Enable real Administrator & set password so I can install drivers/software?

Thomas H

Hello everyone,

I've always used Windows as a "limited user". When I needed to update
drivers, install software, or configure security, I would log in as the
local Administrator, perform that work, and log back in as my limited user
account.

I planned to do the same at home with Vista- but after installing Vista
Ultimate, I saw that it disabled the real Administrator account. I created
another account for myself as a standard user. The machine now has three
accounts- the disabled "real" Administrator, my Administrator-group account,
and my standard-user account.

Should I enable the real Administrator account, set a password for it, and
install my drivers and software? Then I could delete that
Administrator-group "second" account, and just have two accounts on the
machine- real Admin and standard user.

Or should I leave the real Administrator account disabled and do my setup
with the second Administrator-group account?

I read something about the real Administrator account becoming enabled if
Windows had to boot into safe mode; should the real admin be left disabled
without a password?

Thanks!
 
Rafael R. [Live Butterfly]

You won't need that account. By default, Vista will attempt to elevate
(and inform you via UAC) when installing applications.

- Rafael
 
Thomas H

I'm sorry for the confusion; I do understand UAC. I plan, no matter what,
to use a Limited User Account (LUA, not in the Administrators group) for my
daily computer use.

My question is mainly about whether or not I should enable the real
Administrator account and set a strong password for it, or if I should leave
the real Administrator account disabled?

Thanks!
 
Alun Harford

Thomas said:
> Hello everyone,
>
> I've always used Windows as a "limited user". When I needed to update
> drivers, install software, or configure security, I would log in as the
> local Administrator, perform that work, and log back in as my limited user
> account.
>
> I planned to do the same at home with Vista- but after installing Vista
> Ultimate, I saw that it disabled the real Administrator account. I created
> another account for myself as a standard user. The machine now has three
> accounts- the disabled "real" Administrator, my Administrator-group account,
> and my standard-user account.
>
> Should I enable the real Administrator account, set a password for it, and
> install my drivers and software? Then I could delete that
> Administrator-group "second" account, and just have two accounts on the
> machine- real Admin and standard user.
>
> Or should I leave the real Administrator account disabled and do my setup
> with the second Administrator-group account?
>
> I read something about the real Administrator account becoming enabled if
> Windows had to boot into safe mode; should the real admin be left disabled
> without a password?

In Vista, the Administrator account is enabled if:
a) There are no other administrator accounts on the machine, and
b) You're logging in in safe mode.

This is so that if you delete all the administrator accounts, you can
recover the machine without wiping everything.

Note that you probably don't want to use two accounts - UAC solves those
security issues in a much more elegant way.

Alun Harford
 
Keith Patrick

Keep a backup account. Safe Mode is supposed to re-enable the built-in admin
account in a bind, but it's got a bug where if you've got a non-welcome
screen (and hence unaccessible) admin account - such as a Media Center
Extender account - Safe Mode will not re-enable the built-in admin, and you
will be locked out.
 
Guest

Leave it disabled. There is no reason to use that account. Your personal
administrator account will work exactly the same. The built-in Administrator
(note the capitalization) account is for disaster recovery purposes only.

If your computer is NOT physically secured (such as a laptop or a business
computer) then you should absolutely set a password on the Administrator
account; and write that password down on something secure that you store away
in a safe place. A great option is to pick a relatively long (20-25
characters) phrase as the password, write it on a piece of paper, and put it
in a safe.

In prior versions of Windows there were special powers granted to the
Administrator that "regular" administrators did not have. With only two
exceptions that I am aware of, that is no longer the case. The two exceptions
are:
1. The Administrator account is not subject to User Account Control. All
other administrators, except for the Administrator account on a domain, if
any, are.
2. If there are no other local administrators on the computer, then the
Administrator account can log on to the recovery console even if it is
disabled. A user that is a member of the Administrators group cannot do that
if it is disabled.

I am not aware of any other special powers granted to Administrator that
other members of the Administrators group do not have.
 
Thomas H

Jesper, thanks! I probably should've mentioned that I'm well-versed in
2k/XP/2k3 workstation+server+domain security. :) I'm just not sure what
the proper procedures are for Vista, especially one that isn't joined to a
domain- and I don't want to do something "old school" that ruins a new
feature. I was shocked to see the local Admin account disabled and figured
there must be a special "tech" reason behind it. (I've already enabled
"hide last user name" in local security policy to get rid of the cute
Welcome screen.)

The physical-theft concern is something I never would've considered-
thanks!! So you're saying it's OK to enable the Administrator account, log
onto it, set a password for it, and then disable it again? (I don't like to
force a password reset from another account if I don't have to.) It won't
defeat any feature of Vista that expected a blank password (such as crash
recovery)?

Thanks,

-T
 
Thomas H

Keith, wow, thanks, I didn't see that one on the 'net!! Looks like I'll
definitely keep that second account (in the Administrator-group) around.
Maybe I'll even make a third; couldn't hurt!

Thanks!!

-T
 
Guest

> I was shocked to see the local Admin account disabled and figured
> there must be a special "tech" reason behind it.

Not really. There were really two main reasons it was disabled. First, far
too many people used that account on a daily basis, endangering themselves
when they were surfing the web by using an administrative account. This
contravened the principle of least privilege; and, as that account is exempt
from UAC, using it nullifies the benefits of UAC. Second, using a single
administrative account for all administrators violates the security principle
of accountability. It is not particularly hard to do so anyway as an
administrator, but why make it easier for people to avoid being tracked?
That's really all there was to it. The most important reason is that
Microsoft is finally trying hard to get people to run as a non-admin most of
the time.

> The physical-theft concern is something I never would've considered-
> thanks!!

You're welcome. It is important. I actually recommend to people in large
server farms to consider leaving the local Administrator password blank. I
figure those servers are locked up in racks and nobody can get physical
access to them. An account with a blank password cannot be used remotely
since XP, so leaving it blank may actually be far better than setting a weak
or crackable password on it. I know I would have been foiled, at least
temporarily, on more than one pen-test had the local admin account password
been blank.

> So you're saying it's OK to enable the Administrator account, log
> onto it, set a password for it, and then disable it again? (I don't like to
> force a password reset from another account if I don't have to.) It won't
> defeat any feature of Vista that expected a blank password (such as crash
> recovery)?

Personally, I would just as soon reset it. That way you don't need to enable
the account at all. It's up to you though. You can also use a tool such as
passgen to manage that password:
http://www.protectyourwindowsnetwork.com/tools.htm
 
Keith Patrick

To my knowledge, I'm the only one who has been hit by this one (I had to
send my SAM file in to Microsoft to fix!). A few folks have gotten burned on
the disabled built-in admin, but those people were able to use Safe Mode to
get in. I had unfortunately just set up my Xbox 360 MCE stuff the day
before.
 
CZ

> Leave it disabled. There is no reason to use that account. Your personal
> administrator account will work exactly the same. The built-in Administrator
> (note the capitalization) account is for disaster recovery purposes only.

Jesper:

I usually recommend having two Admin gp user accts enabled in case one gets
locked out as happened to me recently (I usually set Acct Lockout Threshold
policy to 10 invalid attempts).

Also, I rename both Admin and Guest user accts.
 
Guest

I need to amend my previous post. Susan Bradley (Microsoft SBS MVP
http://msmvps.com/blogs/bradley) and Amy Babinchak (Microsoft ISA MVP
http://isainsbs.blogspot.com/) conspired to remind me of something this
morning. While the two scenarios I listed are the only ones in the OS (at
least they should be) where the Administrator account is treated differently
from any other administrator, there are other situations where the built-in
Administrator account is needed to perform some task.

Poorly written software sometimes does access checks based on the account
rather than based on group membership. Probably the most egregious example of
that is Microsoft's own Small Business Server (SBS) 2003, which basically
cannot be effectively administered from any other administrative account than
the built-in Administrator account. Amy related a story about a piece of
Belkin software that did the same, which Susan wrote up:
http://msmvps.com/blogs/bradley/archive/2007/04/04/the-need-for-administrative-rights.aspx

Do not take this to mean that you should re-enable the Administrator account
and use it on a regular basis. Rather, if software requires use of the
Administrator account take it as an indication that the software is broken
and needs to be fixed. If the vendor refuses to provide a version that works
properly, and there is no other vendor providing this functionality in a
properly working piece of software, then you should use the built-in
Administrator account to get it to work; but you would be well advised not to
make a habit of it.
 
Guest

Jesper, thanks for all your help on this! I reset the password for the
Administrator last night, and did all my driver and software installs using
the Administrator-group account. I didn't get any strange errors during the
driver installations, and all the software is working great. I may even try
to force a BSOD just so I can see how the safe mode/recovery option works
with the Administrator account.

I'm looking forward to the release of your Vista book! In the meantime,
I'll be visiting the hardware store to figure out how I can securely bolt my
computer to the floor and walls without it looking too rack-like! (laughs)
 
Guest

> I may even try
> to force a BSOD just so I can see how the safe mode/recovery option works
> with the Administrator account.

You don't need to go to that length to try it. Just boot from your Vista DVD
and select "repair". That gives you an option to open a recovery console.

> I'm looking forward to the release of your Vista book! In the meantime,
> I'll be visiting the hardware store to figure out how I can securely bolt my
> computer to the floor and walls without it looking too rack-like! (laughs)

You know you will have to take a picture of your creation and post it right!
:)
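
The state this thread converges on (built-in Administrator left disabled, with more than one usable Administrators-group account as a fallback) can be checked with a short audit script. This is an added example, not part of any post above; it assumes PowerShell with WMI access run from an elevated prompt, and the two-account threshold follows CZ's recommendation.

```powershell
# Added example: audit local administrator accounts on a standalone machine.
# Uses WMI classes rather than the newer local-account cmdlets.

# The built-in Administrator always has a SID ending in -500, so this
# still finds it after the account has been renamed.
$local   = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
$builtin = $local | Where-Object { $_.SID -like 'S-1-5-21-*-500' }

# Local Administrators group, located by its well-known SID S-1-5-32-544.
$group  = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$admins = @($group.GetRelated('Win32_UserAccount') | Where-Object { $_.LocalAccount })

# Enabled local administrators other than the built-in account.
$backups = @($admins | Where-Object { -not $_.Disabled -and $_.SID -ne $builtin.SID })

# PasswordRequired reports the account flag, not whether a password is set.
"Built-in Administrator : {0} (disabled: {1}, password required: {2})" -f `
    $builtin.Name, $builtin.Disabled, $builtin.PasswordRequired
"Other enabled admins   : {0}" -f (($backups | ForEach-Object { $_.Name }) -join ', ')

if (-not $builtin.Disabled) {
    Write-Warning 'Built-in Administrator is enabled; it is exempt from UAC.'
}
if ($backups.Count -lt 2) {
    # Threshold taken from the thread's advice to keep two admin-group accounts.
    Write-Warning 'Fewer than two enabled Administrators-group accounts.'
}
```

The script cannot tell whether a listed account is actually usable for interactive logon, so accounts such as the Media Center Extender one Keith describes should be discounted by hand.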
 
