
Accounts: Administrator account status

Applies to: Windows Server 2003, XP, Windows Server 2008
Default value: Disabled
Registry path: n/a

With this setting you can disable the built-in Administrator account on the local computer (in the case of local security policy) or, in the case of a group policy object, on all computers where the GPO is applied. This setting does not recognize the administrator account if you rename it.

Should you disable the Administrator account? Yes. No one should be logging on as Administrator; each admin should have his own account. This account should only be used in an emergency when there is no other way to log on to the system. Such an emergency should be rare, since you will normally be able to log on with any Domain Admin account. If this account is disabled and you must log on with it, you will need to reboot into Safe Mode, which allows you to log on as Administrator even if the account is disabled. That does mean that in such an emergency you will need physical access to the computer and will have to restart it. If this is not acceptable, do not disable the account.

Related to the issue of disabling Administrator is the decision about renaming Administrator.

By booting into Safe Mode you bypass this setting and can still log on as Administrator.

Interestingly, enabling or disabling Administrator in Computer Management updates this setting, as displayed in the Local Policy Object, accordingly. If this setting is defined in an Active Directory group policy object, the setting in Local Security Policy will be read-only but will faithfully display the actual status of the account. The next time group policy is reapplied, the account will be re-enabled or disabled according to the winning GPO in AD.

An administrator can temporarily override this setting by resetting the Disabled check box on the account's properties, but upon the next application of group policy, Windows will return the account to the status indicated by this policy, provided Group Policy's Security policy processing is configured to reapply policies even if they haven't changed.
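To check the state described above on a given machine, the following added example (not part of the original article) reports the built-in Administrator account's actual status next to the value the local security policy shows, and flags a machine where the account has been re-enabled. It assumes Windows PowerShell with `Get-WmiObject` and an elevated prompt; the variable `$DesiredEnabled` and the temporary file name are hypothetical choices made for this example.

```powershell
# Added example: audit the built-in Administrator account on the local computer.
# Assumption: the desired state is "disabled", as the article recommends.
$DesiredEnabled = $false

# The built-in Administrator always has RID 500, so match on the SID instead
# of the name. This still finds the account after it has been renamed.
$admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -match '^S-1-5-21-\d+-\d+-\d+-500$' }
if (-not $admin) { throw "No local account with RID 500 found." }

# Export the local security policy and read the value behind
# "Accounts: Administrator account status" (0 = disabled, 1 = enabled).
$cfg = Join-Path $env:TEMP 'admin-status-export.inf'   # constructed file name
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$line = Select-String -Path $cfg -Pattern '^\s*EnableAdminAccount\s*=\s*(\d)' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# $null means the export did not contain the setting at all.
$policyEnabled = $null
if ($line) { $policyEnabled = ($line.Matches[0].Groups[1].Value -eq '1') }

$accountEnabled = -not $admin.Disabled

New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    AccountName     = $admin.Name
    Renamed         = ($admin.Name -ne 'Administrator')
    AccountEnabled  = $accountEnabled
    PolicyShows     = $policyEnabled
    # The policy display should mirror the account, as the article describes.
    ViewsAgree      = ($null -ne $policyEnabled -and $policyEnabled -eq $accountEnabled)
    # False here means someone has overridden the recommended state, at least
    # until group policy is reapplied.
    MeetsBaseline   = ($accountEnabled -eq $DesiredEnabled)
}
```

Running it again after the next group policy refresh shows whether a GPO has put the account back into the state the policy dictates.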

This policy DOES affect the built-in Administrator domain account in Active Directory if the policy is enabled at the root of the domain in Default Domain Policy. It has no effect if enabled in Default Domain Controllers Policy.

Bottom line

You should probably enable this policy but please read this entire article before making that decision.
