Accounts Enable or Disable Built-in Administrator Account in Windows 11


  • Staff
Administrator_banner.png

Windows 11 includes a hidden built-in Administrator account that serves as the system administrator with elevated rights by default without needing Run as administrator or UAC (User Account Control) for elevation approval.

The built-in Administrator is not protected by a password by default, but you can add a password to the account to help prevent unauthorized users from signing in to the account.

The Administrator account has full control of the files, directories, services, and other resources on the local computer. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions.

The built-in Administrator account cannot be deleted or locked out, but it can be renamed, enabled, or disabled.

This tutorial will show you how to enable or disable the built-in Administrator account in Windows 11.


Anything that runs while signed in to this built-in Administrator account will also have the same full access elevated rights as the Administrator. This can be a security risk if you have malware or a virus while signed in to the built-in Administrator.

It is not recommended to use the built-in Administrator account as an everyday account.

It is recommended to only enable and use the built-in Administrator account as needed and disable it when finished.



Contents

  • Option One: Enable or Disable Built-in Administrator in Elevated Command Prompt
  • Option Two: Enable or Disable Built-in Administrator in Elevated PowerShell
  • Option Three: Enable or Disable Built-in Administrator in Local Users and Groups
  • Option Four: Enable or Disable Built-in Administrator in Local Security Policy
  • Option Five: Enable or Disable Built-in Administrator in Command Prompt at Boot


EXAMPLE: Administrator enabled on Sign in screen

Administrator_sign-in.jpg





Option One

Enable or Disable Built-in Administrator in Elevated Command Prompt


You must be signed in as an administrator to use this option.


1 Open an elevated Windows Terminal, and select Command Prompt.

2 Copy and paste the command below you want to using into the elevated command prompt, and press Enter. (see screenshots below)

(Enable)
net user Administrator /active:yes

OR

(Disable)
net user Administrator /active:no

If you had previously renamed the built-in "Administrator" account's name, then you will need to substitute Administrator in the command above with the new name instead.

If your Windows uses a different language than English, then you would need to substitute Administrator in the command above with the translation for your language instead.


3 When finished, you can close the elevated command prompt if you like.

Enable_Administrator_in_command_prompt.png

Disable_Administrator_in_command_prompt.png





Option Two

Enable or Disable Built-in Administrator in Elevated PowerShell


You must be signed in as an administrator to use this option.


1 Open an elevated Windows Terminal, and select Windows PowerShell.

2 Copy and paste the command below you want to using into the elevated PowerShell, and press Enter. (see screenshots below)

(Enable)
Enable-LocalUser -Name "Administrator"

OR

(Disable)
Disable-LocalUser -Name "Administrator"

If you had previously renamed the built-in "Administrator" account's name, then you will need to substitute Administrator in the command above with the new name instead.

If your Windows uses a different language than English, then you would need to substitute Administrator in the command above with the translation for your language instead.


3 When finished, you can close the elevated PowerShell if you like.

Enable_Administrator_in_PowerShell.png

Disable_Administrator_in_PowerShell.png





Option Three

Enable or Disable Built-in Administrator in Local Users and Groups


You must be signed in as an administrator to use this option.

Local Users and Groups is only available in the Windows 11 Pro, Enterprise, and Education editions.


1 Open Local Users and Groups (lusrmgr.msc).

2 Click/tap on the Users folder in the left pane, and double click/tap on Administrator in the middle pane. (see screenshot below)

Administrator_in_lusrmgr-1.png

3 In the General tab, check (disable) or uncheck (enable) the Account is disabled box for what you want, and click/tap on OK. (see screenshot below)

Administrator_in_lusrmgr-2.png

4 You can now close Local Users and Groups if you like.




Option Four

Enable or Disable Built-in Administrator in Local Security Policy


You must be signed in as an administrator to use this option.

Local Security Policy is only available in the Windows 11 Pro, Enterprise, and Education editions.


1 Open Local Security Policy (secpol.msc).

2 Expand open the Local Policies folder in the left pane, click/tap on the Security Options subfolder in the left pane, and double click/tap on Accounts: Administrator account status in the right pane. (see screenshot below)

Administrator_in_secpol-1.png

3 In the Local Security Setting tab, select (dot) Enabled or Disabled for what you want, and click/tap on OK. (see screenshot below)

Administrator_in_secpol-2.png

4 You can now close Local Security Policy if you like.




Option Five

Enable or Disable Built-in Administrator in Command Prompt at Boot


This option is good to use when you do not have another administrator account to sign in with, or unable to sign in to Windows 11.


1 Open a command prompt at boot.

2 Type regedit into the command prompt at boot, and press Enter. (see screenshot below)

Administrator_in_command_prompt_at_boot-1.png

3 Click/tap on the HKEY_LOCAL_MACHINE key in the left pane of Registry Editor. (see screenshot below)

Administrator_in_command_prompt_at_boot-2.png

4 Click/tap on File on the menu bar, and click/tap on Load Hive. (see screenshot below)

Administrator_in_command_prompt_at_boot-3.png

5 In the Load Hive dialog, open the drive (ex: C: or D:) that Windows 11 is installed on, and navigate to the location below. (see screenshot below)

The drive letter (ex: C) will not always be the same at boot as it is from within Windows 11.

It will not be the Boot (X:) drive.


C:\Windows\System32\config

Administrator_in_command_prompt_at_boot-4.png

6 Select the SAM file inside the config folder, and click/tap on Open. (see screenshot below)

Administrator_in_command_prompt_at_boot-5.png

7 In the Load Hive dialog, type REM_SAM, and click/tap on OK. (see screenshot below)

Administrator_in_command_prompt_at_boot-6.png

8 Navigate to and open the key below the left pane of Registry Editor. (see screenshot below)

HKEY_LOCAL_MACHINE\REM_SAM\SAM\Domains\Account\Users\000001F4

Administrator_in_command_prompt_at_boot-7.png

9 In the right pane of the 000001F4 key, double click/tap on the F binary value to modify it. (see screenshot above)

10 Do step 11 (Enable) or step 12 (disable) below for what you want.


11 Enable Built-in Administrator Account

A) In the first column of row line 00000038, change 11 to 10, click/tap on OK, and go to step 13 below. (see screenshot below)​

You would do this by clicking to the left of 11 to place the cursor there, press the Delete key, then type 10.


Administrator_in_command_prompt_at_boot-8.png


12 Disable Built-in Administrator Account

A) In the first column of row line 00000038, change 10 to 11, click/tap on OK, and go to step 13 below. (see screenshot below)​

You would do this by clicking to the left of 10 to place the cursor there, press the Delete key, then type 11.


Administrator_in_command_prompt_at_boot-9.png


13 Close Registry Editor and the command prompt at boot.

14 Click/tap on Continue to startup back in Windows 11. (see screenshot below)

Administrator_in_command_prompt_at_boot-10.png


That's it,
Shawn Brink


 

Attachments

  • Administrator.png
    Administrator.png
    17.2 KB · Views: 73
Last edited:

Scott

Active member
Member
Local time
3:25 PM
Posts
190
Location
Maui, HI
OS
Win 11 Pro 22000.778
Great tutorial Shawn. Question: Would password protecting my disabled built-in Admin account prevent someone attempting to re-enable it using Option Five?
 

My Computer

System One

  • OS
    Win 11 Pro 22000.778
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
    Motherboard
    ASUS Prime Z370-P II
    Memory
    CORSAIR Vengeance LPX 8GB DDR4 3000 (x4)
    Graphics Card(s)
    EVGA GeForce RTX 3050 XC Black Gaming
    Sound Card
    Creative Labs PCIe Sound Blaster X-Fi Titanium (dan_k drivers)
    Monitor(s) Displays
    ASUS TUF Gaming 27" WQHD
    Screen Resolution
    2560 x 1440
    Hard Drives
    SAMSUNG 970 EVO 1TB NVMe (x2)
    SAMSUNG 870 EVO 2TB SATA III (x2)
    SAMSUNG 870 EVO 250GB SATA III
    PSU
    CORSAIR HX Series HX750
    Case
    Antec Dark Phantom DP502 FLUX
    Cooling
    Corsair Hydro Series H60 AIO
    Keyboard
    Logitech MK 320
    Mouse
    Logitech MX 1000 Laser
    Internet Speed
    200Mbs
    Browser
    Firefox
    Antivirus
    Winows Security
    Other Info
    UEFI, Secure Boot, TPM 2.0
    MR 8 HE

Brink

Administrator
Staff member
MVP
Thread Starter
Local time
8:25 PM
Posts
4,242
OS
Windows 11 Pro for Workstations
Great tutorial Shawn. Question: Would password protecting my disabled built-in Admin account prevent someone attempting to re-enable it using Option Five?

Hello Scott, :)

They would still be able to enable the built-in Administrator using option 5, but would need to know the password to sign in to the account.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    16 GB (8GBx2) G.SKILL TridentZ DDR4 3200 MHz
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 980 PRO M.2,
    1TB Samsung 970 EVO Plus M.2,
    6TB WD Black WD6001FZWX
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    Linksys EA9500 router,
    Motorola MB8611 cable modem,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S20 Ultra 5G phone
  • Operating System
    Windows 11 Pro for Workstations
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1
    CPU
    i7-1065G7 3.9 GHz
    Memory
    16 GB LPDDR4-3200
    Graphics card(s)
    Intel Iris Plus
    Sound Card
    Intel SST
    Monitor(s) Displays
    13.3" 4K UWVA AMOLED multitouch
    Screen Resolution
    3840 x 2160
    Hard Drives
    512 GB PCIe NVMe M.2 SSD
    Browser
    Google Chrome
    Antivirus
    Windows Defender and Malwarebytes Premium
Top Bottom