Windows-itpro-docs: Disabled administrator account cannot be used in safe mode

Created on 22 Jun 2019 · 19 Comments · Source: MicrosoftDocs/windows-itpro-docs

When a local administrator account is disabled it cannot be used to log in to safe mode. This was true in 2003 etc. But definitely not in Windows 10 and 7.

"Important Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled."



security

All 19 comments

@officedocsbot assign @jvsam

@KrypticChewie. Did you mean the builtin administrator is automatically enabled in the recovery console?
I checked many times; that account won't be available, even though I am using 1903.

The only user created administrator account can be used to login to safe mode.

Hi @KrypticChewie just a follow-up on @RAJU2529's question. Are you saying that even if the default local Administrator account is disabled, you can still login to it via safe mode? The important note in this document indicates that yes, the default local Administrator account can login via safe mode because it's enabled by default, that is why it is recommended to disable the Administrator account to avoid security issues.

We want to make sure we fully understand your concern so we would know if it is about the accuracy of this document, since as you know, this site is intended to help improve the quality of the technical documentation of Microsoft Docs. We look forward to hearing from you. Thanks.

Sorry for the delay.

The documentation says you can log on to a machine using the local administrator account even if it is disabled if you are logging on using safe mode. It therefore suggests disabling local administrator and use it only to log on in safe mode.

This does not happen in actuality. If you disable the local administrator account you cannot use it to log into safe mode, the opposite of what the document says.

@KrypticChewie. Thanks for the reply. You are saying that the document should be edited such that only a local administrator account can log in to safe mode. If the local administrator account is disabled then it can't be logged into safe mode.
Is my suggestion correct according to you?

Not exactly. What I am saying is if an account is disabled then it's disabled. It cannot be used for a normal login or login to safe mode. Any account that can be authenticated can be used to login to safe mode. It does not need to be an Administrator account or a local account.
If the situation is such that the local administrator account is the only local account and no domain account can be authenticated (due to no network access and no cached credentials) and the local administrator account is disabled then you cannot login to safe mode. This would be the same situation if we were trying a normal login, with the above conditions that is.
Therefore, what I am saying is that the recommendation to disable the local administrator account so it cannot be used normally but can be used to login to safe mode is not correct or possible.
I was following the document but not getting to login to safe mode with the disabled account. I spoke with Microsoft support and they confirmed that you cannot login to safe mode with a disabled account (at least they confirmed for Windows 10 for sure). They said their internal documentation confirms you cannot login with a disabled account but they could not provide me with the internal documentation.

Hi @KrypticChewie the additional information helps. There were multiple references of this on some documentation, where it basically suggests that even if the Administrator account is disabled, you should be able to gain access to a computer through Safe Mode.

"I spoke with Microsoft support and they confirmed that you cannot login to safe mode with a disabled account (at least they confirmed for Windows 10 for sure). They said their internal documentation confirms you cannot login with a disabled account but they could not provide me with the internal documentation."

Perhaps they mean, if it's not showing (it's disabled so you cannot login), you may need to enable the built-in Administrator in Windows 10 first, e.g. via Recovery Options and then you can login to it via safe mode, or choosing Safe Mode with Command prompt and then enable it. Did you confirm if this is the case since this is what I've noticed as a common problem for a lot of users in the Technet forum? Apologies if we ask a lot of questions, we just want to make sure we get enough information related to your feedback so the Windows writing team will know what changes to suggest/propose to improve this documentation. Thank you and we really appreciate your patience.

"In the Recovery Console or in safe mode, the Administrator account is automatically enabled."

I believe this is also where we need more clarity. If this is talking about other administrator accounts (members of the Administrators group) or the built-in Administrator account (the first account that is created during the Windows installation). This document also says "In Windows 10 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group." Refer: Administrator account

Don't be sorry for asking questions. That's how we all are going to learn.

As far as I have seen you cannot enable the account unless you have another administrative account. That defeats the purpose of using the built-in account.

The only reference I have found, other than here, to this behaviour is for Server 2003.
https://support.microsoft.com/en-us/help/814777/how-to-access-the-computer-after-you-disable-the-administrator-account

But this does not seem to be the case now.

Right now any account, once disabled, cannot be used for any login, safe mode or otherwise.

You need an administrative account to enable any account. So, to enable the disabled administrator account you'd need an administrative account.

It's like having wet matches and looking for dry matches to light so you can dry the wet matches so you can light a match.

What I am not sure about is if you have the computer set to login without requiring a password if that also applies to safe mode so you can get to safe mode or even safe mode with command prompt without a password and hence you might get to use the built-in administrative account if it is disabled. That's just a guess. What I do know is if you have to login to the PC you also have to login to any of the safe mode options (at least I am sure for domain joined machines for sure). And in this scenario, you can only log in with an enabled account and you can only enable an account with an administrative account.

Hi @jvsam and @RAJU2529 ,
I've been doing some testing and it seems the built-in administrator does get enabled in safe mode for a machine that is not joined to a domain. This fact is not explained in the documentation. I would believe that most people using this documentation would be using domain joined machines.

The documentation does have:
"Should a member server or workstation become disjoined from the domain with no other local accounts granted administrative privileges, the computer can be booted into safe mode, the Administrator account can be enabled, and the account can then be used to effect repairs on the computer. When repairs are completed, the Administrator account should again be disabled."

To verify how this would work on a domain I disabled the local administrator and created a trust relationship error. I also set the cached accounts to 0. There are no local users besides the built-in administrator. This would be a perfect example of when a local administrative account would be needed as there would be no way to login with administrative privileges. I still got the error that the built-in administrator account was disabled in safe mode. This means there is no way to fix the error or login to the machine. (Well not without some questionable tooling.)
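The configuration tested in the comment above (domain joined, built-in Administrator disabled, no other local administrator, cached logons set to 0) can be checked for on a live machine before it turns into a lockout. The read-only PowerShell audit below is an added example, not part of the original comment or of the Microsoft documentation; the report property names are made up for illustration, and it assumes an elevated Windows PowerShell 5.1 session on Windows 10 / Server 2016 or later.

```powershell
# Added example: read-only audit, changes nothing on the machine.

# The built-in Administrator keeps a SID ending in -500 even when renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }

# Direct members of the local Administrators group (well-known SID S-1-5-32-544).
# Nested group membership is not expanded here.
$adminSids = @((Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value)

# Other local accounts that are both enabled and administrators.
$otherLocalAdmins = @(
    Get-LocalUser | Where-Object {
        $_.Enabled -and
        $_.SID.Value -ne $builtin.SID.Value -and
        $adminSids -contains $_.SID.Value
    }
)

$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

# CachedLogonsCount is stored as a string; when the value is absent
# Windows falls back to its default of 10 cached logons.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
            -ErrorAction SilentlyContinue).CachedLogonsCount
$cachedLogons = if ($null -eq $raw) { 10 } else { [int]$raw }

# Hypothetical report object: one row per machine, suitable for Export-Csv.
[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    DomainJoined            = $domainJoined
    BuiltinAdminName        = $builtin.Name
    BuiltinAdminEnabled     = $builtin.Enabled
    OtherEnabledLocalAdmins = ($otherLocalAdmins.Name -join ', ')
    CachedLogonsCount       = $cachedLogons
    # True when the machine matches the state tested in the comment above:
    # if domain authentication fails, no account is left that can log on.
    NoOfflineAdminLogon     = ($domainJoined -and
                               (-not $builtin.Enabled) -and
                               ($otherLocalAdmins.Count -eq 0) -and
                               ($cachedLogons -eq 0))
}
```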

Hi @KrypticChewie thanks for sharing the results of your tests.

Hi @DulceMontemayor can you please verify if this is still the expected behavior for Windows 10 & 7? The doc applies to Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

"Should a member server or workstation become disjoined from the domain with no other local accounts granted administrative privileges, the computer can be booted into safe mode, the Administrator account can be enabled, and the account can then be used to effect repairs on the computer. When repairs are completed, the Administrator account should again be disabled." Refer: Implementing Least-Privilege Administrative Models

In here (Local Accounts), which is for Windows 10, Windows Server 2019, and Windows Server 2016, it communicates the same thing.

"Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled"

However, as per @KrypticChewie, the behavior is different for joined machines. Your feedback will help us assess and propose amendments to this documentation. Looking forward to your help.

@KrypticChewie how about contacting Windows 10 support? You may be able to get an immediate answer, and then you can update us here so we would know how to proceed? Thank you again.

I did contact support but their response was that the disabled administrator account cannot be used to log in, even in safe mode.

Even though it seems like it can in safe mode, for me, when the machine is not domain joined.

Hi @KrypticChewie thanks for that update. I guess it might also depend on your current set up or other contributing factors that may cause it to behave differently in your case. As confirmed by support, the content of this documentation remains up-to-date. What I would recommend is to raise this in the Tech Community so other users, even experts, can assist you. We will now close this issue, however, feel free to re-open if you have other suggestions or ideas to improve the quality of this documentation. Thank you.

@officedocsbot close

Correct me if I'm wrong but doesn't the documentation say to leave the local administrator disabled so that it can be used in safe mode? Support says this cannot happen. Therefore, support is saying what the documentation says is incorrect. I gave them a link to the page and they did confirm that the documentation is wrong.

@martyav or @mapalko , would you like to follow up with a comment to that feedback?

Thanks @illfated and @KrypticChewie, I believe the best person who can provide clarification is the Microsoft author. @DulceMontemayor, we'd like to follow up on the original question please. If time permits, can you please look into this issue and confirm/deny the feedback from support (of course after conferring with the Product team)? I'd like to emphasize that what makes the scenario different is the inconsistent behavior for domain joined machines. @martyav @Dansimp any idea? We appreciate your assistance.

I I don't even know where to start with this I'm I'm I'm not administrator of a group the 50 six-year-old man on the truck driver I get home like once a month back try to get on my computer in this been going on for about 2 years they 1st started out I was hacked and I was that on out with these guys that weren't trying to rip me off in anyway but they're pretending that they're Microsoft noon after that Microsoft starts tell me that I'm administrator in a have a group herbs at something I'm II got AAA windows started out 7 in its a home edition my brother has a laptop I paid for the saddle I hear we live out in the country and its me and my brother so II don't know how they can get into my computer in and it just totally jacking around this has been going on for over a year it's crazy I don't know what to think about it it's that I'm going down to morrow I falling I got back on the computer today after reloading it for hours and as soon as I got on this they attacked me and started taking stuff away so Amyas's Finn an ongoing battle which unite joy play and but they always win so it coming at all some go down to morrow by a Mackintosh and in makkah soft came kiss my heinie. Sorry is some of that did not make sense I'm using my voice and its typing it in for me I've had a long day anyway my name's Tom chambers on the truck driver I have no idea how they can come and I've I tried talking to himself all times Microsoft's does it seem to care tell me that I'm a group or a in charge your I don't know the silliest stuff in the world to me anyway sorry I

@tcman6477 : Please note that this site & repository is for improving the documentation only. If you need support, we recommend that you contact your regional Microsoft Support (please note, Microsoft never contacts you directly, you call them). As long as you do not have any constructive suggestions for improving the IT Professional documents (not for home use), please call Microsoft Support instead or use the Microsoft Support pages: https://support.microsoft.com/en-us/contactus/

Thank you.

