Administrator vs User

jyeagley3

Honorable Member
#1
I was a little insecure about losing my files at one time and I created a 2nd account with Administrator priviliges. And I have the Guest Account active. Now I always log into the same account that supposedly has the administrator privileges yet at times I get a message that I need to contact the administrator for permission to change or delete an account. How can this be...I AM the administrator.
Question: Is there any reasonablly easy way to rid the cumputer of all administrators except the one I log in with so properties > security > for files and folders sees only one administrator and allows that administrator to do all and anthing with the files and folders?
I know I need to be careful about deleting accounts 'cause if the account I delete is an administrator of some files or folders I probablly won't have access.

Any and all help greatly appreciated.
Would like tried and true replies so as not to really mess up my PC.

Thanks
Jerry
:confused:
 


#2
Jerry,

Properly speaking there should be only 1 Admin acc't & all others Limited. Now, the Admin acc't/user, be it named Jerry, User or Herman, doesn't matter... even that acc't, when trying to do certain things, will get asked by the UAC (User Account Control) for 'permission' or "Elevated Privileges". IF you want to make sure the profiles are in order run MBSA 2.2 It will quickly tell you what it doesn't like, why & how to correct things, in no uncertain terms.

Oh, & by the way, if you don't care to have the screen dimming when the UAC bit comes up, move the UAC slider down 1 notch.

Regards,
Drew
 


Last edited:

Trouble

Noob Whisperer
#4
I was a little insecure about losing my files at one time and I created a 2nd account with Administrator priviliges. And I have the Guest Account active. Now I always log into the same account that supposedly has the administrator privileges yet at times I get a message that I need to contact the administrator for permission to change or delete an account. How can this be...I AM the administrator.
Question: Is there any reasonablly easy way to rid the cumputer of all administrators except the one I log in with so properties > security > for files and folders sees only one administrator and allows that administrator to do all and anthing with the files and folders?
I know I need to be careful about deleting accounts 'cause if the account I delete is an administrator of some files or folders I probablly won't have access.

Any and all help greatly appreciated.
Would like tried and true replies so as not to really mess up my PC.

Thanks
Jerry
:confused:
Hello Jerry.
The basic underlying concept that is difficult for most of us to get our head around is that, if you log on to a Windows 7 Computer that has UAC (user account control) enabled, with an account that is a member of the local Administrator's Group, you get what Microsoft calls a "Filtered Access Token" as well as an "Administrator's Access Token". During normal operation your account then functions as a normal user account, except in those instances that may require elevated permissions in which case you get the annoying prompt to provide administrator credentials, in which case simply or normally clicking continue or OK will generally allow you to invoke your unfiltered access token and thereby support whatever action provoked the prompt for elevated credentials.
There is a lot of very confusing information regarding UAC and Filtered Access Tokens available if you want to use Google to do some research but as I said it's a bit confusing and muddled at best. Here is a relatively simple reference which may help you better understand what might be going on under the hood of Windows 7 regarding this topic.
When a member of the Administrators group logs on to a Windows Vista-based computer or to a Windows 7-based computer that has User Account Control enabled, the user runs as a standard user. Standard users are members of the Users group. If you are a member of the Administrators group and if you want to perform a task that requires a full administrator access token, User Account Control prompts you for approval. For example, you are prompted if you try to edit security policies on the computer. If you click Allow in the User Account Control dialog box, you can then complete the administrative task by using the full administrator access token.

When an administrator logs on to Windows Vista or to Windows 7, the Local Security Authority (LSA) creates two access tokens. If LSA is notified that the user is a member of the Administrators group, LSA creates the second logon that has the administrator rights removed (filtered). This filtered access token is used to start the user’s desktop. Applications can use the full administrator access token if the administrator user clicks Allow in a User Account Control dialog box.
SOURCE: Programs may be unable to access some network locations after you turn on User Account Control in Windows Vista or in Windows 7
You seem to already know that you need to be careful regarding the handling of other accounts on your machine, and always make sure you preserve one administrator account. I might suggest using either an elevated command prompt and type
net user UserName /active:no (where UserName is the account you are wanting to deal with) to disable the account, or
net user UserName /active:yes (where Username is the account you are wanting to deal with) to enable the account
or by using the Local User Manager Console by typing
lusrmgr.msc
into the search or run dialog box to launch the console (if you are using Windows 7 Pro or higher)
and using the GUI to enable or disable accounts before deleting any accounts.
 


jyeagley3

Honorable Member
#5
Hello Jerry.
The basic underlying concept that is difficult for most of us to get our head around is that, if you log on to a Windows 7 Computer that has UAC (user account control) enabled, with an account that is a member of the local Administrator's Group, you get what Microsoft calls a "Filtered Access Token" as well as an "Administrator's Access Token". During normal operation your account then functions as a normal user account, except in those instances that may require elevated permissions in which case you get the annoying prompt to provide administrator credentials, in which case simply or normally clicking continue or OK will generally allow you to invoke your unfiltered access token and thereby support whatever action provoked the prompt for elevated credentials.
There is a lot of very confusing information regarding UAC and Filtered Access Tokens available if you want to use Google to do some research but as I said it's a bit confusing and muddled at best. Here is a relatively simple reference which may help you better understand what might be going on under the hood of Windows 7 regarding this topic.

SOURCE: Programs may be unable to access some network locations after you turn on User Account Control in Windows Vista or in Windows 7
You seem to already know that you need to be careful regarding the handling of other accounts on your machine, and always make sure you preserve one administrator account. I might suggest using either an elevated command prompt and type
net user UserName /active:no (where UserName is the account you are wanting to deal with) to disable the account, or
net user UserName /active:yes (where Username is the account you are wanting to deal with) to enable the account
or by using the Local User Manager Console by typing
lusrmgr.msc
into the search or run dialog box to launch the console (if you are using Windows 7 Pro or higher)
and using the GUI to enable or disable accounts before deleting any accounts.
Wow, that's an awful lot of information. I'm going to try to digest all of it and see what I may do. Thanks so much!
Jerry
 


This website is not affiliated, owned, or endorsed by Microsoft Corporation. It is a member of the Microsoft Partner Program.