Access Denied: Disabling the Administrator Account under Windows XP

We never use the local built-in Administrator account on our Windows XP Professional Edition workstations, and we want to prevent attackers from using the account to access the workstations. Earlier versions of Windows don't let you disable the Administrator account, but I've noticed that XP has a new policy called Accounts: Administrator account status under Security Settings,\ Local Policies, \Security Options, \Local Security Policy. What's the effect of setting that policy to Disable?

Disabling the Accounts: Administrator account status policy makes the built-in Administrator account unavailable for remote or local logons, except under safe-mode boots. If your workstations are part of a domain, you'll still be able to use an account that belongs to the Domain Admins group to administer the workstations, unless the secure channel between the domain controller (DC) and workstation fails for some reason. In that case, you'll need to boot the workstation in safe mode and log on as the local Administrator. (You can use Group Policy Objects—GPOs—to centrally manage new XP policies in a Windows 2000 domain, but you'll need to update the Administrative Templates. For more information about Administrative Templates, see

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.