Administrator Elevation- one of Win11's most disruptive changes?

hdmi · Feb 22, 2022

The built-in administrator account should normally NOT be used. It is there to still be able to gain access in the possible event that the "non built-in" administrator account that the people who need that access should be using instead gets corrupted and/or becomes unusable somehow, i.e. only as a last resort. The only other reason why you'd want to temporarily enable the built-in admin account and log in to it that I can think of is, if the public desktop folder of that account is giving you troubles with how the dektop virtual folder behaves under other user accounts. Aside from that, keep the built-in admin account disabled unless you're looking to jinx the computer on purpose, like, and etc..

As for the snippet that reads "Running as a standard user helps to maximize security for a managed environment". For a managed environment. What that basically means is, if management can't figure a way to grant access to things you need to do your job, then if management complains to you about it, you should ask management to lead by example and teach you how to do your job, i.e. by showing you how it's done, and showing how it can be done on your work computer without access. Just trust me about it, they will come around soon enough!

radsdau · Feb 22, 2022

hdmi said:
The built-in administrator account should normally NOT be used.

How do you propose using the main user account as 'Standard' and still being able to administer the system, without having an Administrator account?

hdmi · Feb 23, 2022

radsdau said:
How do you propose using the main user account as 'Standard' and still being able to administer the system, without having an Administrator account?

What do you mean, without having an administrator account? Having an administrator account is what's actually recommended for this purpose.

Try3 · Feb 24, 2022

radsdau said:
How do you propose using the main user account as 'Standard' and still being able to administer the system, without having an Administrator account?

HDMI is correct. The Admin account to use for Admin purposes is one of those you have created yourself.

The Built-in Admin was created for one purpose only - to appear as a login option at the Safe mode login screen if Windows detects that there are no functional user-created Admin accounts on the computer.
- Do note that the Built-in Admin is no more powerful than Admin accounts you create yourself.

All the best,
Denis

radsdau · Feb 24, 2022

Try3 said:
HDMI is correct. The Admin account to use for Admin purposes is one of those you have created yourself.

The Built-in Admin was created for one purpose only - to appear as a login option at the Safe mode login screen if Windows detects that there are no functional user-created Admin accounts on the computer.

That makes sense, thanks for the description. Is that part of MCSE training? I've not come across it before (obviously). Should it have 'no password'?

Try3 · Feb 24, 2022

I have never heard of MCSE.

The Built-in Admin has no password by default. And there is no point setting one because you will keep it disabled anyway.

The function of the Built-in Admin is described in Administrator account status, Safe mode considerations - MSDocs

MS said:
How to access a disabled Administrator account
You can use the following methods to access a disabled Administrator account:
- For non-domain joined computers: when all the local administrator accounts are disabled, start the device in safe mode (locally or over a network), and sign in by using the credentials for the default local administrator account on that computer.

All the best,
Denis

radsdau · Feb 25, 2022

Try3 said:
I have never heard of MCSE.

The Built-in Admin has no password by default. And there is no point setting one because you will keep it disabled anyway.

The function of the Built-in Admin is described in Administrator account status, Safe mode considerations - MSDocs

All the best,
Denis

MCSE = Microsoft Certified Systems Engineer (or Solutions Expert, depending on who you ask). I guess it's an older certification MS did. Thanks for the link to that page!

hdmi · Feb 25, 2022

In the example from the video that I linked in my previous reply, if you don't want the Command window to remain open until the program is closed, you could modify the command like this:

Code:

runas /user:Apps /savecred "cmd /c start \"\" \"C:\Program Files\MyReport BE\Server\ServerManager.exe"""

Please remember, after the credentials are saved in Credential Manager, the standard user can use the runas /savecred /user:Apps "command to run" command to run and access anything they want on the computer with the same rights as the admin account. Although it is possible to set NTFS permissions (ACL) to deny access to sensitive filesystem objects for the specific admin account in question and although it also is possible to also apply settings via Group Policy to deny this same admin account to take ownership of objects so as to add further protections still, any member of the Administrators group can undo these additional protections nevertheless. Essentially, you shouldn't give admin rights to a standard user if you don't trust the user the same way that you would trust an admin.

In the comments section below this article, on October 16, 2021 - 5:07 pm, someone named ERIC commented:

Code:
You can convert the credential object password to plaintext by using the following.

Code:

$cred = Get-StoredCredential -Target Test1 [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password))

EDIT: as an attempt to work your way around the issue of potential abuse, you could decide to use a 3rd party tool like RunAsSpc or RunAsRob in lieu of using the runas built-in tool. But this doesn't solve the initial problem, that the standard user will still be able to modify rights, purposely, to bypass security restrictions like I said.