Enable real Administrator & set password so I can install drivers/software?



 
 
  #1 (permalink)  
Old April 2nd 07, 05:30 PM posted to microsoft.public.windows.vista.security
Thomas H
external usenet poster
 
Posts: 7
Default Enable real Administrator & set password so I can install drivers/software?

Hello everyone,

I've always used Windows as a "limited user". When I needed to update
drivers, install software, or configure security, I would log in as the
local Administrator, perform that work, and log back in as my limited user
account.

I planned to do the same at home with Vista- but after installing Vista
Ultimate, I saw that it disabled the real Administrator account. I created
another account for myself as a standard user. The machine now has three
accounts- the disabled "real" Administrator, my Administrator-group account,
and my standard-user account.

Should I enable the real Administrator account, set a password for it, and
install my drivers and software? Then I could delete that
Administrator-group "second" account, and just have two accounts on the
machine- real Admin and standard user.

Or should I leave the real Administrator account disabled and do my setup
with the second Administrator-group account?

I read something about the real Administrator account becoming enabled if
Windows had to boot into safe mode; should the real admin be left disabled
without a password?

Thanks!


  #2 (permalink)  
Old April 2nd 07, 06:15 PM posted to microsoft.public.windows.vista.security
Rafael R. [Live Butterfly]
external usenet poster
 
Posts: 9
Default Enable real Administrator & set password so I can install drivers/software?

You won't need that account. By default, Vista will attempt to elevate
(and inform you via UAC) when installing applications.

- Rafael



  #3 (permalink)  
Old April 2nd 07, 06:50 PM posted to microsoft.public.windows.vista.security
Thomas H
external usenet poster
 
Posts: 7
Default Enable real Administrator & set password so I can install drivers/software?

I'm sorry for the confusion; I do understand UAC. I plan, no matter what,
to use a Limited User Account (LUA, not in the Administrators group) for my
daily computer use.

My question is mainly about whether or not I should enable the real
Administrator account and set a strong password for it, or if I should leave
the real Administrator account disabled?

Thanks!



  #4 (permalink)  
Old April 2nd 07, 07:47 PM posted to microsoft.public.windows.vista.security
Alun Harford
external usenet poster
 
Posts: 141
Default Enable real Administrator & set password so I can install drivers/software?



In Vista, the Administrator account is enabled if:
a) There are no other administrator accounts on the machine, and
b) You're logging in in safe mode.

This is so that if you delete all the administrator accounts, you can
recover the machine without wiping everything.

Note that you probably don't want to use two accounts - UAC solves those
security issues in a much more elegant way.

Alun Harford
  #5 (permalink)  
Old April 2nd 07, 09:08 PM posted to microsoft.public.windows.vista.security
Keith Patrick
external usenet poster
 
Posts: 69
Default Enable real Administrator & set password so I can install drivers/software?

Keep a backup account. Safe Mode is supposed to re-enable the built-in admin
account in a bind, but it's got a bug where if you've got a non-welcome
screen (and hence unaccessible) admin account - such as a Media Center
Extender account - Safe Mode will not re-enable the built-in admin, and you
will be locked out.


  #6 (permalink)  
Old April 3rd 07, 04:54 AM posted to microsoft.public.windows.vista.security
Jesper
external usenet poster
 
Posts: 839
Default Enable real Administrator & set password so I can install driv

Leave it disabled. There is no reason to use that account. Your personal
administrator account will work exactly the same. The built-in Administrator
(note the capitalization) account is for disaster recovery purposes only.

If your computer is NOT physically secured (such as a laptop or a business
computer) then you should absolutely set a password on the Administrator
account; and write that password down on something secure that you store away
in a safe place. A great option is to pick a relatively long (20-25
characters) phrase as the password, write it on a piece of paper, and put it
in a safe.

In prior versions of Windows there were special powers granted to the
Administrator that "regular" administrators did not have. With only two
exceptions that I am aware of, that is no longer the case. The two exceptions
are:
1. The Administrator account is not subject to User Account Control. All
other administrators, except for the Administrator account on a domain, if
any, are.
2. If there are no other local administrators on the computer, then the
Administrator account can log on to the recovery console even if it is
disabled. A user that is a member of the Administrators group cannot do that
if it is disabled.

I am not aware of any other special powers granted to Administrator that
other members of the Administrators group do not have.

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20





  #7 (permalink)  
Old April 3rd 07, 01:52 PM posted to microsoft.public.windows.vista.security
Thomas H
external usenet poster
 
Posts: 7
Default Enable real Administrator & set password so I can install driv

Jesper, thanks! I probably should've mentioned that I'm well-versed in
2k/XP/2k3 workstation+server+domain security. I'm just not sure what
the proper procedures are for Vista, especially one that isn't joined to a
domain- and I don't want to do something "old school" that ruins a new
feature. I was shocked to see the local Admin account disabled and figured
there must be a special "tech" reason behind it. (I've already enabled
"hide last user name" in local security policy to get rid of the cute
Welcome screen.)

The physical-theft concern is something I never would've considered-
thanks!! So you're saying it's OK to enable the Administrator account, log
onto it, set a password for it, and then disable it again? (I don't like to
force a password reset from another account if I don't have to.) It won't
defeat any feature of Vista that expected a blank password (such as crash
recovery)?

Thanks,

-T






  #8 (permalink)  
Old April 3rd 07, 02:05 PM posted to microsoft.public.windows.vista.security
Thomas H
external usenet poster
 
Posts: 7
Default Enable real Administrator & set password so I can install drivers/software?

Keith, wow, thanks, I didn't see that one on the 'net!! Looks like I'll
definitely keep that second account (in the Administrator-group) around.
Maybe I'll even make a third; couldn't hurt!

Thanks!!

-T





  #9 (permalink)  
Old April 3rd 07, 02:10 PM posted to microsoft.public.windows.vista.security
Jesper
external usenet poster
 
Posts: 839
Default Enable real Administrator & set password so I can install driv

> I was shocked to see the local Admin account disabled and figured
> there must be a special "tech" reason behind it.


Not really. There were really two main reasons it was disabled. First, far
too many people used that account on a daily basis, endangering themselves
when they were surfing the web by using an administrative account. This
contravened the principle of least privilege; and, as that account is exempt
from UAC, using it nullifies the benefits of UAC. Second, using a single
administrative account for all administrators violates the security principle
of accountability. It is not particularly hard to do so anyway as an
administrator, but why make it easier for people to avoid being tracked?
That's really all there was to it. The most important reason is that
Microsoft is finally trying hard to get people to run as a non-admin most of
the time.

> The physical-theft concern is something I never would've considered-
> thanks!!


You're welcome. It is important. I actually recommend to people in large
server farms to consider leaving the local Administrator password blank. I
figure those servers are locked up in racks and nobody can get physical
access to them. An account with a blank password cannot be used remotely
since XP, so leaving it blank may actually be far better than setting a weak
or crackable password on it. I know I would have been foiled, at least
temporarily, on more than one pen-test had the local admin account password
been blank.

> So you're saying it's OK to enable the Administrator account, log
> onto it, set a password for it, and then disable it again? (I don't like to
> force a password reset from another account if I don't have to.) It won't
> defeat any feature of Vista that expected a blank password (such as crash
> recovery)?


Personally, I would just as soon reset it. That way you don't need to enable
the account at all. It's up to you though. You can also use a tool such as
passgen to manage that password:
http://www.protectyourwindowsnetwork.com/tools.htm

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20
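
Added example (not part of the original thread or any poster's code): a read-only PowerShell audit of the points discussed above. It reports whether the built-in Administrator, identified by its RID 500 SID rather than its name, is disabled, and whether at least one other enabled local account is in the Administrators group as a backup. It assumes PowerShell 2.0 or later on a standalone or member machine.

```powershell
# Added example: read-only audit of local administrator accounts.
$computer = $env:COMPUTERNAME
$accounts = @(Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True")

# The built-in Administrator is identified by RID 500, even if it was renamed.
$builtin = $accounts | Where-Object { $_.SID -like 'S-1-5-21-*-500' }

# Find the Administrators group by its well-known SID; its name is localized.
$group = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$adsi  = [ADSI]"WinNT://$computer/$($group.Name),group"

# Keep only members that are local to this machine and reduce them to names.
$localAdminNames = @($adsi.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
} | Where-Object { $_ -like "*/$computer/*" } | ForEach-Object { $_.Split('/')[-1] })

# Enabled local user accounts in Administrators, other than the built-in one.
$backupAdmins = @($accounts | Where-Object {
    ($localAdminNames -contains $_.Name) -and
    ($_.SID -ne $builtin.SID) -and
    (-not $_.Disabled)
})

"Built-in Administrator : {0} (disabled: {1})" -f $builtin.Name, $builtin.Disabled
"Other enabled admins   : {0}" -f (($backupAdmins | ForEach-Object { $_.Name }) -join ', ')

if (-not $builtin.Disabled) {
    # Per the thread, this account is not subject to User Account Control.
    Write-Warning "Built-in Administrator is enabled; it is not subject to UAC."
}
if ($backupAdmins.Count -eq 0) {
    # Per the thread, keep a second administrator account for recovery.
    Write-Warning "No other enabled local administrator; keep a backup admin account."
}

# To set a password without enabling the account (prompts; run elevated):
#   net user <built-in administrator name> *
```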

  #10 (permalink)  
Old April 3rd 07, 03:58 PM posted to microsoft.public.windows.vista.security
Keith Patrick
external usenet poster
 
Posts: 69
Default Enable real Administrator & set password so I can install drivers/software?

To my knowledge, I'm the only one who has been hit by this one (I had to
send my SAM file in to Microsoft to fix!). A few folks have gotten burned on
the disabled built-in admin, but those people were able to use Safe Mode to
get in. I had unfortunately just set up my Xbox 360 MCE stuff the day
before.

 



