Friday, February 8, 2008

Built-in "Administrator" account disabled by default

If you haven't seen this one before, be aware: with Vista, the built-in Administrator account is disabled by default.

When you install Vista (in any flavor: 32/64-bit, home, business, ultimate or enterprise), the first account that is created gets put into the local Administrators group; subsequently added accounts are created as limited users unless otherwise specified.

This leaves for an amusing little scenario (not):
  1. Install Vista
  2. Add machine to a Domain
  3. Log in to Vista using a Domain Admin account (giving administrative privileges on the machine)
  4. Delete the (admin) user created during install
  5. Dis-join from the Domain
You now have a PC that cannot be logged into using the local accounts (both the default built-in accounts are disabled) or the domain account (the PC isn't in the domain anymore, so there's no trust relationship). Vista will happily present to you the domain account for authentication, but you can't get it to authenticate. Attempting to use the local Administrator account will fail; after all, the account is disabled.

Luckily, the folks on the Vista team recognized this possibility. The fix is to restart in Safe Mode (hold down F8 during POST). Vista will boot into the Safe Mode GUI using the built-in Administrator account, even though it is disabled. From there, you can enable the Administrator account, reboot, then log in "normally" to re-join the domain.

You can also shorten the process by using "Safe Mode with Networking" to re-join the domain (whether you enable the Administrator account or not).

If you enable the local Administrator account using this process, it does remain enabled, even after rejoining the domain.