Enable and Disable the Built-in Administrator Account (Standard 7 SP1)
7/8/2014
In Windows Embedded Standard 7, the built-in administrator account is disabled by default. In earlier versions of Windows, an Administrator account was automatically created during Out-of-Box-Experience (OOBE) with a blank password.
An Administrator account that has a blank password is a security risk. To better protect the system, the built-in Administrator account is disabled by default in all clean installations of Standard 7.
In audit mode, Image Builder implicitly enables the built-in Administrator account as the last action in the auditSystem configuration pass if the built-in Administrator is not already enabled. The first action in the auditUser configuration pass is to disable the built-in Administrator account. This enables you to run programs and applications as an Administrator. When you complete your customizations in audit mode and log off, the built-in Administrator account will be disabled. Unless you want to explicitly leave the built-in Administrator account enabled, you do not have to re-enable the built-in Administrator account in audit mode.
Enable the Built-in Administrator Account
You can enable the built-in Administrator account in one of the three following ways:
Use the
net usercommand
Run the following command to enable the Administrator account.net user administrator /active:yesYou can run this command after Standard 7 finishes installation.
Use the AutoLogon unattended setting
You can enable the built-in Administrator account during unattended installations by setting the AutoLogon setting to Administrator in the WinEmb-Shell-Setup component. This enables the built-in Administrator account, even if a password is not specified in the AdministratorPassword setting.
You can create an answer file by using Image Configuration Editor.
The following sample answer file shows you how to enable the Administrator account, specify an Administrator password, and automatically log on to the system.<component name="WinEmb-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="https://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <AutoLogon> <Password> <Value>SecurePasswd123</Value> <PlainText>true</PlainText> </Password> <Username>Administrator</Username> <Enabled>true</Enabled> <LogonCount>5</LogonCount> </AutoLogon> <UserAccounts> <AdministratorPassword> <Value> SecurePasswd123</Value> <PlainText>true</PlainText> </AdministratorPassword> </UserAccounts> </component>Use the Local Users and Groups MMC
Change the properties of the Administrator account by using the Local Users and Groups MMC.- Open MMC and select Local Users and Groups.
- Right-click the Administrator account and then click Properties. The Administrator Properties window appears.
- On the General tab, clear the Account is Disabled check box.
- Close MMC.
Administrator access is now enabled.
Disable the Built-in Administrator Account
OEMs and system builders are required to disable the built-in Administrator account before delivering the computers to customers. You can disable the built-in Administrator account in one of two ways:
Run the
sysprep /generalizecommand.
When you run the sysprep /generalize command, all account information is removed from the computer. This includes the built-in Administrator.
The next time that the computer starts, the built-in Administrator account is disabled.Use the
net usercommand.
Run the following command to disable the Administrator account.net user administrator /active:noYou can run this command after you configure the computer, before delivering the computer to a customer.