Windows 7 Administrator, something special?

Trouble

Noob Whisperer
Can someone set me straight and clear up a question I have regarding the Windows 7 local user "Administrator"?
I have seen both here and elsewhere on the internet, some folks attributing some type of special authoritative privileges associated with this account. And that because Microsoft has chosen to disable it by default (strictly for security reasons, as it is a "known" name associated with the highest level of local control) that it has some mysterious super power and is somehow able to perform wondrous deeds that my account, which is also an administrators account, is unable to perform. I haven't found this to be the case and was wondering if someone can point me to some definitive documentation that will help me understand this unusually powerful account.
When I right click the administrators account and choose the Member Of tab, I find that the account is a member of the Administrators Group. When I right click my user account and choose properties, the Member Of tab shows that I am also a member of the Administrators Group. When I right click the Administrators Group and choose properties I find this description: "Administrators have complete and unrestricted access to the computer/domain."
I suspect that if someone is having problems with their account which is a member of the local administrators group, then perhaps there may be an issue with conflicting group membership and the account may also be a member of the local "Users" group and as a consequence may (probably does) have more restrictive permissions. This issue is easily exposed in Windows 7 Pro and above, by using the Member Of tab and removing groups other than the Administrators group. However, potential cross group / conflicting group membership is not as easily worked out in Windows 7 Home Premium and below, so I'm wondering if anyone knows, when using Windows 7 Home Premium or a downlevel OS (Basic, Starter), if when a new user is created and type administrator is chosen, or when a user is elevated to type administrator, is his account then only a member of the Local Administrators Group, or does it still contain an association with the "Users" group and perhaps consequently cause issues with NTFS security permissions and/or share permissions, resulting in the lesser permission being applied.

EDIT: And Mitchell, please go easy on me. I posted this in the Discussion Forum, because I would really like to discuss it. I realize that the last couple of sentences seem to be asking for help and support, but that is really not my intention. Thanks for understanding
 
Hi

Windows 7 is kind of weird about the administrator thing.
I can't say that I understand it at all.

None of the normal accounts is really the "Administrator Account" no matter what it says. The real Administrator account seems to be the one you access through the command prompt. I have a document on my task bar with the commands to enable and disable it, my memory isn't that great anymore.

I gave up trying to get it to let my regular account do anything. I know that they are trying to make it more secure but how about just having a password when it questions whether I have the privilege to do something or not.

I also have no idea why Windows will sometimes refuse to let me access a folder that I made myself the day before.

When that happens I use an application called Take Ownership that adds a command to my right click download that overrides Windows security.

Mike
 
Mostly, when users have issues while using an Administrator-privileged account, it is because they are trying to access, write to, or otherwise modify the NTFS file system created by a different Windows install, whether that be another Windows 7 or Vista. (Think CREATOR OWNER group.) As Mike mentioned, Take Ownership command (takeown) or the Windows Explorer plugin to automate it, can be used to alleviate these situations. Usually, then the user's account name should be added or other group, to the security permissions, to do what is wanted that currently could not be done, while also modifying permissions to suit.

If a normal user account is set as Administrator-privileged, there is nothing else worthy to be gained by using the true Administrator account name instead. Perhaps there is something obscure or not-so-well-known that it can do that others can't, but I'm neither aware of it nor have I ever had any instance or need to find out.

I do all sorts of things to files on all my drives for any number of reasons. I have never run into any issue at any time where I needed the actual Administrator account. My Administrator-grouped user account does everything I've ever needed or wanted it to do without issue. That includes even when I had the PS3 native hard drive attached in Windows 7 so I could wipe the disk and use a special method to format it, to fix a corrupt game save which rendered the machine unusable. (The power was lost while saving. Fix worked. :) ) I was able to get what I needed from the drive easily.

Otherwise, when you log into safe mode, it is the true Administrator account and that's a good reason alone for it to exist.
 
I have found things that I needed to log into the real Administrator Account for; right now the only one that I can remember was to install the game "The Witcher".
It gave me an error every time I tried to install it on both my old computer after I converted it to Windows 7 and my new Windows 7 64-bit computer.

Other people were having the same problem and I finally found a post on the Witcher forum that said you need to install it as Administrator. That's when I first found out how to log into the other Administrator Account.

Once I did that I was finally able to get the game installed and running.

There have been other issues as well but that's the only specific one I can remember now, but I have seen other posts from people having issues with "You have to be logged in as administrator to do that!" messages when they try to install some software.
 
Interesting.

I am willing to guess here that you and/or others that needed this have UAC (User Account Control) enabled? That might be interfering with otherwise normal operations, even if told to authorize.

I disable UAC on any machine I touch, first thing, without exception. (All machines I maintain and admin for myself, friends, family.)
 
Excellent and interesting read, thanks for posting.

I did however notice something incorrect: "Since an account with a blank password cannot be accessed over the network, you can substantially reduce the attack surface of a computer this way."

That is wrong because there are tools that many people, warez groups on IRC especially, use to do just that...access a Null-passworded account (meaning none.) It is actually one of the simplest ways of gaining control of a remote PC and why people at universities or fast home networks such as OptOnline here in NY, routinely find that they have bots serving warez in IRC channels, FTP servers installed so warez can be uploaded (hidden in System32) and anything else the controller would like to do as if he/she was sitting at the machine. DameWare NT Utilities comes into play with this too...the Remote Control utility.

There's even a tool to clear the event log to hide all traces of accountability. Routinely, these things are done using a proxy server too.

Blocks of IPs are scanned on these fast networks and when there is no password protecting NetBIOS shares, things can and do get done. Simple passwords are easily cracked as well. So that's why my advice is always to set passwords on all accounts, even non-admin ones. A good idea is to also set Windows so that 5 consecutive failed attempts at logging in disables the ability to log in at all, for 15 minutes. This can be done with Group Policies.
 
@Kemical:
Thanks for the link, I have indeed been able to confirm that the built-in administrator account is in fact unique in how it deals with UAC, but the reference regarding it turning off IE protected mode, I was unable to confirm, perhaps because I'm currently using IE9 and it no longer applies. But this only leads me to wonder how this account may be unique in even more cases and is in fact, as some have claimed, some type of super administrator account.
The built-in "Administrator" account

This account is special for a number of reasons, and is disabled by default in Windows Vista and Windows 7. Because this account explicitly turns off some important security features (such as Internet Explorer® Protected Mode) as well as UAC, it's a really bad idea to use Administrator for anything.
SOURCE: http://technet.microsoft.com/en-us/library/ee623984(WS.10).aspx Kemical's Link.

@TorrentG:
Good observation and as usual good advice. A blank password on any account is just asking for problems, and whenever possible (always) a strong P@SSw0rd should be employed just as a security best practice. I suspect that blank passwords may be in some cases producing some of the network issues we see here on the forums.
Picking a password

Curiously enough, it's not always necessary to have a password on an account. Since an account with a blank password cannot be accessed over the network, you can substantially reduce the attack surface of a computer this way.
SOURCE: http://technet.microsoft.com/en-us/library/ee623984(WS.10).aspx Kemical's link.
 
As an aside, it has long been my practice just as a matter of personal paranoia to automatically and instantly rename the built-in administrator account, just to take it out of the realm of easy to guess account names. I continue with this practice today and would suggest that if anyone is tempted to enable and use the built-in administrator (as some have evidently found necessary) they might consider this practice as one more step to make things just a little more difficult for attackers. It has no impact or effect on the properties of the account itself.
 
Last edited by Trouble; 1 Day Ago at 03:10 PM. Reason: To protect me from Mitchell

You guys talk about me like I'm some murderer about to go nuts..
 
Hi there, I know it’s a bit crunchy in terms of details, but I found you a thread on TechNet that deals with best practices for the users account control. Check out this link User Account Control in Windows 7 Best Practices, for some of that content. I hope that this might help a bit. - Regards - John C. - Windows 7 Professional Outreach Team
 
I have had reasons as I said before to use the Administrator account.

But I don't keep it enabled, partly because I want my computer to boot and run my antivirus when I turn it on and walk away in the morning. I don't want to have to select which account to log into.

Anyway as soon as I have done whatever I needed it for I go back in and disable it.

Since the last time I posted in this thread I have disabled the UAC and it is kind of a relief to not have it asking me whether I really want to do that, all the time.

I can't tell if it will make it unnecessary to log in as administrator to do certain things, but I haven't run into anything like that recently.

Mike
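
Several points raised in this thread can be checked directly: whether the built-in Administrator is enabled or renamed, which accounts are members of both Administrators and Users, which accounts are allowed a blank password, and what the lockout policy currently is. The following read-only PowerShell audit is an added example, not code from any poster; the helper name `Get-GroupUserSids` is made up for illustration, and it uses WMI so that it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the thread. Read-only: it changes nothing.
# Uses WMI so it also runs on the PowerShell 2.0 that ships with Windows 7.

# Well-known SIDs identify the groups even on localized installs.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users

# Hypothetical helper: SIDs of user accounts that are direct members of a group.
function Get-GroupUserSids([string]$GroupSid) {
    $group = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='$GroupSid'"
    if (-not $group) { return @() }
    @($group.GetRelated('Win32_UserAccount') | ForEach-Object { $_.SID })
}

$adminSids = Get-GroupUserSids $AdminsSid
$userSids  = Get-GroupUserSids $UsersSid

Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
    New-Object PSObject -Property @{
        Name             = $_.Name
        # The built-in Administrator keeps RID 500 even after a rename.
        BuiltInAdmin     = ($_.SID -match '^S-1-5-21-.+-500$')
        Enabled          = (-not $_.Disabled)
        # False means the account is allowed to have a blank password.
        PasswordRequired = $_.PasswordRequired
        InAdministrators = ($adminSids -contains $_.SID)
        InUsers          = ($userSids -contains $_.SID)
    }
} | Select-Object Name, BuiltInAdmin, Enabled, PasswordRequired, InAdministrators, InUsers |
    Format-Table -AutoSize

# Current lockout threshold and duration (the policy mentioned in the thread).
net accounts
```

Only direct user-account members are listed; membership that arrives through special identities such as INTERACTIVE or Authenticated Users does not appear in the InUsers column.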
 