In this week's TR Dojo episode, I show you how to unlock the hidden Administrator account on Windows 7 and Vista with the Computer Management console and Net User command.
While it's generally not a good idea to use a true admin/root account for day-to-day computing, there are times when it makes things easier. Do you ever log in as the local admin? Take the poll in the post above and let me know.
Post and poll:
http://www.techrepublic.com/blog/itdojo/video-enable-the-hidden-administrator-account-in-windows-7-and-vista/2423
Discussion on:
View:
Show:
I use su or doasroot to handle admin tasks.
even when starting an lfs build, I don't login as root to do it. I use su.
[ and to start an lfs build there are a number of things you need root access to set up the system for the build ]
even when starting an lfs build, I don't login as root to do it. I use su.
[ and to start an lfs build there are a number of things you need root access to set up the system for the build ]
As always, you have put together another cool presentation. Even though I already knew the steps to activate admin, I did not know the net user command.
I like the addition of the bloopers at the end! Nice touch!!!
JD Stewart, M.Ed.
I like the addition of the bloopers at the end! Nice touch!!!
JD Stewart, M.Ed.
The addition of them? Bill's been doin' that (having bloopers on the end) for more than 4 years.. and every year comes out with a "Best Of" Bloopers edition.. Always fun & funny!
Favorite this time? ... Is that what orchestra folk yell when cutting down trees? CYMBERS!!
Favorite this time? ... Is that what orchestra folk yell when cutting down trees? CYMBERS!!
You say "For those who prefer text to video, you can click the Transcript link that appears below the video player window" but I can't see it, and the article by Shultz deals only with W7
When you mouse over the player window, a set of controls should appear at the bottom--pause, volume, etc. There should also be a menu button (I believe it's on the right). Clicking this button should get you a few options--including the ability to view the transcript.
I wanted to save the video for future reference so I clicked on the "download" button, selected HD format and clicked the second "download" button. It open a page at BNET (whatever that is) and there is no sign of this video anywhere that I could find on that site. What gives with that?
I'll find out why the download video button isn't working and post an answer. I'm traveling today, so it may Monday.
What about the Administrator account on Vista Home Premium ?
How do I activate it ?
Thanks a lot.
How do I activate it ?
Thanks a lot.
I believe that is how I DISABLE all of my Home users in Vista/Win7. In XP, I try Ctrl-Alt-Del twice to try to get the log box to appear; if that doesn't work, I reboot into safe mode and wallah!
I always give the hidden Administrator an impossible to crack password, and then disable it using the command line in Home editions. Their will be no account controls in the admin tools on those versions, of course. I either record this password in my records, or put a post-it inside the system unit, so they can't lose it.
This has kept many of my clients from getting cracked by malware on XP installations. I figure it can't hurt on Vista/Win7 either. So far I've never had to re-enable it and log in to do anything for the client.
I always give the hidden Administrator an impossible to crack password, and then disable it using the command line in Home editions. Their will be no account controls in the admin tools on those versions, of course. I either record this password in my records, or put a post-it inside the system unit, so they can't lose it.
This has kept many of my clients from getting cracked by malware on XP installations. I figure it can't hurt on Vista/Win7 either. So far I've never had to re-enable it and log in to do anything for the client.
impossible password to crack? That's impossible...it's just a matter of time. Disabling the "not hidden" admin account has no effect on whether or not malware gets on your computer.
I've had the hidden account pwned many times on client machines, and even my first W2K PC back in 2001! Of course that one isn't hidden, but none the less, I wasn't familiar with the new security standards at the time.
I stand on my record, in that none of my clients, that listens to me, has been compromised in all the years that I have supported them. I use all the blended defenses, including the Microsoft built-in features.
I may be wrong about the cmd line syntax, but there is one, because I always google it before doing the action, and I always find it. Sure you can crack any password, but how much is it going to cost the cracker in time and money! Something like this one:
Ffkt$kl8+2b??k;Wqh6^mMnz~_-*?
How many years is it going to take to crack that one - not including encryption?
I stand on my record, in that none of my clients, that listens to me, has been compromised in all the years that I have supported them. I use all the blended defenses, including the Microsoft built-in features.
I may be wrong about the cmd line syntax, but there is one, because I always google it before doing the action, and I always find it. Sure you can crack any password, but how much is it going to cost the cracker in time and money! Something like this one:
Ffkt$kl8+2b??k;Wqh6^mMnz~_-*?
How many years is it going to take to crack that one - not including encryption?
Sorry... netuser didn't work in Vista Home Premuim... al least not with the same sintax that TR Dojo gave.
I have to google the command line syntax everytime I do it. But the fact is the command line works for this mission. I was working with HP on one of my clients machines once, and they couldn't understand how come the hidden Administrator would not show up on the machine, and I had to explain over and over again that I had disabled it; and I couldn't remember how. After the problem was escalated to a higher lever of support; the new tech knew what I was talking about and recovered the account so the password could be used. I do this all the time - how could I be mistaken, other than in syntax?
http://www.howtogeek.com/howto/windows-vista/enable-the-hidden-administrator-account-on-windows-vista/
You know what they always say about Windows don't you? It will always "." and "/" you right in the ":" - HA!
http://www.howtogeek.com/howto/windows-vista/enable-the-hidden-administrator-account-on-windows-vista/
You know what they always say about Windows don't you? It will always "." and "/" you right in the ":" - HA!
Help me understand the difference between W7 Home premium and Home Edition. W7 is so restrictive, part of the improvement of security brought some paralysis on the system.
The "Hidden" Admin account is not hidden. Don't make it sound like it is something special MS did to intrigue us or that you have to make some kind of registry hack while burning incense and chanting ritual . The "builtin" admin account has been disabled by default since Windows XP at least an OEM install of the OS from Dell makes you create an Admin account when you first configure the machine or on subsequent installs later. After the install you have to follow these exact same steps to activate the builtin admin account. If you are an IT person with 6 months of experience installing Windows and didn't know how to do this basic task you are behind the power curve.
You need to ensure you have the latest verson of Flash Player installed and that you're not blocking scripts from techrepublic.com, zdnet.com, bnet.com, cnet.com, or com.com. We have a shared video platform, and blocking any of those sites will prevent techrepublic videos from playing.
Still the same for me too, only options are sound level, full-screen, and "other videos" -
Either you see the link or go to Greg's article. What is so difficult to understand about that?
The password is still stored ... the account inactive, will attempt login, and get dumpped back once windows realizes the account is disabled.
That's if you're using the older style login not the "login screen" where you have buttons for users. You'd authenticate to windows, and then it'd dump you... in days of old.. it might take a few seconds, and you might get resource listings ... but that was addressed in future versions to curtail what leaks for inactive accounts.
If memory serves there was some arguement about not dumping a user based on the name, because then you'd be able to mount a dictionary attack looking for valid user names .. ie.. administrator locked or invalid.. not dumping on just getting that "User" but waiting to deny after getting both user and password.
I think there was also some tiff about having different error messages which again leaked that the account was valid rather than invalid.
From the security standpoint, you don't want to give out *any* information unless both the user and password parts are valid.
That's if you're using the older style login not the "login screen" where you have buttons for users. You'd authenticate to windows, and then it'd dump you... in days of old.. it might take a few seconds, and you might get resource listings ... but that was addressed in future versions to curtail what leaks for inactive accounts.
If memory serves there was some arguement about not dumping a user based on the name, because then you'd be able to mount a dictionary attack looking for valid user names .. ie.. administrator locked or invalid.. not dumping on just getting that "User" but waiting to deny after getting both user and password.
I think there was also some tiff about having different error messages which again leaked that the account was valid rather than invalid.
From the security standpoint, you don't want to give out *any* information unless both the user and password parts are valid.
On the rare occasion that I do supersede the administrator account, I only use it for as long as absolutely necessary - and of course I maintain a series of incredibly secure passwords for the account. I would never use the Administrator account as the day-to-day 'user' account.
(The question kind of forced an Aristotelian answer.)
(The question kind of forced an Aristotelian answer.)
You can also activate the hidden Admin account via the Local Policy Editor (equivelent to XP's Group Policy Editor)...
Open the Policy Editor (via Administrative Tool) Navigate to Local Policies > Security Options > "Accounts: Administrator account status"... open the properties for the policy entry and enable. You then need to log into said account to set password. Benefit to this way is that when ur PC hits a jam and you need the Admin account, no need to wait around while Windows builds the desktop configuration
Open the Policy Editor (via Administrative Tool) Navigate to Local Policies > Security Options > "Accounts: Administrator account status"... open the properties for the policy entry and enable. You then need to log into said account to set password. Benefit to this way is that when ur PC hits a jam and you need the Admin account, no need to wait around while Windows builds the desktop configuration
There isn't a Group or Local policy editor option in Vista Home ... and suspect the Win7 home is the same.. which means the command line for this would be the only way to enable the account easily.
- Keyboard Shortcuts:
- Prev
- Next
- Toggle
