Microsoft KB Archive/942956

= The changes to the built-in administrator account in Windows Vista =

Article ID: 942956

Article Last Modified on 10/3/2007

-

APPLIES TO


 * Windows Vista Business
 * Windows Vista Enterprise
 * Windows Vista Home Basic
 * Windows Vista Home Premium
 * Windows Vista Starter
 * Windows Vista Ultimate

-



INTRODUCTION
This article describes the changes to the built-in administrator account in Windows Vista.



Background
By default, the built-in administrator account is named Administrator and is assigned the relative ID (RID) 500. In Windows Vista, the default user account type is a standard user, that is, an account with limited rights and limited Windows permissions. The following sections detail how the built-in administrator account has been changed to reduce the attack surface that the built-in accounts present in Windows Vista.

Note These changes apply only to the built-in administrator account, RID 500.

Behavior when you install Windows Vista as a new installation
By default, the built-in administrator account is disabled in a new installation of Windows Vista. This behavior occurs unless the default behavior is overridden in the Unattend.xml file. For more information about how to use the Unattend.xml file in Windows Vista, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsVista/en/library/129a1712-e3d8-46c1-bc09-a14349dc67db1033.mspx

If you set the SkipMachineOOBE and SkipUserOOBE elements to true to skip Windows Welcome, you must create a user account, or you must specify an administrator password by using the Microsoft-Windows-Shell-Setup component. If you do neither, no account can log on to the computer, and the only way back in is to restart the computer in safe mode.

The following code example shows how to enable the built-in administrator account by using the AutoLogon element in the Unattend.xml file, and how to use the AdministratorPassword element. The elements belong inside the Microsoft-Windows-Shell-Setup component:

    <AutoLogon>
        <Enabled>true</Enabled>
        <LogonCount>9999</LogonCount>
        <Username>Administrator</Username>
        <Password>
            <Value>""</Value>
            <PlainText>true</PlainText>
        </Password>
    </AutoLogon>
    <OOBE>
        <HideEULAPage>true</HideEULAPage>
        <ProtectYourPC>3</ProtectYourPC>
        <SkipMachineOOBE>true</SkipMachineOOBE>
        <SkipUserOOBE>true</SkipUserOOBE>
    </OOBE>
    <UserAccounts>
        <AdministratorPassword>
            <Value>""</Value>
            <PlainText>true</PlainText>
        </AdministratorPassword>
    </UserAccounts>

Notes

 * In the Unattend.xml file, the AdministratorPassword element designates the password for the built-in administrator account. The code example supplies an empty password ("") in plain text; specifying the element is what enables the account, so every computer that is imaged with this file ends up with an enabled RID 500 account that has that password. We recommend that you create a strong password for the built-in administrator account instead. For more information about strong passwords, visit the following Microsoft Web site:

http://www.microsoft.com/protect/yourself/password/create.mspx

 * Regardless of the status of the built-in administrator account before you run the Sysprep.exe /OOBE command, the built-in administrator account is disabled after the installation is complete.
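As an added example that is not part of the KB article, the following PowerShell script lints the Microsoft-Windows-Shell-Setup settings of an Unattend.xml for exactly the weak choices the sample above makes: an empty or plain-text AdministratorPassword, and AutoLogon of the built-in Administrator with a large LogonCount. The XML it inspects is constructed inline to mirror the sample; the thresholds and finding messages are the example's own, not Microsoft's.

```powershell
# Added example, not from KB 942956: lint the Microsoft-Windows-Shell-Setup
# settings in an Unattend.xml for the weak choices the article's sample makes.
# The XML below is constructed here to mirror that sample.
$UnattendXml = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <AutoLogon>
        <Enabled>true</Enabled>
        <LogonCount>9999</LogonCount>
        <Username>Administrator</Username>
        <Password><Value>""</Value><PlainText>true</PlainText></Password>
      </AutoLogon>
      <OOBE>
        <SkipMachineOOBE>true</SkipMachineOOBE>
        <SkipUserOOBE>true</SkipUserOOBE>
      </OOBE>
      <UserAccounts>
        <AdministratorPassword><Value>""</Value><PlainText>true</PlainText></AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

function Get-NodeText($Node, $XPath, $Ns) {
    # Null-safe text lookup so a missing child element does not abort the scan.
    $n = $Node.SelectSingleNode($XPath, $Ns)
    if ($n) { $n.InnerText.Trim() } else { $null }
}

function Test-UnattendAdminSettings {
    param([Parameter(Mandatory = $true)][string]$Xml)
    $doc = [xml]$Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $findings = @()
    $components = $doc.SelectNodes("//u:component[@name='Microsoft-Windows-Shell-Setup']", $ns)
    foreach ($c in $components) {
        $pass = $c.ParentNode.GetAttribute('pass')
        # AdministratorPassword: supplying it enables the RID-500 account, so an
        # empty or clear-text value is an exposure on every machine imaged with this file.
        $ap = $c.SelectSingleNode('u:UserAccounts/u:AdministratorPassword', $ns)
        if ($ap) {
            $value = Get-NodeText $ap 'u:Value' $ns
            if (-not $value -or $value -eq '""') {
                $findings += "[$pass] AdministratorPassword is empty: the built-in administrator is enabled with no password."
            }
            if ((Get-NodeText $ap 'u:PlainText' $ns) -eq 'true') {
                $findings += "[$pass] AdministratorPassword is stored in clear text; set PlainText to false and use the encoded form."
            }
        }
        # AutoLogon: the sample logs the built-in administrator on 9999 times,
        # far beyond what any setup sequence needs.
        $al = $c.SelectSingleNode('u:AutoLogon', $ns)
        if ($al -and (Get-NodeText $al 'u:Enabled' $ns) -eq 'true') {
            $user  = Get-NodeText $al 'u:Username' $ns
            $count = [int](Get-NodeText $al 'u:LogonCount' $ns)
            if ($user -eq 'Administrator') {
                $findings += "[$pass] AutoLogon signs in the built-in administrator (RID 500) automatically."
            }
            if ($count -gt 2) {
                $findings += "[$pass] AutoLogon LogonCount is $count; use the smallest count the setup sequence needs."
            }
        }
    }
    return $findings
}

Test-UnattendAdminSettings -Xml $UnattendXml
```

Run against the sample, the script reports four findings: empty and plain-text AdministratorPassword, AutoLogon of the built-in administrator, and a LogonCount of 9999. Point it at a real answer file by replacing the here-string with `Get-Content -Raw` of the file.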

Behavior when you upgrade from Windows XP to Windows Vista
If the built-in administrator account is the only active local administrator account during an upgrade from Windows XP, Windows Vista leaves the built-in administrator account enabled. Additionally, Windows Vista puts the built-in administrator account in Admin Approval Mode. Admin Approval Mode is a component of User Account Control (UAC): the account logs on with a filtered, standard-user token, and UAC requires that the administrator approve any action that needs the full administrator token.

If one or more of the following conditions are true, the built-in administrator account is not an active local administrator account:
 * The built-in administrator account is not found in the local Security Accounts Manager (SAM).
 * The built-in administrator account is not a member of the local Administrators group.
 * The built-in administrator account is disabled.
 * The built-in administrator account is defined in the Deny log on locally policy setting.
 * The built-in administrator account name is explicitly filtered from the Windows logon screen.

The following registry key determines whether a user account name is explicitly filtered from the Windows logon screen.

Note If the built-in administrator account is explicitly defined to appear on the Windows logon screen, Windows Vista enables the built-in administrator account and puts it into Admin Approval Mode. This behavior occurs regardless of whether another active local administrator account exists.

Behavior when you start the computer in safe mode
If the built-in administrator account is disabled, you cannot log on to a computer in safe mode by using the built-in administrator account when both of the following conditions are true:
 * The computer is a member of a workgroup, that is, it is not joined to a domain.
 * At least one other active local administrator account exists.

In that case, log on by using any active local administrator account instead. If the computer is not joined to a domain and no active local administrator account remains, safe mode does let you log on by using the disabled built-in administrator account so that you can recover the system, for example if one of the following conditions is true:
 * You unintentionally demote the last local administrator account.
 * You unintentionally disable the last local administrator account.
 * You unintentionally delete the last local administrator account.

Before you restart the computer, create a new active local administrator account, or recover an old active local administrator account.
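As an added example that is not part of the KB article, the following PowerShell script evaluates the "active local administrator account" conditions listed in the upgrade section above for every local account, reports whether the RID 500 account is in Admin Approval Mode, and, before you restart, makes sure that at least one active local administrator account still exists, creating a recovery account if none does. It is written against WMI classes and secedit.exe, which exist on Windows Vista and later. The registry locations it reads (Winlogon\SpecialAccounts\UserList for logon-screen filtering and the UAC FilterAdministratorToken value) are Windows' documented locations and are not taken from this page; RecoveryAdmin is a placeholder account name. Run it from an elevated prompt.

```powershell
# Added example, not from KB 942956: evaluate the article's conditions for an
# "active local administrator account" on every local account, report whether
# the RID-500 account runs in UAC Admin Approval Mode, and make sure an active
# local administrator exists before you restart. Run from an elevated prompt.
# Assumed: secedit.exe and the Win32_UserAccount/Win32_Group WMI classes are
# present (Vista and later); RecoveryAdmin is a placeholder account name.

$AdminGroup = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"

function Get-AdministratorsMembers {
    # Direct members of the local Administrators group, located by its
    # well-known SID so the localized group name does not matter.
    $q = "ASSOCIATORS OF {Win32_Group.Domain='$($AdminGroup.Domain)',Name='$($AdminGroup.Name)'} " +
         "WHERE AssocClass=Win32_GroupUser Role=GroupComponent"
    Get-WmiObject -Query $q | ForEach-Object { "$($_.Domain)\$($_.Name)" }
}

function Get-DenyInteractiveLogon {
    # Principals in "Deny log on locally" (SeDenyInteractiveLogonRight), read
    # from a secedit export. secedit writes SIDs with a leading '*' or names.
    $inf = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $line = Get-Content $inf -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Get-LocalAdminState {
    # One record per local account with each condition the article lists.
    $members = @(Get-AdministratorsMembers)
    $deny    = @(Get-DenyInteractiveLogon)
    # Names filtered from the logon screen: a 0 under Winlogon\SpecialAccounts\UserList.
    $userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    $hidden = @()
    if (Test-Path $userList) {
        $hidden = @((Get-ItemProperty $userList).PSObject.Properties |
            Where-Object { $_.Value -eq 0 } | ForEach-Object { $_.Name })
    }
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
        $full = "$($_.Domain)\$($_.Name)"
        $o = New-Object PSObject -Property @{
            Name             = $_.Name
            IsRid500         = ($_.SID -like 'S-1-5-21-*-500')
            Enabled          = (-not $_.Disabled)
            InAdmins         = ($members -contains $full)
            DeniedLocalLogon = (($deny -contains $_.SID) -or ($deny -contains $full) -or ($deny -contains $_.Name))
            HiddenFromLogon  = ($hidden -contains $_.Name)
        }
        $o | Add-Member -MemberType NoteProperty -Name Active -PassThru -Value (
            $o.Enabled -and $o.InAdmins -and -not $o.DeniedLocalLogon -and -not $o.HiddenFromLogon)
    }
}

function Get-BuiltInAdminApprovalMode {
    # FilterAdministratorToken = 1 means the RID-500 account gets a filtered
    # token and UAC prompts (what an XP upgrade sets); 0 means a full token.
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    (Get-ItemProperty $k -ErrorAction SilentlyContinue).FilterAdministratorToken
}

function New-RandomPassword([int]$Length = 20) {
    # CSPRNG-backed password from a charset that is safe on a net.exe command line.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%+='
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Assert-ActiveLocalAdmin {
    # Call before any restart that follows changes to local admin accounts. If
    # none is active, create a recovery admin now instead of counting on safe
    # mode admitting the disabled built-in account (it never does on a domain member).
    $active = @(Get-LocalAdminState | Where-Object { $_.Active })
    if ($active.Count -gt 0) { return $active }
    $pw = New-RandomPassword
    & net.exe user RecoveryAdmin $pw /add /y | Out-Null
    & net.exe localgroup $AdminGroup.Name RecoveryAdmin /add | Out-Null
    Write-Warning "No active local administrator existed. Created RecoveryAdmin; record this password now: $pw"
    @(Get-LocalAdminState | Where-Object { $_.Active })
}

Get-LocalAdminState | Format-Table Name, IsRid500, Enabled, InAdmins, DeniedLocalLogon, HiddenFromLogon, Active -AutoSize
"FilterAdministratorToken (Admin Approval Mode for built-in administrator): $(Get-BuiltInAdminApprovalMode)"
Assert-ActiveLocalAdmin | Out-Null
```

The Active column is true only when all four of the article's conditions hold (enabled, member of Administrators, not in "Deny log on locally", not hidden from the logon screen); the RID 500 row shows the state the upgrade logic would have evaluated. The recovery branch prints the generated password once; store it as the note below advises, and delete RecoveryAdmin after you have restored a proper administrator account.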

If the built-in administrator account is disabled, you cannot log on to a computer that is joined to a domain in safe mode by using the built-in administrator account. By default, you can log on to the computer as a member of the Domain Admins group to create an active local administrator account if an active local administrator account does not exist. If you have never logged on to the computer as a member of the Domain Admins group before, you must start the computer in "safe mode with networking," because those credentials have not been cached locally. After the computer is disjoined from the domain, the computer reverts to the behavior of a computer that is not joined to a domain.

Note Make sure that you do not forget the user names and the passwords for the other active local administrator accounts. If the built-in administrator account is disabled and if you forget the user names and the passwords for the other active local administrator accounts, you may be unable to make additional administrative changes to the computer. Additionally, you may be unable to log on at all. Home users should take the following precautions to make sure that they do not lose access to the other active local administrator accounts:
 * In Control Panel, use the Forgotten Password Wizard in User Accounts to create a password reset disk for the accounts. Store the password reset disk or the removable USB device in a safe location.
 * Create password hints for the accounts.
 * Note the user names and the passwords, and then store the user names and the passwords in a safe location.

Keywords: kbinfo kbtshoot kblogin kbpubtypekc kbstartup kbexpertisebeginner KB942956

-


© Microsoft Corporation. All rights reserved.