Access Denied: Disabling the Administrator Account under Windows XP

You can disable the Administrator account under XP to prevent attackers from using the account to access users' machines.

ITPro Today

November 11, 2002


We never use the local built-in Administrator account on our Windows XP Professional Edition workstations, and we want to prevent attackers from using the account to access the workstations. Earlier versions of Windows don't let you disable the Administrator account, but I've noticed that XP has a new policy called Accounts: Administrator account status under Security Settings, Local Policies, Security Options, Local Security Policy. What's the effect of setting that policy to Disable?

Disabling the Accounts: Administrator account status policy makes the built-in Administrator account unavailable for remote or local logons, except under safe-mode boots. If your workstations are part of a domain, you'll still be able to use an account that belongs to the Domain Admins group to administer the workstations, unless the secure channel between the domain controller (DC) and workstation fails for some reason. In that case, you'll need to boot the workstation in safe mode and log on as the local Administrator. (You can use Group Policy Objects—GPOs—to centrally manage new XP policies in a Windows 2000 domain, but you'll need to update the Administrative Templates. For more information about Administrative Templates, see http://www.microsoft.com/windowsxp/pro/techinfo/administration/policy/managing.asp.)
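The following audit is an added example, not part of the original column. It reads the policy value, checks the account's actual state, and tests the domain secure channel that the answer says remote administration depends on. It assumes Windows PowerShell 2.0 or later in an elevated session; the function name and temporary file name are hypothetical.

```powershell
# Added example (not from the original column). Assumes PowerShell 2.0+, elevated.
function Get-BuiltinAdminAudit {                    # hypothetical helper name
    # The built-in Administrator keeps RID 500 even after it has been renamed.
    $acct = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }

    # Export the local security policy. EnableAdminAccount under [System Access]
    # backs "Accounts: Administrator account status" (0 = disabled, 1 = enabled).
    $cfg = Join-Path $env:TEMP 'admin-audit.inf'    # hypothetical temp file
    secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
    $hit = Select-String -Path $cfg -Pattern '^\s*EnableAdminAccount\s*=\s*(\d)' |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $policy = if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }

    # The answer above ties domain-based administration to a working secure
    # channel between the workstation and a DC, so test it on domain members.
    $inDomain = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
    $channel  = if ($inDomain) { Test-ComputerSecureChannel } else { $null }

    New-Object PSObject -Property @{
        AccountName     = $acct.Name
        AccountDisabled = $acct.Disabled
        PolicyValue     = $policy
        DomainJoined    = $inDomain
        SecureChannelOk = $channel
    }
}

$r = Get-BuiltinAdminAudit
$r | Format-List
if (-not $r.AccountDisabled) {
    Write-Warning "Built-in Administrator ($($r.AccountName)) is still enabled."
}
if ($r.AccountDisabled -and $r.DomainJoined -and -not $r.SecureChannelOk) {
    Write-Warning "Secure channel is broken: recovery needs a safe-mode logon as the local Administrator."
}
```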
