Enable and disable the built-in administrator account
When manufacturing PCs, you can use the built-in Administrator account to run programs and apps before a user account is created.
Tip
This topic is about manufacturing PCs. For help with the admin account on your own PC, try one of these pages:
This account is used when you log into the system by using audit mode, or when you add scripts to the auditUser configuration pass.
Enabling the built-in administrator account
You can use any of the following methods to enable the built-in Administrator account:
- Use an answer file
- Log on by using audit mode
- Use the Local Users and Groups MMC (Server versions only)
Use an answer file
You can enable the built-in Administrator account during unattended installations by setting the AutoLogon
setting to Administrator in the Microsoft-Windows-Shell-Setup component. This will enable the built-in Administrator account, even if a password is not specified in the AdministratorPassword
setting.
You can create an answer file by using Windows System Image Manager (Windows SIM), which is available in the Assessment and Deployment Kit.
The following sample answer file shows how to enable the Administrator account, specify an Administrator password, and automatically log on to the system.
Note
Both the Microsoft-Windows-Shell-Setup\Autologon
section and the Microsoft-Windows-Shell-Setup\UserAccounts\AdministratorPassword
section are needed for automatic logon in audit mode to work. The auditSystem configuration pass must include both these settings.
The following XML output shows how to set the appropriate values:
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<AutoLogon>
<Password>
<Value>SecurePasswd123</Value>
<PlainText>true</PlainText>
</Password>
<Username>Administrator</Username>
<Enabled>true</Enabled>
<LogonCount>5</LogonCount>
</AutoLogon>
<UserAccounts>
<AdministratorPassword>
<Value>SecurePasswd123</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
</UserAccounts>
</component>
To prevent having to enter a password for the built-in Administrator account after you complete the out-of-box experience, set Microsoft-Windows-Shell-Setup\UserAccounts\AdministratorPassword
in the oobeSystem configuration pass.
The following XML output shows how to set the appropriate values:
<UserAccounts>
<AdministratorPassword>
<Value>SecurePasswd123</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
</UserAccounts>
Log on by using audit mode
If the computer has not yet gone through Out-Of-Box Experience (OOBE), you can enter the built-in Administrator account by re-entering audit mode. For more information, see Boot Windows to Audit Mode or OOBE.
Use the Local Users and Groups MMC (server versions only)
Change the properties of the Administrator account by using the Local Users and Groups Microsoft Management Console (MMC).
- Open MMC, and then select Local Users and Groups.
- Right-click the Administrator account, and then select Properties. The Administrator Properties window appears.
- On the General tab, clear the Account is Disabled check box.
- Close MMC.
Administrator access is now enabled.
Disabling the Built-in Administrator Account
For new installations, after the end user creates a user account in OOBE, the built-in Administrator account is disabled.
For upgrade installations, the built-in Administrator account remains enabled when there is no other active local administrator on the computer, and when the computer is not joined to a domain.
Use either of the following methods to disable the built-in administrator account:
Run the sysprep /generalize command
When you run the sysprep /generalize command, the next time that the computer starts, the built-in Administrator account will be disabled.
Use the net user command
Run the following command to disable the Administrator account:
net user administrator /active:no
You can run this command after you configure the computer and before you deliver the computer to a customer.
Original equipment manufacturers (OEMs) and system builders are required to disable the built-in administrator account before delivering the computers to customers. To do this, you can use either of the following methods.
Configuring the Built-in Administrator Password
When you run the sysprep /generalize command, Sysprep resets the built-in Administrator account password. The Sysprep tool only clears the built-in Administrator account's password for server editions, not for client editions. The next time that the computer starts, Setup displays a prompt for a password.