Thursday, February 22, 2007

Windows Vista : Built in administrator account disabled - Feature or Bug

Yes WOW is now.
So here comes the Windows Vista with its enhanced UI features and tighten security.
Its beautiful its awesome to use. Vista search rocks so does the office 2007 .
IE7 is great. I dont usually use firefox now (though I use flock sometimes) 90% of the time I use IE now. Media player and media center are better than ever. Windows mail is same as before not much improved except that UI is nicer and junk mail filter. Outlook is very very improved btw.
Anyways everybody is singing these words now a days so I need not talk about this any more.

Though I like all above features still I'm furious about the so called security enhancements. Particularly about the Disabled default administrator account.
On my Vista Ulmtimate I had 2 admin account. One obviously that default admin and one of my own restricted admin. Everything was going great without any problem till the day I thought of using much hyped vista standard accounts so I demoted my account to standard user. Every thing was ok till I realized I did the biggest mistake of my OS life time. I didn't have a admin account now because that precious built in admin is disabled now. Even in safe mode I can't access that account..
I dont blame myself for the silly mistake 'coz I used to recover easily from similiar problem in XP.

LOL in my linux unix days I always had some backdoor to recover from the injury but now I'm totally scrwed up. I dont wanna reinstall my whole system. Its a big trouble for me at the moment.

Vista team did a great work over this whole new operating system. Kudos to them, but they forgot to take care of this edge case scenario which is not really an edge case..

Looking forward for the solution of this problem soon

Referred links:
http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx
http://blogs.msdn.com/uac/archive/2006/08/27/727741.aspx

Author : Smoke'N Ashes // 12:11 PM
Category:

3 comments:

Anonymous said...

Shouldn't it be possible to just enable the built-in administrator account via Control Panel - Administrative Tools - Computer Management - System Tools - Local Users and Groups - Users - double-click "Administrator" - Uncheck "Account is disabled"

Anonymous said...

not in home premium. id post a screenie but i doubt this board will let me. anyway, computer management(in at least home premium) doesnt even give you the option for Lusers and groups. =/ cant even get to it with the mmc. which means the only way to enable the account(from everything ive seen) is to reinstall using the unattended install process and adding some code to the answer file.

[i][b]Enable and Disable the Built-in Administrator Account
In Windows Vista, the built-in administrator account is disabled by default. In previous versions of Windows, an Administrator account was automatically created during Out-of-Box-Experience (OOBE) with a blank password.

An Administrator account with a blank password is a security risk. To better protect the system, the built-in Administrator account is disabled by default in all clean installations and upgrades of Windows Vista.

Note:
For upgrade installations, the built-in Administrator account is kept enabled when there is no other active local Administrator on the computer. However, the built-in Administrator account is disabled by default for new installations and upgrades on domain-joined computers, regardless of whether there are other active local Administrators on the domain-joined computers.


In audit mode, Windows Setup will implicitly enable the built-in Administrator account as the last action in the auditSystem configuration pass if the built-in Administrator is not already enabled. The first action in the auditUser configuration pass is to disable the built-in Administrator account. This enables you to run programs and applications as an Administrator. When you complete your customizations in audit mode and log out, the built-in Administrator account will be disabled. Unless you want to explicitly leave built-in Administrator account enabled, there’s no need to re-enable the built-in Administrator account in audit mode.

Enable the Built-in Administrator Account
There are two ways to enable the built-in Administrator account.

• Use the AutoLogon unattended Setup setting

You can enable the built-in Administrator account during unattended installations by setting the AutoLogon setting to Administrator in the Microsoft-Windows-Shell-Setup component. This will enable the built-in Administrator account, even if a password is not specified in the AdministratorPassword setting.

You can create an answer file by using Windows System Image Manager (Windows SIM).

The following sample answer file. shows how to enable the Administrator account, specify an Administrator password, and automatically log onto the system.

-OR-

• Use the Local Users and Groups MMC console

Change the properties of the Administrator account by using the Local Users and Groups MMC console.

1.
Open the MMC console and select Local Users and Groups.

2.
Right-click the Administrator account and select Properties. The Administrator Properties window appears.

3.
On the General tab, clear the Account is Disabled box.

4.
Close the MMC console.


Administrator access is now enabled.


Disabling the Built-in Administrator Account
Original equipment manufacturers (OEMs) and system builders are required to disable the built-in Administrator account before delivering the computers to customers.

• Run the sysprep /generalize command

When you run the sysprep /generalize command, all account information is removed from the computer, including the built-in Administrator.

The next time the computer starts, the built-in Administrator account will be disabled.

-OR-

• Use the net user command

Run the following command to disable the Administrator account.

net user administrator /active:no
You can run this command after configuring the computer, before delivering the computer to a customer.[/i][/b]

irritating i tells ya =(

heres the addy to the article

http://technet2.microsoft.com/WindowsVista/en/library/9fe3a3eb-01ec-47d4-abac-227bd6d8490f1033.mspx?mfr=true

Anonymous said...

to ENABLE your VISTA home premium ADMINISTRATOR acccount
Use the net user command

right click the COMMAND PROMPT shortcut and click "run as administrator"

Then Run (without the quotes) the following command to enable the Administrator account.

"net user administrator /active:yes"

VERY IMPORTANT - then LOG off|
and then back on with the ADMINISTRATOR account and CREATE a password for the ADMINISTRATOR account OR you will have a BIG GAPPING security hole..
now you can access ALL files such as cookies and APP DATA folders with the ADMINISTRATOR account...

Happy hacking
g-luck

 

Google Analytics

Popular Posts

Powered by Blogger.