In Windows® 7, the built-in administrator account is disabled by default. In previous versions of Windows, an Administrator account was automatically created during Out-of-Box-Experience (OOBE) with a blank password.
An Administrator account with a blank password is a security risk. To better protect the system, the built-in Administrator account is disabled by default in all clean installations and upgrades of Windows 7.
Note: For upgrade installations, the built-in Administrator account is kept enabled when there is no other active local Administrator on the computer. However, the built-in Administrator account is disabled by default for new installations and upgrades on domain-joined computers, regardless of whether there are other active local Administrators on the domain-joined computers.
In audit mode, Windows Setup will implicitly enable the built-in Administrator account as the last action in the auditSystem configuration pass if the built-in Administrator is not already enabled. The first action in the auditUser configuration pass is to disable the built-in Administrator account. This enables you to run programs and applications as an Administrator. When you complete your customizations in audit mode and log off, the built-in Administrator account will be disabled. If you want to leave the built-in Administrator account enabled, you can re-enable it in audit mode.
Enable the Built-in Administrator Account for Windows 7
There are two ways to enable the built-in Administrator account.
- Use the AutoLogon unattended Setup setting
You can enable the built-in Administrator account during unattended installations by setting the AutoLogon setting to Administrator in the Microsoft-Windows-Shell-Setup component. This will enable the built-in Administrator account, even if a password is not specified in the AdministratorPassword setting.
You can create an answer file by using Windows System Image Manager (Windows SIM).
The following sample answer file shows how to enable the Administrator account, specify an Administrator password, and automatically log on to the system.
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <AutoLogon>
      <Password>
         <Value>SecurePasswd123</Value>
         <PlainText>true</PlainText>
      </Password>
      <Username>Administrator</Username>
      <Enabled>true</Enabled>
      <LogonCount>5</LogonCount>
   </AutoLogon>
   <UserAccounts>
      <AdministratorPassword>
         <Value>SecurePasswd123</Value>
         <PlainText>true</PlainText>
      </AdministratorPassword>
   </UserAccounts>
</component>
- Use the Local Users and Groups MMC console
Change the properties of the Administrator account by using the Local Users and Groups Microsoft Management Console (MMC).
- Open the MMC console and select Local Users and Groups.
- Right-click the Administrator account and select Properties.
The Administrator Properties window appears.
- On the General tab, clear the Account is Disabled check box.
- Close the MMC console.
Enable the Built-in Administrator Account for Windows Server 2008
For Windows Server® 2008, the built-in Administrator password must be changed at first logon. This prevents the built-in Administrator account from having a blank password by default.
Both the Microsoft-Windows-Shell-Setup | AutoLogon and Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword sections are now needed for autologon in audit mode to work. Both of these settings should be added to the auditSystem configuration pass.
The following XML output shows how to set the appropriate values.
<UserAccounts>
   <AdministratorPassword>
      <Value>yourBApasswordhere</Value>
      <PlainText>true</PlainText>
   </AdministratorPassword>
</UserAccounts>
<AutoLogon>
   <Enabled>true</Enabled>
   <Username>Administrator</Username>
   <Password>
      <Value>yourBApasswordhere</Value>
      <PlainText>true</PlainText>
   </Password>
</AutoLogon>
Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword can be used in the oobeSystem configuration pass to prevent having to enter a password for the built-in Administrator account after you complete the out-of-box experience.
The following XML output shows how to set the appropriate values.
<UserAccounts>
   <AdministratorPassword>
      <Value>yourBApasswordhere</Value>
      <PlainText>true</PlainText>
   </AdministratorPassword>
</UserAccounts>
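The conditions described in the two answer-file sections above can be checked before an image is deployed. The following Python linter is an added example, not part of the original page or of any Microsoft tool; it flags AutoLogon entries that enable the built-in Administrator account, passwords stored with PlainText set to true, and an auditSystem AutoLogon that lacks the matching AdministratorPassword. It assumes the standard answer-file layout (an unattend root in the urn:schemas-microsoft-com:unattend namespace containing settings elements with a pass attribute); the function name, finding labels and sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}  # assumed standard answer-file namespace
SHELL = "u:component[@name='Microsoft-Windows-Shell-Setup']"

# Constructed sample (not from the page): AutoLogon as Administrator in the
# auditSystem pass, with no AdministratorPassword beside it.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="auditSystem">
  <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
   <AutoLogon>
    <Password><Value>Constructed-Example-1</Value><PlainText>true</PlainText></Password>
    <Username>Administrator</Username><Enabled>true</Enabled>
   </AutoLogon>
  </component>
 </settings>
</unattend>"""

def _text(node, path):
    """Stripped, lower-cased text of a child element, or '' if absent."""
    child = node.find(path, NS) if node is not None else None
    return (child.text or "").strip().lower() if child is not None else ""

def audit_answer_file(xml_text):
    """Return sorted (pass, finding) pairs for the Shell-Setup component."""
    findings = set()
    for settings in ET.fromstring(xml_text).findall("u:settings", NS):
        cfg_pass = settings.get("pass", "?")
        for comp in settings.findall(SHELL, NS):
            auto = comp.find("u:AutoLogon", NS)
            admin_pw = comp.find("u:UserAccounts/u:AdministratorPassword", NS)
            secrets = {"AutoLogon/Password": comp.find("u:AutoLogon/u:Password", NS),
                       "AdministratorPassword": admin_pw}
            for label, node in secrets.items():
                # PlainText=true leaves the password readable in the file.
                if _text(node, "u:PlainText") == "true" and _text(node, "u:Value"):
                    findings.add((cfg_pass, "cleartext-password:" + label))
            if _text(auto, "u:Enabled") == "true" and _text(auto, "u:Username") == "administrator":
                # AutoLogon as Administrator enables the built-in account.
                findings.add((cfg_pass, "autologon-enables-builtin-administrator"))
                if not _text(admin_pw, "u:Value"):
                    findings.add((cfg_pass, "no-administratorpassword-specified"))
                if cfg_pass == "auditSystem" and admin_pw is None:
                    # Server 2008 audit mode needs both settings in this pass.
                    findings.add((cfg_pass, "audit-autologon-missing-administratorpassword"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_answer_file(SAMPLE), sep="\n")
```

Run it over every answer file that goes into an image build; an empty result means none of the three conditions is present in the Microsoft-Windows-Shell-Setup component.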
Disabling the Built-in Administrator Account
Original equipment manufacturers (OEMs) and system builders are required to disable the built-in Administrator account before delivering the computers to customers.
- Run the sysprep /generalize command
When you run the sysprep /generalize command, the next time the computer starts, the built-in Administrator account will be disabled.
-or-
- Use the net user command
Run the following command to disable the Administrator account.
net user administrator /active:no
Configure the Built-in Administrator Password During System Preparation
In Windows Server 2008, Windows Server 2008 R2, and Windows Vista® with Service Pack 1, the default password policy requires the creation of a complex password for all user accounts. During installation, Setup prompts you to configure a complex password. Attempting to configure a non-complex password, either manually or by using a script, such as the net command, will fail.
When you run the sysprep /generalize command on Windows Server 2008 and Windows Server 2008 R2, the built-in Administrator account password is reset. The Sysprep tool only clears the built-in Administrator account’s password for server editions, not for client editions. The next time the computer starts, Setup displays a prompt for a password.
You can automate configuration of the password by creating an answer file to use with Sysprep that specifies a value for the Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword unattended Setup setting.
OEMs and system builders are required to retain the default password policy of their computers. However, corporate customers are permitted to change the default password policy.
A corporate customer can configure a non-complex password for the built-in administrator account during an unattended installation by specifying the desired value for Microsoft-Windows-Shell-Setup | UserAccounts | AdministratorPassword.