  • Upgrading from Win10 1803 to 1809 may break the built-in “Administrator” account, but you probably aren’t affected


    This topic contains 13 replies, has 8 voices, and was last updated by

     b 2 weeks, 4 days ago.

    • #243686 Reply

      b
      AskWoody Plus

      Difficult to see why this is an issue for anyone in any circumstances, or even a bug at all:

      The bug occurs when the following two conditions are met:
      The built-in Administrator account is enabled (it is disabled by default).
      There is at least one additional account with Administrator permissions.

      https://www.ghacks.net/2019/01/02/windows-10-version-1809-upgrade-could-invalidate-administrator-account/

      The account is not disabled when the feature update is installed if there is no other administrator account.
      Personally, I would have said that’s the behavior I expected. (says Günter Born)
      https://borncity.com/win/2019/01/02/windows-10-v1809-upgrade-deactivates-build-in-administrator/

      Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant "Toxic drinker" (Group ASAP)

    • #243692 Reply

      Bluetrix
      AskWoody Plus

      may break the built-in “Administrator” account, but you probably aren’t affected

      Three most assuring words to start your day off with.

    • #243698 Reply

      ch100
      AskWoody_MVP

      The built-in Administrator account was disabled during previous upgrades, unless the installation/upgrade in place was performed under the built-in Administrator account.
      Nothing new here and it is not a bug, but done on purpose I believe, for the reasons stated by Woody in the main post, i.e. security enhancement, as this account is normally the only account not subject to UAC, at least on a computer not joined to an Active Directory domain.
      Saying that, I generally tend to perform the OS upgrade under the built-in Administrator to avoid potential permissions bugs during the upgrade, but normally this should not be a pre-condition for a successful installation.

      • #243709 Reply

        warrenrumak
        AskWoody Plus

        The first part of this is correct — it’s been documented for years.

        The second part is not — the mechanics of the upgrade process are not performed by the user who started the upgrade, so it doesn’t matter what user you’re logged in as.

        • This reply was modified 2 weeks, 5 days ago by
           warrenrumak.
        • #243868 Reply

          ch100
          AskWoody_MVP

          It matters in the sense that it affects the profile of the user under which the upgrade is performed.

    • #243747 Reply

      EspressoWillie
      AskWoody Plus

      I enable the Administrator account for all the machines at my location for when I need to do “admin” things that avoid changing the user’s desktop or other items like that. The Administrator account is only used by me when needed and is, of course, password protected.

      1) If it disables the Administrator account, can it just be reenabled?

      2) What do they mean by “break”?

      3) If I use the Administrator account to do the upgrade, does the regular user admin account that gets created during setup get disabled or “broken”?

      4)  I have renamed some of the Administrator accounts to something else for security purposes, just like I do on my servers.  Do the same bugs apply?

      Cheers!!
      Willie McClure
      www.datarim.com
      Talk's cheap, takes money to buy whiskey.
      • #243783 Reply

        b
        AskWoody Plus

        1) Yes.
        2) Disabled/Inactivated.
        3) No.
        4) Same situation.

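A pre-upgrade check for the two conditions quoted earlier in this thread, as an added example that is not part of any poster's reply. It finds the built-in Administrator by its RID of 500, so renamed accounts (question 4 above) are covered, and it assumes only enabled local accounts count as the "additional" administrator, which the thread does not specify.

```powershell
# Added example: audit the two conditions before installing the 1809 feature update.
# Uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1); run elevated.

# The built-in Administrator always has RID 500, even after it has been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }

# Resolve the local Administrators group by its well-known SID (the name is localized).
# Assumption: only enabled *local* user accounts are counted as "additional" admins;
# domain members fail the Get-LocalUser lookup and are skipped silently.
$otherAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -ne $builtin.SID.Value } |
    ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
    Where-Object Enabled

# Report: the upgrade is described as disabling the account only when both are true.
[pscustomobject]@{
    BuiltinAdminName    = $builtin.Name
    BuiltinAdminEnabled = $builtin.Enabled
    OtherLocalAdmins    = ($otherAdmins.Name -join ', ')
    MeetsBothConditions = ($builtin.Enabled -and @($otherAdmins).Count -gt 0)
}

# After the upgrade, re-run the report. If the account is needed and was disabled,
# it can be re-enabled by SID from another administrator account:
# Enable-LocalUser -SID $builtin.SID
```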
    • #243965 Reply

      anonymous

      Wouldn’t it be better to enable the built-in administrator account and password protect it, rather than leaving it disabled without a password?

      • #243981 Reply

        b
        AskWoody Plus

        I don’t see why. It’s one more password for you to remember/store and for a hacker to guess/crack.

        It can’t be enabled without other administrator or physical access, so not a risk if it’s disabled.


    • #243995 Reply

      Damian
      AskWoody Lounger

      All of our Win7 domain machines have the Admin enabled and password protected. This was a carry-over practice from the WinXP endpoints and it’s worked well for us. Just as the Domain Admin has a password, Endpoints have the Local Admin with a password. Unfortunately, we will be converting to Win10 this year but the practice will likely continue. I could’ve sworn there were ways to activate the built-in Admin account during an offline state.

      • #244001 Reply

        Damian
        AskWoody Lounger

        I believe the best option is to password protect and then disable if you’re able to. We have a relatively small environment of 180 or so endpoints. There have been times where an endpoint has lost trust with the Domain and the built-in Admin account is needed to leave and rejoin. This can also happen when restoring an older image to an endpoint. I’m sure I’m not alone in this thought, nor am I solely right in my efforts. There’s always ten ways to accomplish everything in Windows. Thank you for your feedback, b.

        • #244016 Reply

          b
          AskWoody Plus

          There have been times where an endpoint has lost trust with the Domain and the built-in Admin account is needed to leave and rejoin.

          Yes, I’ve experienced that a few times. I wouldn’t suggest not having any local admin account available.

      • #244010 Reply

        b
        AskWoody Plus

        I could’ve sworn there were ways to activate the built-in Admin account during an offline state.

        There are with physical access and the ability to boot from something like Offline Password and Registry Editor on CD/DVD/USB (although not if the system drive has disk encryption with that tool apparently), or Safe Mode.


        • This reply was modified 2 weeks, 4 days ago by
           b.
