In Windows Vista we made numerous changes to our user account model. Standard users are now the default user type for new accounts created after initial setup. The Power Users group is effectively deprecated. In addition, we’ve made it much easier to run as a standard user and even administrators run with limited Windows privileges and user rights by default. But people often ask us, “What about the built-in administrator account? Isn’t it a security risk to have an administrator account with no password?” Yes, in some cases this administrator account could be used to circumvent other security mechanisms. For example, parental controls could not be effective if the child could simply login with the built-in administrator account and do whatever they want, including disabling the Parental Controls.
In Windows Vista RC1 we will have completed a series of changes to disable the built in administrator account under most circumstances. These changes apply to the default administrator account named Administrator, which is created during setup.
- The built-in administrator account is disabled by default in Windows Vista on new installations.
- If Windows Vista determines during an upgrade from Windows XP that the built-in Administrator is the only active local administrator account, Windows Vista leaves the account enabled and places the account in Admin Approval Mode. The built-in administrator account, by default, cannot log on to the computer in safe mode. Please see the following sections for more information.
- On non-domain joined computers, when there is at least one enabled local administrator account, safe mode will not allow logon with the disabled built-in administrator account. Instead, any local administrator account can be used to logon. If the last local administrator account is inadvertently demoted, disabled or deleted, safe mode will allow the disabled built-in administrator account to logon for disaster recovery.
- On domain joined computers, the disabled built-in administrator account cannot logon in safe mode. By default a user account that is a member of the Domain Admins group can log on to the computer to create a local administrator if none exists. If the domain administrative account had never logged on before, then the computer must be started in Safe Mode with Networking since the credentials will not have been cached. Once the machine is disjoined, it will revert back to the non-domain joined behavior depicted previously.
Be aware that disabling the built-in administrator account means that it is important that you do not forgot the user name and passwords for the other administrator accounts on that PC. If you do, you may end up a in a situation where you are unable to make further admin changes to your PC—or even event not be able to login at all. To make sure that happens we recommend the follow tips for home users:
- Use the Forgotten Password wizard via the User Accounts Control Panel to create a password reset disk for your account. Store this disk or removable USB device in a safe place.
- Create a password hint for your account.
- Write down your username and password and store it in a safe location.
Note: as we move closer to RTM we will be posting another related blog to address the built-in administrator management in the enterprise.
Darren Canavor, Program Manager, Windows Security Core