Accounts Enable or Disable Built-in Administrator Account in Windows 11

  • Staff
Administrator_banner.png

Windows 11 includes a hidden built-in Administrator account that serves as the system administrator with elevated rights by default without needing Run as administrator or UAC (User Account Control) for elevation approval.

The built-in Administrator is not protected by a password by default, but you can add a password to the account to help prevent unauthorized users from signing in to the account.

The Administrator account has full control of the files, directories, services, and other resources on the local computer. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions.

The built-in Administrator account cannot be deleted or locked out, but it can be renamed, enabled, or disabled.

This tutorial will show you how to enable or disable the built-in Administrator account in Windows 11.


Anything that runs while signed in to this built-in Administrator account will also have the same full access elevated rights as the Administrator. This can be a security risk if you have malware or a virus while signed in to the built-in Administrator.

It is not recommended to use the built-in Administrator account as an everyday account.

It is recommended to only enable and use the built-in Administrator account as needed and disable it when finished.



Contents

  • Option One: Enable or Disable Built-in Administrator in Elevated Command Prompt
  • Option Two: Enable or Disable Built-in Administrator in Elevated PowerShell
  • Option Three: Enable or Disable Built-in Administrator in Local Users and Groups
  • Option Four: Enable or Disable Built-in Administrator in Local Security Policy
  • Option Five: Enable or Disable Built-in Administrator in Command Prompt at Boot


EXAMPLE: Administrator enabled on Sign in screen
Administrator_sign-in.jpg






OPTION ONE

Enable or Disable Built-in Administrator in Elevated Command Prompt


You must be signed in as an administrator to use this option.


1 Open an elevated Windows Terminal, and select Command Prompt.

2 Copy and paste the command below you want to using into the elevated command prompt, and press Enter. (see screenshots below)

(Enable)
net user Administrator /active:yes

OR

(Disable)
net user Administrator /active:no

If you had previously renamed the built-in "Administrator" account's name, then you will need to substitute Administrator in the command above with the new name instead.

If your Windows uses a different language than English, then you would need to substitute Administrator in the command above with the translation for your language instead.


3 When finished, you can close the elevated command prompt if you like.

Enable_Administrator_in_command_prompt.png

Disable_Administrator_in_command_prompt.png






OPTION TWO

Enable or Disable Built-in Administrator in Elevated PowerShell


You must be signed in as an administrator to use this option.


1 Open an elevated Windows Terminal, and select Windows PowerShell.

2 Copy and paste the command below you want to using into the elevated PowerShell, and press Enter. (see screenshots below)

(Enable)
Enable-LocalUser -Name "Administrator"

OR

(Disable)
Disable-LocalUser -Name "Administrator"

If you had previously renamed the built-in "Administrator" account's name, then you will need to substitute Administrator in the command above with the new name instead.

If your Windows uses a different language than English, then you would need to substitute Administrator in the command above with the translation for your language instead.


3 When finished, you can close the elevated PowerShell if you like.

Enable_Administrator_in_PowerShell.png

Disable_Administrator_in_PowerShell.png






OPTION THREE

Enable or Disable Built-in Administrator in Local Users and Groups


You must be signed in as an administrator to use this option.

Local Users and Groups is only available in the Windows 11 Pro, Enterprise, and Education editions.


1 Open Local Users and Groups (lusrmgr.msc).

2 Click/tap on the Users folder in the left pane, and double click/tap on Administrator in the middle pane. (see screenshot below)

Administrator_in_lusrmgr-1.png

3 In the General tab, check (disable) or uncheck (enable) the Account is disabled box for what you want, and click/tap on OK. (see screenshot below)

Administrator_in_lusrmgr-2.png

4 You can now close Local Users and Groups if you like.





OPTION FOUR

Enable or Disable Built-in Administrator in Local Security Policy


You must be signed in as an administrator to use this option.

Local Security Policy is only available in the Windows 11 Pro, Enterprise, and Education editions.


1 Open Local Security Policy (secpol.msc).

2 Expand open the Local Policies folder in the left pane, click/tap on the Security Options subfolder in the left pane, and double click/tap on Accounts: Administrator account status in the right pane. (see screenshot below)

Administrator_in_secpol-1.png

3 In the Local Security Setting tab, select (dot) Enabled or Disabled for what you want, and click/tap on OK. (see screenshot below)

Administrator_in_secpol-2.png

4 You can now close Local Security Policy if you like.





OPTION FIVE

Enable or Disable Built-in Administrator in Command Prompt at Boot


This option is good to use when you do not have another administrator account to sign in with, or unable to sign in to Windows 11.


1 Open a command prompt at boot.

2 Type regedit into the command prompt at boot, and press Enter. (see screenshot below)

Administrator_in_command_prompt_at_boot-1.png

3 Click/tap on the HKEY_LOCAL_MACHINE key in the left pane of Registry Editor. (see screenshot below)

Administrator_in_command_prompt_at_boot-2.png

4 Click/tap on File on the menu bar, and click/tap on Load Hive. (see screenshot below)

Administrator_in_command_prompt_at_boot-3.png

5 In the Load Hive dialog, open the drive (ex: C: or D:) that Windows 11 is installed on, and navigate to the location below. (see screenshot below)

The drive letter (ex: C) will not always be the same at boot as it is from within Windows 11.

It will not be the Boot (X:) drive.


C:\Windows\System32\config

Administrator_in_command_prompt_at_boot-4.png

6 Select the SAM file inside the config folder, and click/tap on Open. (see screenshot below)

Administrator_in_command_prompt_at_boot-5.png

7 In the Load Hive dialog, type REM_SAM, and click/tap on OK. (see screenshot below)

Administrator_in_command_prompt_at_boot-6.png

8 Navigate to and open the key below the left pane of Registry Editor. (see screenshot below)

HKEY_LOCAL_MACHINE\REM_SAM\SAM\Domains\Account\Users\000001F4

Administrator_in_command_prompt_at_boot-7.png

9 In the right pane of the 000001F4 key, double click/tap on the F binary value to modify it. (see screenshot above)

10 Do step 11 (Enable) or step 12 (disable) below for what you want.


11 Enable Built-in Administrator Account

A) In the first column of row line 00000038, change 11 to 10, click/tap on OK, and go to step 13 below. (see screenshot below)​

You would do this by clicking to the left of 11 to place the cursor there, press the Delete key, then type 10.


Administrator_in_command_prompt_at_boot-8.png


12 Disable Built-in Administrator Account

A) In the first column of row line 00000038, change 10 to 11, click/tap on OK, and go to step 13 below. (see screenshot below)​

You would do this by clicking to the left of 10 to place the cursor there, press the Delete key, then type 11.


Administrator_in_command_prompt_at_boot-9.png


13 Close Registry Editor and the command prompt at boot.

14 Click/tap on Continue to startup back in Windows 11. (see screenshot below)

Administrator_in_command_prompt_at_boot-10.png


That's it,
Shawn Brink
 

Attachments

  • Administrator.png
    Administrator.png
    17.2 KB · Views: 26
Last edited:
Top Bottom