Activate Windows’ hidden, master admin account

The column below was originally published in the May 14, 2015 , Windows Secrets newsletter.

Today, it supplements a new column, scheduled for the March 11, 2019 AskWoody Plus Newsletter, focused on what to do if an error causes you to lose all admin privileges on your own PC. Click on over to read the new column!

(I’m reprinting selected Windows Secrets columns here to help ensure readers can find and access information I’m referencing in new columns; until older Windows Secrets/LangaList columns are moved to their new home at AskWoody.com.)

The original, verbatim, un-updated text follows:

Activate Windows’ hidden, master admin account

By Fred Langa on May 14, 2015 in Top Story

Windows’ user rights can be confusing and frustrating. Whether signed in with an administrator-level user account or evoking the Run as administrator setting, you can still run into insufficient-rights warnings.

But Windows’ built-in, separate Administrator account gives you unfettered access to virtually all parts of your system setup — once you know how to access it.

Many Windows users don’t know this account exists, primarily because it’s usually hidden and inactive by default. Here’s how to enable the “master” administrator account — and use it to streamline heavy-duty system repairs, problem-solving, and maintenance tasks in Win8, Win7, and Vista.

One master account to rule them all

Most operating systems have some sort of special-purpose master account: one that lets you control the OS with virtually no restrictions. This type of account has various names: “superuser,” “root,” “supervisor,” and so forth. Windows calls it Administrator.

Windows’ master account doesn’t simply enhance a standard admin-level user account or serve as an elevated version of the Run as administrator option. Administrator operates much like a normal user account, except it has virtually unlimited permissions.

Once activated, Administrator (or Admin for short) is a separate account, complete with its own private desktop and user files. You can set it up with its own themes, background, and other customizations, and you can install software that’s not shared with non-admin-level users.

The unfettered, full-permission access offered by the Administrator account is ideal when you need access to the deepest parts of Windows — for example, when you’re trying to resolve really thorny system problems. But clearly, that level of control can also be dangerous. There’s no safety net, so a misstep could royally screw up your system.

That’s why Microsoft hides the Admin account by default. It’s not intended for full-time, routine use — the risks are simply too great — but it’s there for knowledgeable users to employ when needed.

A review of Windows’ admin-level access options

As noted, Windows offers three ways to access admin-level permissions and functions. They are, from simplest to most powerful:

  • Run as administrator: This option is typically used to temporarily access limited admin-level rights from within a non-admin-level (standard) account. In some cases, tasks that require administrator-level permissions can be run by simply right-clicking the name of an app or function and selecting the “Run as administrator” option.The process has a couple of speed bumps: a user account control (UAC) prompt must be acknowledged, and you must also enter an admin-level password. This two-step process can cause problems with complex and multi-step admin-level tasks. Also, depending on the account type (standard, guest, or child), some admin-level tasks are simply off-limits.
  • Assign a user account as an administrator: Admin-level user accounts are subject to UAC controls. A warning will pop up whenever a potentially dangerous system change is about to start — for example, when installing new software or making system-level changes that might affect other users. The task won’t proceed until the user explicitly grants permission via a UAC prompt.This one-step speed bump lets most admin-level tasks run to completion. However, some complex, multi-step tasks might fail. This can happen when a task requires several admin-level tools working in series or uses command lines or scripts. The process could stop because only the first tool or task received the necessary permissions.
  • Sign in as Administrator: The master Admin account — the focus of this article — has full permissions and operates with virtually no restrictions. It has none of the restrictions or drawbacks of the first two administrator-access methods.When you’re in the Admin account, you’ll likely never see a UAC prompt — any system-level task you initiate is carried out immediately. Not only is this UAC-free operation convenient, it will also let you complete complex tasks that would otherwise fail. Within an Admin account, you can sequentially run multiple tools and tasks without the problem of repeatedly confirming elevated privileges.

In practice, I’ve found that the Admin account gives the best shot at overcoming otherwise unsolvable Windows-permissions issues. Many tasks that can’t be completed via an admin-level user account or the run-as-administrator option will generally work in the Admin account.

How to reveal and activate the Admin account

There are various ways to enable the Administrator account, but two are probably the simplest: an easy point-and-click process and a quick command-line entry.

(All the following instructions assume you’re starting from an admin-level user account.)

Point and click

This method uses the Local Users and Groups feature (or plugin) in Windows’ Microsoft Management Console (MMC). It’s available on all but the most limited editions of Windows, such as Windows Basic and Windows Home.

Here’s how to enable the Admin account via the MMC:

  • Win8: From the desktop, right-click the Start icon, click Run, and then enter lusrmgr.msc (or open the Search charm and enter lusrmgr.msc there).
  • Win7/Vista: Click Start, enter lusrmgr.msc into the run or search boxes, and then press Enter.
  • In all three versions of Windows, if a UAC prompt appears, click Yes to accept the warning.
  • With the Management Console open, click Users in the left pane.
  • In the center pane, right-click Administrator and then select Properties. The Administrator Properties dialog box will appear.
  • In Administrator Properties, under the General tab, clear (uncheck) the Account is disabled box (Figure 1).

Figure 1. Account is disabled checkbox reveals and enables the master administrator account.

Command line

This method works in every version and edition of Windows that I tried it on — all the way back to Vista Basic!

  • Open an administrator-level (aka elevated privilege) command prompt. In Win8, type Windows key + X and select Command Prompt (Admin). For older Windows versions, enter command prompt into the start menu search box. When it appears in the search results, right-click it and select Run as administrator. (For more on the command prompt, see the MS how-tos for Win8Win7, and Vista.)
  • Type or copy/paste the following command (also shown in Figure 2), which reveals and enables the Administrator account:net user administrator /active:yes

Figure 2. Activating the Administrator account in an admin-level command window
  • Press Enter and then close the command Window.

Accessing the Administrator account

Once you’ve enabled the Administrator account via either of the preceding methods, reboot your system, sign out of your currently open account (or select Windows’ Switch user option) — the Admin-account icon should now appear on your sign-in screen. (For more info, see the MS FAQ item, “How can I switch to a different user account?” for Win8Win7, and Vista.)

Figure 3 shows the Administrator account added to a Win7 sign-in screen. Win8 and Vista look somewhat different, of course, but work the same way. To access Administrator, you simply click its icon, just as you would any admin- or standard-user account.

Administrator icon

Figure 3. Once activated, the master Administrator account appears as a normal sign-in option (Win7 shown).

The first time you access the new Admin account, Windows will take some time to set it up. Again, Administrator has its own desktop, user files, and settings, so Windows needs to create a new user folder (C:\Users\Administrator) with the standard subfolders: Contacts, Desktop, Documents, Downloads, and so forth. Fortunately, the setup is a one-time event; once completed, accessing the Administrator’s account will take no more time than accessing any other account.

Important: When the Administrator account is first set up, there’s no password for it. But this fully privileged account is, obviously, too dangerous to leave unguarded. So once Windows completes the setup process and you have full access, your first task should be to establish a really secure password.

You can use the normal method: click Control Panel/User Accounts/User Accounts and use the appropriate prompts/links that let you add or change a password. You can also change the sign-in picture and so on.

Checking whether the Administrator account works

It’s easy to verify that your new Admin account is fully privileged. Simply put, with a properly working Admin account, you should almost never see a UAC warning.

To test this, simply begin any task that would normally trigger a UAC prompt. For example, the full Management Console normally requires a UAC confirmation to launch from a typical user account. But once you’re in Administrator, simply entering mmc into the Windows search or run box will take you straight to the Management Console — with no intervening UAC speed bump.

Similarly, any command window you open within Administrator automatically includes admin-level rights — no further steps are needed to elevate the command windows’ privileges.

You’re now free to perform virtually any system-level task, with no worries about having the right permission levels and without UAC interference.

Remember: When you’re running as Administrator, you’re working without a figurative safety net — there’ll be no warnings to remind you that you’re about to undertake potentially dangerous actions. So before making any significant system changes with the Admin account, carefully think through any actions you’re about to perform — and always, always, always make sure you have full, current, working backups. (Please don’t send me an email stating that you tried Administrator, severely damaged your system, and have no backup to restore!)

When you’re finished with a task that required the use of the Admin account, sign off (or reboot) and then sign back in to your normal user account. (Another reminder: Many, if not most, standalone Windows users run continuously on an admin-level user account, which can make it easier for malware to take full control of the system. It’s safer to use a standard user account for your day-to-day computing activities.)

How to put Administrator back in the closet

Again, for security’s sake, you should use the Admin account only when you really need it. When you disable and hide the account, its icon will no longer appear on the sign-in screen. Think of it as removing temptation.

Fortunately, the steps for putting Administrator away are nearly identical to those you use to enable it. There are, again, two simple methods; perform either from your regular user account.

Point-and-click: Follow the same steps described above to access the Administrator properties via the MMC. But now, simply tick the Account is disabled box (Figure 4); then click OK and exit the console.

Disable master admin account

Figure 4. One click quickly disables and hides the Administrator account.

Command-line: Open an admin-level command prompt and then type or copy/paste the following command (shown in Figure 5).

   net user administrator /active:no

Disable master admin via command window

Figure 5. Disabling the master Administrator account via a command-line window

Press Enter and close the command window.

Whichever method you use, it’s really just that simple!

Automate the enable/disable-Admin process

If you think you might need to pop in and out of Administrator regularly, you can save yourself some time by automating the command-line method.

In your normal user account, type or copy/paste the enabling command (net user administrator /active:yes) into Notepad. Click File/Save As and navigate to the location where you want to keep the file. In the Save as type drop-down menu, select the All Files option. Give the file an obvious name and assign it a .bat extension instead of .txt.For example, you might call the enabling file EnableAdminAcct.bat (see Figure 6).

Creating batch command

Figure 6. Creating command files makes it easy to enable/disable the Administrator account.

Now click New in Notepad and do the same thing for the matching disabling command (net user administrator /active:no). Once again, click File/Save As, select All Files, give this file an equally obvious name, and assign it a .bat extension (for example, DisableAdminAcct.bat).

When you want to enable or disable the Administrator account, right-click on the appropriate .bat file and select Run as administrator. Accept any UAC warnings that appear; a command window will flash on the screen as the command executes — and then vanish.

Ultimate power requires ultimate caution

You can then reboot, sign off, or use the Switch user command: the Admin account’s icon will be either present or absent on the sign-in screen — depending on whether you ran the enable or disable command.

Once again, the Administrator account is hidden by default for a very good reason: it can be dangerous if misused. In fact, an MS TechNet page suggests that Administrator is aimed at IT-level activities such as operating-system deployment and software auditing.

But with care, caution, and good backups, the master admin-level account can be used for complex repair and maintenance tasks as well as to resolve stubborn permissions problems that “Run as administrator” or an admin-level user account simply can’t handle.

Permalink: https://langa.com/?p=2066

[seperator]

COMMENT / QUESTION on THIS ITEM? See the Comment box at bottom of this page!

NEW QUESTION?
Ask here!

(Want free notification of new content? Click here!)

Comment? Question? Reply...?