Enable and Disable the Built-in Administrator Account

Applies To: Windows 7, Windows Server 2008 R2

Note

This content applies to Windows 7. For Windows 8 content, see Windows Deployment with the Windows ADK.

In Windows® 7, the built-in administrator account is disabled by default. In previous versions of Windows, an Administrator account was automatically created during Out-of-Box-Experience (OOBE) with a blank password.

An Administrator account with a blank password is a security risk. To better protect the system, the built-in Administrator account is disabled by default in all clean installations and upgrades of Windows 7.

Note

For upgrade installations, the built-in Administrator account is kept enabled when there is no other active local Administrator on the computer. However, the built-in Administrator account is disabled by default for new installations and upgrades on domain-joined computers, regardless of whether there are other active local Administrators on the domain-joined computers.

In audit mode, Windows Setup will implicitly enable the built-in Administrator account as the last action in the auditSystem configuration pass if the built-in Administrator is not already enabled. The first action in the auditUser configuration pass is to disable the built-in Administrator account. This enables you to run programs and applications as an Administrator. When you complete your customizations in audit mode and log off, the built-in Administrator account will be disabled. If you want to leave the built-in Administrator account enabled, you can re-enable it in audit mode.

Enable the Built-in Administrator Account for Windows 7

There are two ways to enable the built-in Administrator account.

  • Use the AutoLogon unattended Setup setting

    You can enable the built-in Administrator account during unattended installations by setting the AutoLogon setting to Administrator in the Microsoft-Windows-Shell-Setup component. This will enable the built-in Administrator account, even if a password is not specified in the AdministratorPassword setting.

    You can create an answer file by using Windows System Image Manager (Windows SIM).

    The following sample answer file shows how to enable the Administrator account, specify an Administrator password, and automatically log on to the system.

   <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="https://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <AutoLogon>
         <Password>
            <Value>SecurePasswd123</Value> 
            <PlainText>true</PlainText> 
         </Password>
         <Username>Administrator</Username> 
         <Enabled>true</Enabled> 
         <LogonCount>5</LogonCount> 
      </AutoLogon>
      <UserAccounts>
         <AdministratorPassword>
            <Value>SecurePasswd123</Value> 
            <PlainText>true</PlainText> 
         </AdministratorPassword>
      </UserAccounts>
   </component>
  • Use the Local Users and Groups MMC console

    Change the properties of the Administrator account by using the Local Users and Groups Microsoft Management Console (MMC).

    1. Open the MMC console and select Local Users and Groups.

    2. Right-click the Administrator account and select Properties.

      The Administrator Properties window appears.

    3. On the General tab, clear the Account is Disabled check box.

    4. Close the MMC console.

    Administrator access is now enabled.

Enable the Built-in Administrator Account for Windows Server 2008

For Windows Server® 2008, the built-in Administrator password must be changed at first logon. This prevents the built-in Administrator account from having a blank password by default.

Both Microsoft-Windows-Shell-Setup | Autologon and Microsoft-Windows-Shell-Setup | UserAccountsAdministratorPassword sections are now needed for autologon in audit mode to work. Both of these settings should be added to the auditSystem configuration pass.

The following XML output shows how to set the appropriate values.

            <UserAccounts>
                <AdministratorPassword>
                   <Value>yourBApasswordhere</Value>
                    <PlainText>true</PlainText>
                </AdministratorPassword>
            </UserAccounts>

         <AutoLogon>
            <Enabled>true</Enabled>
            <Username>Administrator</Username>
             <Password>
              <Value> yourBApasswordhere </Value>
              <PlainText>true</PlainText>
             </Password>
         </AutoLogon>

Microsoft-Windows-Shell-Setup | UserAccountsAdministratorPassword can be used in the oobeSystem configuration pass to prevent having to enter a password for the built-in Administrator account after you complete the out-of-box experience.

The following XML output shows how to set the appropriate values.

            <UserAccounts>
                <AdministratorPassword>
                    <Value> yourBApasswordhere</Value>
                    <PlainText>true</PlainText>
                </AdministratorPassword>
            </UserAccounts>

Disabling the Built-in Administrator Account

Original equipment manufacturers (OEMs) and system builders are required to disable the built-in Administrator account before delivering the computers to customers.

  • Run the sysprep /generalize command

    When you run the sysprep /generalize command, the next time the computer starts, the built-in Administrator account will be disabled.

    -or-

  • Use the net user command

    Run the following command to disable the Administrator account.

    net user administrator /active:no
    

    You can run this command after configuring the computer, before delivering the computer to a customer.

Configure the Built-in Administrator Password During System Preparation

In Windows Server 2008, Windows Server 2008 R2, and Windows Vista® with Service Pack 1, the default password policy requires the creation of a complex password for all user accounts. During installation, Setup prompts you to configure a complex password. Attempting to configure a non-complex password, either manually or by using a script, such as the net command, will fail.

When you run the sysprep /generalize command on Windows Server 2008 and Windows Server 2008 R2, the built-in administrator account password is reset. The Sysprep tool only clears the built-in administrator account’s password for server editions, not for client editions. The next time the computer starts, Setup displays a prompt for a password

You can automate configuration of the password by creating an answer file to use with Sysprep that specifies a value for the Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword unattended Setup setting.

OEMs and system builders are required to retain the default password policy of their computers. However, corporate customers are permitted to change the default password policy.

A corporate customer can configure a non-complex password for the built-in administrator account during an unattended installation by specifying the desired value for Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword.

See Also

Concepts

Phase 3: Preparing and Customizing Your Windows Image