Activate Windows’ hidden, master admin account

Topic

New Reply

	TOP STORY Activate Windows’ hidden, master admin account
	By Fred Langa Windows’ user rights can be confusing and frustrating. Whether signed in with an administrator-level user account or evoking the Run as administrator setting, you can still run into insufficient-rights warnings. But Windows’ built-in, separate Administrator account gives you unfettered access to virtually all parts of your system setup — once you know how to access it.

---

The full text of this column is posted at windowssecrets.com/top-story/activate-windows-hidden-master-admin-account (paid content, opens in a new window/tab).

Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.[/td]

[/tr][/tbl]

Reply | Quote

Replies

I fear they might have disabled the point and click solution in Windows 8.1.

40587-PrtScr-capture

Reply | Quote

I fear they might have disabled the point and click solution in Windows 8.1.

40587-PrtScr-capture

Fred does say it is available on all but the most limited versions of Windows, presumably you are using Home or Basic?

As you can see below it is working fine in my Pro version of 8.1

40588-Screenshot-1

Welcome to the lounge as a new poster!

Reply | Quote

Fred does say it is available on all but the most limited versions of Windows, presumably you are using Home or Basic?

As you can see below it is working fine in my Pro version of 8.1

40588-Screenshot-1

Welcome to the lounge as a new poster!

Ah, yes! I am using the Home version. The wording from Microsoft made me believe it was an 8.1 issue…

Reply | Quote

I did the hack on my Windows VISTA Ultimate so when I read this newsletter I thought great! I can now do the same here. Didn’t work stating snapin may not be used with this version of Win8.1. Made me stop an wonder what version do I have. Only thing I can find is I have Win8.1. Can’t find anything about Home, Basic, Pro etc. PC is a HP with Win installed on purchase. Maybe it would be nice for Fred to have stated up front, “Won’t run on Home or Basic” to prevent a ton of people from trying it.
How about Fred tell us how to determine which Windows I do have?:rolleyes::rolleyes:

Reply | Quote

I did the hack on my Windows VISTA Ultimate so when I read this newsletter I thought great! I can now do the same here. Didn’t work stating snapin may not be used with this version of Win8.1. Made me stop an wonder what version do I have. Only thing I can find is I have Win8.1. Can’t find anything about Home, Basic, Pro etc. PC is a HP with Win installed on purchase. Maybe it would be nice for Fred to have stated up front, “Won’t run on Home or Basic” to prevent a ton of people from trying it.
How about Fred tell us how to determine which Windows I do have?:rolleyes::rolleyes:

Do you want Fred to do everything for you

Here, a Google found this http://windows.microsoft.com/en-gb/windows/which-operating-system

Reply | Quote

I did the hack on my Windows VISTA Ultimate so when I read this newsletter I thought great! I can now do the same here. Didn’t work stating snapin may not be used with this version of Win8.1. Made me stop an wonder what version do I have. Only thing I can find is I have Win8.1. Can’t find anything about Home, Basic, Pro etc. PC is a HP with Win installed on purchase. Maybe it would be nice for Fred to have stated up front, “Won’t run on Home or Basic” to prevent a ton of people from trying it.

He did:

Point and click

This method uses the Local Users and Groups feature (or plugin) in Windows’ Microsoft Management Console (MMC). It’s available on all but the most limited editions of Windows, such as Windows Basic and Windows Home.

If you have Win 8.1 but not Pro you can still use the elevated command prompt method.

Reply | Quote

I fear they might have disabled the point and click solution in Windows 8.1.

40587-PrtScr-capture

I’m getting the same, any work around?

Reply | Quote

Millions of us are still using XP in spite of Gates trying to bankrupt everyone by forcing us to continually upgrade everything. Does this article apply to XP as well?

Reply | Quote

It is also possible to access the administration account settings by right clicking on “Computer” on the desktop, selecting “Manage”, then select “Local Users and Groups”, double click “User” in the right pane and you will see the location accounts including the Administrator account.

Reply | Quote

It is also possible to access the administration account settings by right clicking on “Computer” on the desktop, selecting “Manage”, then select “Local Users and Groups”, double click “User” in the right pane and you will see the location accounts including the Administrator account.

I’m not seeing this with Win 7 Home Premium; what version were you running?

EDIT: removed original additional question about lusrmgr.msc

Reply | Quote

RayT435, What OS are you using? Or maybe, what kind of networking are you using? I can’t follow your trail.

I am running 8.1 Pro and logged in as an administrator for the task. On my desktop there is no “Computer” to manage. Maybe no big deal, I opened Windows Explorer, right clicked “This PC” and selected “Manage” but there is no “Local Users and Groups” in the right pane.

I’d really like to be able to use groups; I like the control granularity between groups, users and filesystem permissions. Is “Local Users and Groups” missing because I’m using Homegroup?

One other thing, slightly off topic but please humor me, are the policies I once found under Control Panel > Administrative Tools > Computer Management anywhere to be found any more? I’m talking about things like, heck, enabling or disabling swapfile deletion at shutdown (for example!) –Thanks

Reply | Quote

A few things to point out when using the built-in Administrator account (RID 500).

– Turning on the Administrator account enables access to hidden file shares (C$, Admin$). This can create a significant security risk.

– Turning on the Administrator account allows remote connection with full admin privileges to all remotable services (remote registry, task scheduler, Windows Firewall configuration, WMI, etc). Again this can create a security risk.

– WinRT apps will not run under Administrator account. If you try to launch a WinRT app, you get the following error message: “xxx can’t be opened using the built-in Administrator account. Sign in with a different account and try again.”

– The Windows Store is not available under the Administrator account. If you try to visit the Windows Store, you get the following error message: “Store can’t be opened using the Built-in Administrator account. Sign in with a different account and try again.”

Reply | Quote

- Turning on the Administrator account enables access to hidden file shares (C$, Admin$). This can create a significant security risk.

– Turning on the Administrator account allows remote connection with full admin privileges to all remotable services (remote registry, task scheduler, Windows Firewall configuration, WMI, etc). Again this can create a security risk.

I’ve been doing both of those for all my system-administrative life in XP and Windows 7 without needing to use the actual Administrator account! My account merely has to have administrator privileges.

BATcher

Plethora means a lot to me.

Reply | Quote

I’ve been doing both of those for all my system-administrative life in XP and Windows 7 without needing to use the actual Administrator account! My account merely has to have administrator privileges.

That is because on your Win 7 box, you had changed the registry setting LocalAccountTokenFilterPolicy. You can go to Action Center -> Change User Account Control settings, and change the slider from Notify me when apps try to make changes to my computer to Never notify me. I think that sets the value to 0. (Or it makes the value moot; I don’t remember offhand.)

However, turning UAC completely off is definitely not recommended.

It is not applicable to XP (it does not have UAC).

Granted, turning off the token filter (while leaving UAC on) can be useful for remote management in an enterprise. IT techs often set it to 0 in Group Policy for remote management. It’s not recommended for home or mobile users, however. Of course security is always a tradeoff of convenience versus protection.

Reply | Quote

On se7en x64, if you’re going to run in the big dog admin accnt. it is recommended that you rename it after enabling. You can rename the guest account at the same time if your making the changes in Local Security Policy. Be aware anytime your in The Admin Account you make it easier for malware hidden in a Root Kit to gain access to areas that otherwise they would not be able to due to lack of admin privileges, not counting the aforementioned caveats.

Reply | Quote

That is because on your Win 7 box, you had changed the registry setting LocalAccountTokenFilterPolicy. You can go to Action Center -> Change User Account Control settings, and change the slider from Notify me when apps try to make changes to my computer to Never notify me. I think that sets the value to 0. (Or it makes the value moot; I don’t remember offhand.)

However, turning UAC completely off is definitely not recommended.

It is not applicable to XP (it does not have UAC).

Granted, turning off the token filter (while leaving UAC on) can be useful for remote management in an enterprise. IT techs often set it to 0 in Group Policy for remote management. It’s not recommended for home or mobile users, however. Of course security is always a tradeoff of convenience versus protection.

You don’t need to for XP. Just log off, hit the 3 finger salute twice and inter Administrator and then it’s password.

Reply | Quote

You don’t need to for XP. Just log off, hit the 3 finger salute twice and inter Administrator and then it’s password.

Only in the Professional edition. In the Home edition, you have to restart in Safe Mode.

Reply | Quote

I’ve been doing both of those for all my system-administrative life in XP and Windows 7 without needing to use the actual Administrator account! My account merely has to have administrator privileges.

As the story notes, running in admin all the time comes with serious risks. If you compute safely, you’ll be all right. But it’s not the surest way to protect from intrusions and unexpected trouble.

Reply | Quote

When I open lusrmgr.msc the window that opens only shows “Local Users and Groups (Local)” in the left pane and a warning in the middle pane that says “This computer is running Windows 7 Home Premium. This snapin may not be used with this version of Windows. To manage user accounts for this computer, use the User Accounts tool in the Control Panel.”

When going there I see no option to enable the Admin account (only to add Admin to other user accounts). You mentioned that this should work for all versions of Win 7. What is the problem?

Reply | Quote

You mentioned that this should work for all versions of Win 7. What is the problem?

It didn’t say all versions. It said except Basic/Home editions. You can use the command line alternative which the article did say applies to all versions/editions.

Reply | Quote

Thank you for your reply. I saw “all” and then missed the word “but” in versions it worked with – my mistake. And when I tried the command line prompt, I missed the part about running as Admin, so that failed for me then. I’m sorry I missed both of these – which were correct in the article. By running command line prompt as admin, it worked! Thank you for your help and sorry I didn’t read both those incorrectly.

Reply | Quote

I have a Win7PRO 64bit and when I try to uncheck the “disable Administrator” box and apply or “OK,” I get an error message that the password “does not meet policy password requirements.” My password for my account is “symbol####XXXxxxxxx” which is pretty good. Why am I getting this and how can I make the admin account work?
Thanks
steve rose

Reply | Quote

The admin a/c opens and shows -preparing your desktop- next message -location not available c:windowssystem32 configsystem profiledesktop – and there we stop . What is my next option please ? OS is Win 7 H.P. Michael

Reply | Quote

The admin a/c opens and shows -preparing your desktop- next message -location not available c:windowssystem32 configsystem profiledesktop – and there we stop . What is my next option please ? OS is Win 7 H.P. Michael

This post suggests that the answer is to just recreate that folder: Fix: “C:WindowsSystem32ConfigSystemProfileDesktop” refers to a location that is unavailable.

Reply | Quote

Will this help my situation?

I have a folder of files, but can’t move them from the folder to a different folder nor can I delete them (I really don’t need them anymore).
Keeps telling me I don’t have permission to take that action (move or delete).
I’ve tried going into the permissions of the folder and changing it, but it keeps telling me I don’t have permission!

Thanks,

Reply | Quote

…can’t move them from the folder to a different folder nor can I delete them…don’t have permission to take that action…

What happens if you boot into Safe Mode and attempt to move that folder?

"Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisted

Reply | Quote

I have a Win7PRO 64bit and when I try to uncheck the “disable Administrator” box and apply or “OK,” I get an error message that the password “does not meet policy password requirements.” My password for my account is “symbol####XXXxxxxxx” which is pretty good. Why am I getting this and how can I make the admin account work?
Thanks
steve rose

Seems steve’s comment ran afoul of the ‘last comment at the bottom of the page’, meaning low visibility, no replies. I also encountered in this on my Win7Pro 64-bit. This error occurs whether using the command line or the lusrmgr.msc app.

Reply | Quote

I have Win 7 Ultimate with one assigned admin account, one personal account and one guest account.

I am unable to reach admin-level access as suggested…

When using the Admin Command Prompt option, I’m stopped by: System 5 error has occurred. Access is denied

Using the Start > Lusrmgr.msc option, I find the admin account. But when trying to disable the account, the message is Access is denied.

How can I work around that? What’s happening here, anyone know?

Among other things, I’m unable to reassign the admin rights, and I can’t rename that admin account.

??

Reply | Quote

When using the Admin Command Prompt option, I’m stopped by: System 5 error has occurred. Access is denied

I think that means you didn’t run command prompt as administrator: System error 5 has occurred.

Using the Start > Lusrmgr.msc option, I find the admin account. But when trying to disable the account, the message is Access is denied.

Disable? The instructions were to enable (by unchecking disabled).

Reply | Quote

It didn’t say all versions. It said except Basic/Home editions. You can use the command line alternative which the article did say applies to all versions/editions.

The Command Prompt did not not work on my Windows 7 Home Premium after I received the same message that the snapin would not work with this version. In the article he noted only that it worked on every version and edition he tried it on, not on all versions. This version is at least one exception.

Reply | Quote

The Command Prompt did not not work on my Windows 7 Home Premium after I received the same message that the snapin would not work with this version. In the article he noted only that it worked on every version and edition he tried it on, not on all versions. This version is at least one exception.

It should work in Windows 7 Home Premium: How to enable or disable user account in windows 7 Home Premium

Was it an Administrator Command Prompt?

What error response did you get?

Reply | Quote

It should work in Windows 7 Home Premium: How to enable or disable user account in windows 7 Home Premium

Was it an Administrator Command Prompt?

What error response did you get?

I followed the info to run as administrator per the article you sent, did the cmd prompt and changed the user to active administrator, then ran the command lusrmgr.msc and got the message in the attachment stating that this snapin may not be used with this Windows version, and to use the Control Panel User Accounts Tool to make changes.
Both of these reponses should be shown in the attachments…

Reply | Quote

I followed the info to run as administrator per the article you sent, did the cmd prompt and changed the user to active administrator, then ran the command lusrmgr.msc and got the message in the attachment stating that this snapin may not be used with this Windows version, and to use the Control Panel User Accounts Tool to make changes.
Both of these reponses should be shown in the attachments…

They were alternatives in Fred’s article:
How to reveal and activate the Admin account
There are various ways to enable the Administrator account, but two are probably the simplest: an easy point-and-click process and a quick command-line entry.

You don’t need them both. The command prompt worked for you to activate the administrator account, so you don’t need lusrmgr.msc (and can’t use it on a Home edition).

Move on to the next three or four sections in Fred’s article:
Accessing the Administrator account
Checking whether the Administrator account works
How to put Administrator back in the closet
(Automate the enable/disable-Admin process)

Reply | Quote

It didn’t say all versions. It said except Basic/Home editions. You can use the command line alternative which the article did say applies to all versions/editions.

I figured that out too. I have one system using Win 7 Home Premium and one using Win 7 Pro. I found that I could only use the elevated command prompt to access the hidden administrator account. I had to use it because there are files .msi from the system creator, HP, that I cannot run on the Home Premium system because there is no “run as administrator” option and the install fails because even though I say yes to the UAC prompt, the install tries to modify a registry key and fails. This is a program HP uses to download things like bios and firmware updates so it is important. There’s another workaround but that is putzy and doesn’t always work either. So I created the hidden admin account in an elevated prompt window, rebooted, went into the new account and then had to hunt for the .msi file as my “normal” downloads folder appeared empty, found it and ran it successfully, then just switched users back to my normal account. And was able to get the things I needed from HP. So there is a use for it, and a way to do it even with Home Premium, but as others have pointed out, it can be dangerous so do what you have to do in it and then move back to your other account. :^)

Reply | Quote

. I had to use it because there are files .msi from the system creator, HP, that I cannot run on the Home Premium system because there is no “run as administrator” option and the install fails because even though I say yes to the UAC prompt, the install tries to modify a registry key and fails.

For this you could try running W Explorer w/ run as and running the MSI file from explorer by double clicking.

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

For this you could try running W Explorer w/ run as and running the MSI file from explorer by double clicking.

For some reason there is no run as option with those files, only run or install, from Explorer unless I am in the hidden administrator account, then that works fine. So it was a good thing to see Fred’s article when I did. :^)

Reply | Quote

For some reason there is no run as option with those files, only run or install, from Explorer unless I am in the hidden administrator account, then that works fine. So it was a good thing to see Fred’s article when I did. :^)

Using RUNAS to start explorer puts you in ADMIN context for most if not all programs started from THAT explorer window.

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Well, one thing the super admin can’t do is delete .cpanel that was included in a backup of my website. It shows as 0bytes in explorer, so deleting it has more to do with organization size.

Reply | Quote

I would add the real “Super User” / “root” of windows is the “System” account…. not Administrator as its got most privs but not the whole kingdom….

using psexec.exe ( PsTools ) one can become the King… psexec -s -i -d cmd.exe -> will open a command prompt with SYSTEM creds.. but be warned you can quickly destroy as well.

Reply | Quote

In this and other articles, Fred always says to use the .bat extension for command files. In the past I have had some problems using this for reasons I could never figure out but using the .cmd extension has never failed in any way. Does anyone have an explanation? Fred maybe?

Thanks,
Bob

Reply | Quote

In this and other articles, Fred always says to use the .bat extension for command files. In the past I have had some problems using this for reasons I could never figure out but using the .cmd extension has never failed in any way. Does anyone have an explanation? Fred maybe?

Thanks,
Bob

I must admit I’m a long-time reader and I missed this particular advice from Fred. However I can comment because I’m also a long-time user and creator of advanced batch files.

Personally, I’ve used both .bat and .cmd extensions without problems. I’m not sure exactly why Fred would prefer use of the .bat because functionally, I’ve found them to be the same. As in, exactly the same.

However the batch programming language is much more advanced than the tool I used back in the DOS days. Batch had multiple infuriating limitations then, ones which could only be addressed by either adding 3rd party programs, or switching to another language entirely. Most of those limitations are gone or greatly reduced now. I’ve also discovered that the power of Active Directory is available to batch which raises the whole game to a new level.

As an acknowledgement of the change in circumstances, I’ve mostly switched to .cmd now. Batch kind of got a bad reputation for those limitations back in the day. It’s that bad reputation that caused my preference to switch.

A lot of people would recommend switching to PowerShell, particularly with the addition of WMI. Or switch to Python, or C#, or Java, or… well the choices can quickly get overwhelming. My experience is that different tools appeal to different people and different circumstances. As long as you can get the job done and do a good job at that, pick whatever tool fits.

Reply | Quote

pick whatever tool fits.

:clapping:

Reply | Quote

I got the error mentioned above in Win 8.1 Home Prem.
So I followed Fred’s second way and used the command line. That worked fine. And I created the batch files after to turn it off and on. That worked fine too.

Good suggestion, RayT but Manage doesn’t work in Home versions either. The User section is missing.

As Fred said – you DON’T want to leave this account on normally. Gideon mentioned some further reasons above.

I would not rename this account. You don’t want to leave it live when unused nor cause problems when you do need it later. This is something to try and then turn off again.

Reply | Quote

I didn’t think Windows 7 Home Premium qualified as a “… Windows Basic and Windows Home.” edition. I’ve been fooled by the word Premium. In truth the snapin lusrmgr.msc is limited to high end OS use only. Bummer!

Reply | Quote

I have the sinking feeling this is not 8.1 Pro.

I got the “not on this version of Windows” error a couple of other people mentioned. I’m not afraid of a command prompt, so no big deal.

BUT, when I find my OS in either PC Settings or Control PanelAll Control Panel ItemsSystem it only says “Windows 8.1” but in the second method it helpfully offers to sell me “more features with a new edition of Windows.” For only $99.99 I can buy the “Windows 8.1 Pro Pack” not what I want to see.

Background: I bought this laptop as a floor display just over a year ago. I’d swear it said, at the time, Windows 8 Pro.

Another nail in the coffin is when I use the Dell service code to see the configuration it mentions “OPERATING SYSTEM, W8H64” in a couple of places, that “H” sure doesn’t look like a “P”.

So how does the Professional system establish that it is Professional, not Home? And how can someone tell the difference between Home and Home Premium?

FWIW: From the command prompt “ver” returns: Microsoft Windows [Version 6.3.9600]

Reply | Quote

Thanks, and the comparison link makes me really want professional for the mgt tools.

What does it read when you do steps 1-4 on an 8.1 system running Professional?

Mine simply says “Windows 8.1” (and offers to sell me an upgrade) and yeah, 64bit, 6GB RAM etc.

Without something to compare it to I can’t shake that last 1% of doubt!

Reply | Quote

Really helpful Fred, thank you.

And very timely! I had just put together a new computer for a client whose old machine was dying with HD errors. Temporarily hooking up the failing HD to the new computer and with the use of “Master Admin” I was able to access important files that otherwise would have been restricted. And yes, it was “back in the closet” after the privileged tasks were completed.

Thanks,
Bill

Reply | Quote

Fred

No cloud-storage provider can guarantee 100 percent “uptime,” and the numbers they do quote can be a bit deceiving. For example, an advertised uptime of “99 percent” sounds great — until you do the math. Given 8760 hours in a typical year, a cloud service could be down for 87.6 hours — more than two work weeks! — and still meet the 99 percent-uptime promise.

Sooomebody DID NOT do the math!:-_-:

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Sooomebody DID NOT do the math!:-_-:

Please explain.

Reply | Quote

87.6 hours — more than two work weeks! —

Somebody did not do the reading, ME!
I missed the work in the sentence :blush::flee:

I was thinking 7*24*2=336

But the point about reliability is well taken, if my cable co could give me say four 9s (99.99%) reliability I would be in awe.

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

I am using a version of win 8.1 that does not allow the MMC plugin to work, so I tried the CMD approach. I get a response that the command was successful but, when I log out or restart, I only see one user – my original one with admin privileges. If I look in Control Panel Make changes to another account – I can see the Administrator account and even create a password for it.
I still only see one account on restart and the password does not stick because, if I go to Control Panel again, I can set a new password on the Administrator account without having to provide the previous one.
Any suggestion as to what I am missing would be welcome.
Is it that it is just not possible to use the Administrator account on the lower version of win 8.1?
Should I be using a local sign in rather than a Microsoft one for the original account when I try to activate the hidden Administrator account?

Reply | Quote