Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Windows 10 / How to Enable/Disable the Built-in Administrator Account in Windows

May 15, 2025

How to Enable/Disable the Built-in Administrator Account in Windows

When you perform a clean installation of Windows, the system prompts you to create a user account and automatically grants it local administrator privileges. However, Windows installation creates another built-in (hidden) Administrator account that is disabled by default. In this article, we’ll look at the built-in Windows Administrator account, what it’s used for, how to enable or disable it, and how to reset its password.

Contents:
  • What is the Built-in Administrator Account in Windows
  • How to Enable the Built-in Administrator Account on Windows
  • Reset Admin Password When Administrator Privileges Are Lost

What is the Built-in Administrator Account in Windows

The Administrator account is automatically created during Windows installation and is used to initialize the operating system. This built-in account is then disabled, and the user is prompted to create their own account, which is automatically added to the local Administrators group.

For security reasons, the built-in Administrator account should always be disabled in most cases. This account may be needed in rare cases when there are no other users with administrative privileges on the computer, for system recovery or troubleshooting, to reset passwords, to add other admin accounts, and so on.

In earlier versions of Windows, the built-in Administrator account had full administrative privileges and was not affected by the User Account Control (UAC) restrictions. This made it possible to run programs or perform any action with elevated privileges without any restrictions or prompts from the UAC.

Starting with Windows 10 version 1709 and later, even the built-in Administrator account receives UAC prompts and must confirm elevation when performing administrative tasks. To disable UAC for this account, disable the local GPO option User Account Control: Admin Approval Mode for the Built-in Administrator account.

The built-in Administrator account in Windows is disabled by default. This user cannot be deleted or removed from the local Administrators group.

The following error occurred while attempting to save properties for user Administrator:
Cannot perform this operation on built-in accounts.

cannot delete builtin administrator in windows

For security reasons, it is recommended to rename this built-in administrator account. This can be done manually, using LAPS, or using the GPO option Accounts: Rename administrator account under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options

Renaming the Administrator account slightly increases its security against password brute-force attacks.  However, the built-in Administrator account always has a well-known Security Identifier (SID), S-1-5-domain-500which can be used to find out the new name of the administrator account.

Tip. By default, the Administrator password is not set (blank).

hidden admiinstrator account on windows 10

Important. Microsoft doesn’t recommend keeping the Administrator account enabled or using it for daily tasks.  You should only enable the Administrator account when it is absolutely necessary to perform a specific task or troubleshoot a problem. Never use it to automatically log on to Windows.

How to Enable the Built-in Administrator Account on Windows

Let’s look at simple ways to enable еру built-in Administrator account in Windows 11 and 10. You can:

  • Activate the Administrator account from the command prompt (started in Run as Administrator mode): net user administrator /active:yes enable built-in admin on windows 10 using cmd: net user administrator /active:yes
  • Use PowerShell to enable local account: Get-LocalUser -Name "Administrator" | Enable-LocalUser
  • With the Local Users and Groups graphical MMC snap-in ( lusrmgr.msc ). In the console, expand the Users section. Open the properties of the account named Administrator and uncheck the Account is Disabled checkbox. Save the changes. windows 10 enable built-in admin
  • Using the Group Policy Editor. Open the local GPO editor gpedit.msc (or the local security policy editor secpol.msc ). Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Find the Accounts: Administrator account status policy and set it to Enabled.  Update the Group Policy settings with the gpupdate /force command, or simply reboot a computer. Accounts: Administrator account status policy

As mentioned earlier, the built-in Administrator account does not have a password by default. You can set the administrator account password by using the command:

net user administrator *

can't enable the built-in administrator - The password does not meet the password policy requirements

Or from the user management snap-in (Set Password)

set builtin administrator password

It is recommended to use a complex and strong password that complies with the default Windows password policy (you can generate it using a simple PowerShell script).

If the previous command returns The user name could not be found, the administrator account on the computer has probably been renamed.

You can find out the name of the built-in administrator account on your computer by looking at its known SID ( it must have -500at the end of the SID). Use the command:

wmic useraccount where "SID like 'S-1-5-%-500'" get name

or

Get-LocalUser | Where-Object {$_.Sid -Like "*-500"}

how to check built-in windows administrator account name by well-known SID 500

In this case, the built-in account has been renamed to admin. To enable it, run:

net user admin /active:yes

To list all local accounts:

net user

If you receive the message System error 5 has occurred. Access is denied when trying to enable the built-in Administrator , make sure that the cmd.exe or PowerShell console is running elevated (as an administrator). Also, ensure that your account is a member of the local Administrators group.

net user administrator /active:yes ACCESS IS DENIED

List users in the local Administrators group:

net localgroup administrators
net localgroup administrators - list members of a Windows group using cmd.

Check that your account is a member of this group.

In this example, there are only two accounts in the Administrators group. If you don’t know the password for any of them, then you don’t have administrator rights on the computer. To enable the built-in Administrator account and grant your user local administrator privileges, see the next section of this article.

After enabling the Administrator account using one of the methods described above, it will appear on the Windows logon screen.

To disable the built-in administrator:

net user administrator /active:no

If you are using a localized version of Windows in a language other than English, the name of the built-in Administrator account may be different.

If you enabled the built-in Administrator through the Accounts: Administrator account status policy, you must disable it through the same policy (or completely reset all local GPO settings).

Reset Admin Password When Administrator Privileges Are Lost

There are situations where you might accidentally disable your administrator account, remove it from the local Administrators group, or lose its password. How to regain local administrator privileges? Let’s look at how to enable the built-in Administrator account, reset its password, or add your account to the local Administrators group if you’re unable to log in to Windows.

Boot your computer from a LiveCD, into WinRE recovery environment, from an MSDaRT recovery image, or a Windows installation media. The easiest way to create a bootable USB stick with a Windows 10 (11) installation image is to use the Media Creation Tool.

Press Shift + F10 on the Windows Setup screen. A command prompt will open

windows 10 setup screen

Now you need to determine which drive your Windows is installed on. Run diskpart and enter list vol. In my example, Windows is on the C: drive. I will use this drive letter in the following commands. Type exit to close the diskpart session.

list partiions in winpe mode

Run the following commands to create a copy of utilman.exe (Ease of Access applet) and replace it with the cmd.exe executable:

copy c:\windows\System32\utilman.exe c:\
copy c:\windows\System32\cmd.exe c:\windows\System32\utilman.exe

Restart a computer:

wpeutil reboot

replace utilman with cmd on windows

Boot Windows normally. On the Windows login screen (with the list of accounts), press Win + U (or click the Ease of Access/ Accessibility button).

Click Easy of access/ Accessibility butto on logon screen to run utilman.exe

This will open a command prompt with NT Authority\SYSTEM privileges. List local users:

net user

net user: list local accounts

To add your account to the local Administrators group (for example, user1), enable the built-in Windows administrator and reset its password:

net localgroup administrators user1 /add
net user Administrator /active:yes
net user administrator *

windows 10 reset admin password from login screen via utilman.exe

Learn more about how to reset a Windows administrator password.

You can now log on to the computer as the built-in Administrator or using your account with local administrator privileges.

Be sure to replace the original utilman.exe file. Boot from the rescue media again and run the command:

copy c:\utilman.exe c:\windows\System32\utilman.exe

On domain-joined computers, you can use Group Policy to manage membership in the local Administrators group.
4 comments
6
Facebook Twitter Google + Pinterest
Windows 10Windows 11
previous post
Mapping Network Drives (Shared Folders) via Group Policy
next post
Configuring Password Policy in Active Directory Domain

Related Reading

How to Repair Windows Boot Manager, BCD and...

March 11, 2024

PowerShell: Get Folder Size on Windows

April 2, 2024

Fix: The Computer Restarted Unexpectedly or Encountered an...

May 16, 2024

Fixing “Winload.efi is Missing or Contains Errors” in...

March 16, 2024

How to Download Offline Installer (APPX/MSIX) for Microsoft...

March 12, 2024

Windows Doesn’t Automatically Assign Drive Letters

March 15, 2024

How to Clean Up System Volume Information Folder...

March 17, 2024

Protecting Remote Desktop (RDP) Host from Brute Force...

February 5, 2024

4 comments

Jennifer Young February 1, 2017 - 6:22 pm

For all of the commands, I got a message indicating Access denied.

Its all about the built in administrator password. I inherited a work machine and I can’t get past anything to get stuff installed without this password. I have no access to the person that may have set this password up. Any help would be SO appreciated!

Jennifer

Reply
patricia March 26, 2021 - 8:11 am

U have allowed someone to be Admintrator of my PHINE IW I CAN’T ACCESS IT OR CONTROL I BSRELY HAD THE PHONE WHEN APPS HIDDEN , EMAILS PASSCODES AND ACCTS HAVE BEEN COMPROMISIZE . PLZ HELP ME GET THiS PHONE F I X THIS US MY SECOND PHONE TO BE COMPROMIZED

Reply
Arian van der Pijl December 29, 2024 - 6:12 pm

I think the boot in safe mode / enable built-in Administrator doesn’t work for Windows 11 anymore?

Reply
Adam April 17, 2025 - 1:30 pm

This method when you are locked out does not work. Windows+U let me enter one command, then fails to open ever again.

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • How to Repair EFI/GPT Bootloader on Windows 10 or 11
  • How to Restore Deleted EFI System Partition in Windows
  • Network Computers are not Showing Up in Windows 10/11
  • Install and Manage Windows Updates with PowerShell (PSWindowsUpdate)
  • How to Download Offline Installer (APPX/MSIX) for Microsoft Store App
  • Updating List of Trusted Root Certificates in Windows
  • Fix: Windows Cannot Connect to a Shared Printer
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top