Leave it disabled. There is no reason to use that account. Your personal
administrator account will work exactly the same. The built-in Administrator
(note the capitalization) account is for disaster recovery purposes only.

Jesper:

I usually recommend having two Admin gp user accts enabled in case one gets
locked out as happened to me recently (I usually set Acct Lockout Threshold
policy to 10 invalid attempts).

Also, I rename both Admin and Guest user accts.

I need to amend my previous post. Susan Bradley (Microsoft SBS MVP
http://msmvps.com/blogs/bradley) and Amy Babinchak (Microsoft ISA MVP
http://isainsbs.blogspot.com/) conspired to remind me of something this
morning. While the two scenarios I listed are the only ones in the OS (at
least they should be) where the Administrator account is treated differently
from any other administrator, there are other situations where the built-in
Administrator account is needed to perform some task.

Poorly written software sometimes does access checks based on the account
rather than based on group membership. Probably the most egregious example of
that is Microsoft's own Small Business Server (SBS) 2003, which basically
cannot be effectively administered from any other administrative account than
the built-in Administrator account. Amy related a story about a piece of
Belkin software that did the same, which Susan wrote up:
http://msmvps.com/blogs/bradley/arch...ve-rights.aspx

Do not take this to mean that you should re-enable the Administrator account
and use it on a regular basis. Rather, if software requires use of the
Administrator account take it as an indication that the software is broken
and needs to be fixed. If the vendor refuses to provide a version that works
properly, and there is no other vendor providing this functionality in a
properly working piece of software, then you should use the built-in
Administrator account to get it to work; but you would be well advised not to
make a habit of it.

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

Jesper, thanks for all your help on this! I reset the password for the
Administrator last night, and did all my driver and software installs using
the Administrator-group account. I didn't get any strange errors during the
driver installations, and all the software is working great. I may even try
to force a BSOD just so I can see how the safe mode/recovery option works
with the Administrator account.

I'm looking forward to the release of your Vista book! In the meantime,
I'll be visiting the hardware store to figure out how I can securely bolt my
computer to the floor and walls without it looking too rack-like! (laughs)

"Jesper" wrote:

I was shocked to see the local Admin account disabled and figured
there must be a special "tech" reason behind it.

Not really. There were really two main reasons it was disabled. First, far
too many people used that account on a daily basis, endangering themselves
when they were surfing the web by using an administrative account. This
contravened the principle of least privilege; and, as that account is exempt
from UAC, using it nullifies the benefits of UAC. Second, using a single
administrative account for all administrators violates the security principle
of accountability. It is not particularly hard to do so anyway as an
administrator, but why make it easier for people to avoid being tracked.
That's really all there was too it. The most important reason is that
Microsoft is finally trying hard to get people to run as a non-admin most of
the time.

The physical-theft concern is something I never would've considered-
thanks!!

You're welcome. It is important. I actually recommend to people in large
server farms to consider leaving the local Administrator password blank. I
figure those servers are locked up in racks and nobody can get physical
access to them. An account with a blank password cannot be used remotely
since XP, so leaving it blank may actually be far better than setting a weak
or crackable password on it. I know I would have been foiled, at least
temporarily, on more than one pen-test had the local admin account password
been blank.

So you're saying it's OK to enable the Administrator account, log
onto it, set a password for it, and then disable it again? (I don't like to
force a password reset from another account if I don't have to.) It won't
defeat any feature of Vista that expected a blank password (such as crash
recovery)?

Personally, I would just as soon reset it. That way you don't need to enable
the account at all. It's up to you though. You can also use a tool such as
passgen to manage that password:
http://www.protectyourwindowsnetwork.com/tools.htm

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

I may even try
to force a BSOD just so I can see how the safe mode/recovery option works
with the Administrator account.

You don't need to go to that length to try it. Just boot from your Vista DVD
and select "repair". That gives you an option to open a recovery console.

I'm looking forward to the release of your Vista book! In the meantime,
I'll be visiting the hardware store to figure out how I can securely bolt my
computer to the floor and walls without it looking too rack-like! (laughs)

You know you will have to take a picture of your creation and post it right!
:-)