![]()
![]() How to enable a disabled Local Administrator account offline in Windows 7 (even when using Bit. Locker) Back in the days of Windows XP IT administrators could disable the local administrator account on domain joined computers but still be able to use the account if they rebooted the computer into safe mode (see How to access the computer after you disable the administrator account ). To log on to Windows by using the disabled local Administrator account, start Windows in Safe mode. However this behaviour has change since Windows Vista (and 7) and now you are no longer able to logon to a computers local administrator account if it is disabled (see Built- in Administrator Account Disabled ). On domain joined computers, the disabled built- in administrator account cannot logon in safe mode. This presents some challenges as IT administrator as sometime you still need to ability to logon to a computer using the local administrator. The most common scenario you need to do this is when you need to troubleshoot domain account issues (e. Its even more difficult if you have Bit. Locker encryption enabled on your local hard drive. How To Enable More Than 4GB Memory in Windows Vista and Windows 7. Get a 3 licensed copy of Windows 7 Home Premium at a big discount. You better hurry. Click on OK twice to save the settings. Turn on Remote Desktop on Windows via Group Policy. To enable the Remote Desktop functionality, navigate to the following. It is possible that you could logon with a user with local administrator access using cached credentials however this is limited to the last 1. Cached. Logons. Count below registry key). But even so, this would also mean you have to know the username and password of the account at the time they last logged onto the computer. This may be a bit hard to do as they may have changed their password a number of times since they logged on to that computer. Unfortunately, it is also much more unlikely now that the normal local user of the computer has not been given local admin due to all the improvement with Windows 7 (e. UAC) that allows users to work with standard user permissions. Now you might think the really obvious solution is to just enable the local administrator account and set a password in advanced using Group Policy Preferences (see below) so that you can use it when you need to however doing this has a few security issues. However enabling the local administrator account means it can be used by anyone who knows the credentials and they could then use the account to remotely access any workstation on the network (not good). It also mean a normal user that knows the local admin credentials ( we would like to think they don’t but somehow they find out) could us them whenever they are presented with a specify credentials UAC prompt. So it’s pretty much a back door that anyone can use to get around the fact you spent all this time setting up their computers for them to not require local administrator access. However, the password is not secured. To help mitigate this I have also written an article that explain a way to more securely apply the new password to all the computers (see How to use Group Policy Preferences to change account Passwords ) but even if you did this on a regular basis you would still need to tell all the IT support staff what the new password is when you change the password and thus people quickly learn the local admin account credentials all over again. You use such third- party products and services at your own risk. So lets assume you have a computer that is no longer properly connected to the domain with a disabled local administrator account. The computers local system drive is Bit. Locker encrypted and and you don’t know the credentials of any other accounts that have previously logged on with local administrator permissions.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
November 2017
Categories |