    password set on it. I've seen some people say that it is better to leave
    the password blank on the built-in admin account, because then it is
    more secure against remote attacks (viruses / cracking) than if a weak
    password is set or the password is somehow guessed.
     
    Mark Bourne, Sep 10, 2007
    #10
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.