

Enable Built-in Administrator Account on Windows 10 - How to implement this

Are you trying to enable the built-in Administrator account?

This guide is for you.


The built-in Administrator is basically a setup and disaster recovery account. You should use it during setup and to join the machine to the domain. After that you should never use it again, so disable it.

Windows 10 installation creates a user account and grants local administrator privileges to this account.

However, it also creates another built-in (hidden) administrator account, which is disabled for security reasons.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform Windows queries.

In this context, we shall look into how to use the built-in Windows 10 Administrator account to enable or disable it and reset the password.


What is the Built-in Administrator Account on Windows?

We saw that the creation of an Administrator account happens automatically during Windows installation.

This is to initialize the operating system. 

However, it is then disabled and the user has to create their own account.

The built-in administrator account has full unlimited privileges on a computer.

We can enable UAC using the Group Policy option User Account Control: Admin Approval Mode for the Built-in Administrator account.

The built-in Administrator is disabled by default in Windows 10 and Windows Server 2016.

We cannot remove or exclude these accounts from the Administrators group.

However, a boot in Safe or Recovery Mode can enable the administrator account.

For security reasons, our Support Experts recommend renaming the built-in administrator account.

This can be done manually, using LAPS or the GPO parameter Accounts: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

Make sure to only enable the "Administrator" account if absolutely necessary to perform a specific task or troubleshoot.


How to Enable the Built-in Administrator Account on Windows 10?

The quickest and easiest way to activate the administrator account is from the command prompt with elevated privileges.

To do this, we run:

net user administrator /active:yes

The command completed successfully.

Also, we can use the PowerShell cmdlet to manage local accounts:

Get-LocalUser -Name "Administrator" | Enable-LocalUser

If our computer has a domain password complexity policy, we may see the following message when we try to enable the administrator account:

The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements.

In this case, before enabling the administrator account, we need to set a password for it:

net user administrator *

If we instead come across “The user name could not be found”, the administrator account on the computer has most likely been renamed.


We can find it by its known SID. Use the command:

wmic useraccount where "SID like 'S-1-5-%-500'" get name

In this case, the name is admin. To enable it, run:

net user admin /active:yes

In order to list all local accounts:

net user
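
The same SID lookup with the LocalAccounts cmdlets, as an added example that is not part of the original article: it finds the built-in account by its RID of 500 even after a rename and reports whether it is currently enabled, so the state can be confirmed before and after maintenance. The function name Get-BuiltinAdminState is hypothetical.

```powershell
# Added example (not from the original article). Get-BuiltinAdminState is a
# hypothetical helper name. Uses the Microsoft.PowerShell.LocalAccounts module
# (the same module that provides Get-LocalUser / Enable-LocalUser above).
function Get-BuiltinAdminState {
    # The built-in Administrator always has the SID S-1-5-21-<machine id>-500,
    # whatever the account has been renamed to.
    $admin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-(\d+-){3}500$' }
    if (-not $admin) {
        throw 'No local account with RID 500 was found.'
    }
    [pscustomobject]@{
        Name            = $admin.Name
        SID             = $admin.SID.Value
        # Assumes an English-language install, where the default name is "Administrator".
        Renamed         = $admin.Name -ne 'Administrator'
        Enabled         = $admin.Enabled
        PasswordLastSet = $admin.PasswordLastSet
        LastLogon       = $admin.LastLogon
    }
}

$state = Get-BuiltinAdminState
$state | Format-List

if ($state.Enabled) {
    # Addressing the account by SID works regardless of its current name.
    Write-Warning "Built-in administrator '$($state.Name)' is enabled. When the task is finished, run:"
    Write-Warning "  Disable-LocalUser -SID $($state.SID)"
}
```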

If we get a “System error 5 has occurred. Access is denied” when we try to enable the built-in Windows administrator, make sure that the cmd.exe or powershell.exe console is running as an administrator.


In addition, check that the account we are running the command from is a member of the local Administrators group.

To list the groups our account is a member of:

whoami /all

We can display a list of users in the local Administrators group in Windows using:

net localgroup administrators

This method to activate the built-in administrator account works in all Windows 10 editions.


However, the below methods are not applicable to Home editions of Windows 10:

1. Enter lusrmgr.msc in the search bar or in the command prompt to open the MMC snap-in Local Users and Groups.

2. In the console window, expand the Users section.

3. Find the account named Administrator and double-click it, then uncheck Account is Disabled.

4. Finally, save the changes.


We can enable the built-in administrator account through the local GPO:

1. Open the Local Group Policy Editor gpedit.msc (or secpol.msc).

2. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

3. Find the Accounts: Administrator account status policy and set it to Enabled.

4. Then update the Group Policy settings with the command: gpupdate /force or just reboot the computer.


Once done, the Administrator account will be displayed on the Windows logon screen.

To disable the built-in administrator account, use the command:

net user administrator /active:no


Lost Administrator Privileges (Password) on Windows 10

We might accidentally disable our user account with administrator privileges or remove the account from the local admin group.

Moving ahead, let's see how to enable the built-in Administrator or add our account to the local Administrators group.

On a domain computer, we can manage the list of users with administrator permissions using a GPO.

We need to boot our computer from a LiveCD or Windows 10 install media.

The easiest way to create a bootable USB stick with a Windows 10 install image is using the Media Creation Tool.

A command prompt will open when we hit Shift + F10 on the Windows Setup screen.

Here we need to determine which drive our Windows is installed on.

Run diskpart and enter list vol.

For instance, suppose it is on the C: drive.

Type exit to close the diskpart session.

Run the following commands to create a copy of utilman.exe and replace it with the executable cmd.exe:

copy c:\windows\System32\utilman.exe c:\
copy c:\windows\System32\cmd.exe c:\windows\System32\utilman.exe

Then reboot the computer:

wpeutil reboot

Boot Windows normally. On the Windows login screen, press the Win + U key combination.


A command prompt window will open.

To add our account, enable the built-in Windows administrator and reset its password, run the commands:

net localgroup administrators user1 /add
net user Administrator /active:yes
net user administrator *

Now we can log in to Windows under the built-in Administrator or our user account, which has the local administrator permissions.


Make sure to restore the original utilman.exe file afterwards.

Boot from the install media again and run the command:

copy c:\utilman.exe c:\windows\System32\utilman.exe
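
One way to confirm the restore, as an added example that is not part of the original article: it checks that System32\utilman.exe is no longer a copy of cmd.exe and that the backup left in the drive root matches the restored file. The function name Test-UtilmanRestored is hypothetical, the backup path is the one used above, and the script is meant for an elevated PowerShell session after booting Windows normally.

```powershell
# Added example (not from the original article). Test-UtilmanRestored is a
# hypothetical helper name; C:\utilman.exe is the backup path used above.
function Test-UtilmanRestored {
    param(
        [string]$System32 = (Join-Path $env:SystemRoot 'System32'),
        [string]$Backup   = 'C:\utilman.exe'
    )
    $utilman = Join-Path $System32 'utilman.exe'
    $cmd     = Join-Path $System32 'cmd.exe'

    $utilHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
    $cmdHash  = (Get-FileHash -Path $cmd -Algorithm SHA256).Hash

    $result = [pscustomobject]@{
        # True while utilman.exe is still byte-for-byte the command interpreter.
        UtilmanIsCmdCopy   = $utilHash -eq $cmdHash
        # Version resource of the file; a copy of cmd.exe reports a name starting with "Cmd".
        OriginalFilename   = (Get-Item $utilman).VersionInfo.OriginalFilename
        BackupStillPresent = Test-Path $Backup
        BackupMatches      = $null
    }
    if ($result.BackupStillPresent) {
        $backupHash = (Get-FileHash -Path $Backup -Algorithm SHA256).Hash
        $result.BackupMatches = $backupHash -eq $utilHash
    }
    $result
}

$check = Test-UtilmanRestored
$check | Format-List

if ($check.UtilmanIsCmdCopy -or $check.OriginalFilename -like 'Cmd*') {
    Write-Warning 'utilman.exe is still cmd.exe: Win + U on the logon screen still opens a command prompt.'
} elseif ($check.BackupStillPresent -and $check.BackupMatches) {
    Write-Output 'utilman.exe is restored; the backup C:\utilman.exe can now be deleted.'
} elseif ($check.BackupStillPresent) {
    Write-Warning 'C:\utilman.exe differs from System32\utilman.exe; verify which file is the original.'
}
```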




Conclusion

This article covers an easy way to activate the administrator account from a command prompt with elevated privileges. Windows 10 includes a built-in Administrator account that, by default, is hidden and disabled for security reasons. Sometimes, you need to perform a bit of Windows management or troubleshooting, or make changes to your account that require administrator access.

A default Windows 10 administrator password is not required; alternatively, you can enter the password for a local account and sign in.


To check whether you have the built-in Administrator account in Windows 10:

1. Right-click the name (or icon, depending on the version of Windows 10) of the current account, located at the top left part of the Start Menu, then click on Change account settings.

2. The Settings window will pop up and under the name of the account if you see the word "Administrator" then it is an Administrator account.


To reset the built-in Administrator account in Windows 10:

1. Boot from Windows 10 bootable CD/DVD or USB.

2. When the Install now screen shows up, click on Repair your computer > Advanced Options > Troubleshoot > Command Prompt.

3. Once you can boot into the command prompt, type "net user administrator /active:yes".


To enable hidden administrator:

1. Go to Security Settings > Local Policies > Security Options. 

2. The policy Accounts: Administrator account status determines whether the local Administrator account is enabled or not. 

3. Check the "Security Setting" to see if it is disabled or enabled. 

4. Double-click on the policy and select "Enabled" to enable the account.