Administrator account with no password

by Mitch Tulloch [Published on 4 Jan. 2006 / Last Updated on 4 Jan. 2006]

While conventional wisdom is that Administrator accounts should have long, complex passwords, this is not always so. Beginning with Windows XP, if a user account has no password then it can only be used for local console (interactive) logons. In other words, you can't use it for accessing the machine over the network. You also can't use it with the Runas command to run applications with admin credentials during an ordinary user session. The downside, of course, is that if the physical security of your computer is compromised (i.e. if someone else can sit down at the console and press CTRL+ALT+DEL) then it's trivially easy to gain admin-level control over your machine. So why would you ever want to have an admin account with no password?

One simple scenario might be in a small office or home office where your XP machines belong to a workgroup. In that case, you can do the following:

  • Create a local user account for each user and assign them a password (or no password if you trust everyone in your office)
  • Leave the password for the local Administrator account on each machine set to null (i.e. no password).
  • Enable Fast User Switching

Then educate your users by telling them that they should use their local Administrator account only for installing new programs that are deemed safe to install, for configuring the few Control Panel applets that require admin credentials to work, and for a few other tasks you specify. And to make sure they recognize when they're logged on as admin, change the theme for the Administrator desktop to Classic Windows.

Now the user only has to press Windows Key + L in order to switch between their ordinary user session (which they use for doing work, checking email, browsing the web and so on) and their admin desktop (which they only occasionally need for the purposes listed above). This is a lot easier than (a) teaching ordinary users how to use runas.exe and (b) logging on as admin for them when they need an admin-level task performed.
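The setup above only stays as contained as described while the "blank password means console logon only" behaviour is actually in force. The following PowerShell audit script is an added example, not part of the original article: it reads the `LimitBlankPasswordUse` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (the registry setting behind the security policy "Accounts: Limit local account use of blank passwords to console logon only"), reads the XP-era Fast User Switching switch `AllowMultipleTSSessions` under `Winlogon`, and lists local accounts in the Administrators group whose "password required" flag is cleared. It assumes a current Windows client with the built-in LocalAccounts cmdlets (`Get-LocalUser`, `Get-LocalGroupMember`), which Windows XP itself does not have; the function names are the script's own.

```powershell
# Added audit script (not from the original article). Assumptions:
# - Runs on Windows 10/11 with the LocalAccounts module (Get-LocalUser, Get-LocalGroupMember).
# - LimitBlankPasswordUse is the value behind the policy "Accounts: Limit local account use of
#   blank passwords to console logon only": 1 (the default) gives the console-only behaviour the
#   article relies on, 0 removes it.
# - AllowMultipleTSSessions under Winlogon is the Windows XP Fast User Switching switch; on
#   newer Windows it may be absent, which is reported rather than treated as an error.

function Get-BlankPasswordPolicy {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    # A missing value means the default: 1 = blank-password accounts restricted to console logon
    $value = if ($null -ne $lsa.LimitBlankPasswordUse) { [int]$lsa.LimitBlankPasswordUse } else { 1 }
    [pscustomobject]@{
        LimitBlankPasswordUse = $value
        ConsoleOnly           = ($value -eq 1)
    }
}

function Get-FastUserSwitchingSetting {
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($null -eq $winlogon.AllowMultipleTSSessions) {
        return 'not set (newer Windows manages Fast User Switching elsewhere)'
    }
    if ([int]$winlogon.AllowMultipleTSSessions -eq 1) { 'enabled' } else { 'disabled' }
}

function Get-LocalAdministratorAccounts {
    # Local user accounts (not domain or Microsoft accounts) that sit in the Administrators group
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
    foreach ($m in $members) {
        $name = ($m.Name -split '\\')[-1]       # strip the COMPUTERNAME\ prefix
        $u = Get-LocalUser -Name $name
        [pscustomobject]@{
            Name             = $u.Name
            Enabled          = $u.Enabled
            # PasswordRequired reflects the PASSWD_NOTREQD flag: $false means a blank password
            # is permitted on this account, which is a signal to review, not proof it is blank.
            PasswordRequired = $u.PasswordRequired
            PasswordLastSet  = $u.PasswordLastSet
        }
    }
}

$policy = Get-BlankPasswordPolicy
$fus    = Get-FastUserSwitchingSetting
$admins = Get-LocalAdministratorAccounts

"LimitBlankPasswordUse = $($policy.LimitBlankPasswordUse) (console-only: $($policy.ConsoleOnly))"
"Fast User Switching   = $fus"
""
"Local accounts in Administrators:"
$admins | Format-Table -AutoSize

# The article's workgroup scenario depends on ConsoleOnly being true.
if (-not $policy.ConsoleOnly) {
    Write-Warning 'Blank-password accounts are usable over the network and with Runas; set LimitBlankPasswordUse back to 1.'
}
foreach ($a in ($admins | Where-Object { $_.Enabled -and -not $_.PasswordRequired })) {
    Write-Warning "Enabled administrator '$($a.Name)' does not require a password; it should only ever be used at the console."
}
```

Run it from an elevated PowerShell prompt on each workgroup machine. Two warnings mean the machine has drifted from the arrangement the article describes: either the console-only restriction has been switched off, so a blank admin password is reachable from the network, or an administrator account that permits a blank password is enabled and therefore relies entirely on physical security.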

Will this work in a domain scenario? I wouldn't recommend it, since a compromised desktop could be used to launch an attack against a domain controller. But in a workgroup environment this can make your life easier as a network administrator. Just be sure to have a good lock on your door and hire only people you trust!
