Make your Vista's admin account acts like in XP

[+Tantawi Subscriber²]

First let me start by saying that one of the main features of Windows Vista is the new user accounts security enhancements, but sometimes, defaults don't meet everyone's taste when it comes to how we deal with our PCs. I for one, always used full administrator accounts since I first knew what a Windows user account is, and never been hit by a virus/spyware/crap, using common sense and updated AV software, so I don't want to give permissions to myself or face strange error messages every time I do a simple task on my computer.

We know UAC feature in Windows Vista, and we all know how to disable it, this is not the purpose of this thread, because even after you disable UAC, you'll have other prompts about folder/file permissions errors sometimes (I faced it in strange, unexpected occasions, like deleting an empty folder for a program left by the uninstaller), or you'll need to right click and select "Run as Administrator" for most applications to work/install correctly.

That's because Microsoft made the administrators accounts (in local administrators group) run as standard users, unless we give permissions for every and each administrative tasks, with a little difference when UAC is turned on/off

Enough introductions, lets get our hands dirty:

*************************************

Remember that cute "Administrator" account you see when you login to safe mode in XP? That's the built-in administrator account that's installed by default, and disabled by default too, after a little digging-in I made this tutorial that'll let you enable and use this account in normal mode, and with a little other tweak, enjoying an XP-like administrator experience, while UAC is left ON (or off, it doesn't matter), but with no prompts or right clicks.

For Windows Vista Ultimate/Business/Enterprise:

1- Click Start, and type "secpol.msc" in the search area and click Enter. (You may receive a prompt from UAC, approve/login and proceed)

2- In the left list, choose "Local Policies", then "Security Options"

3- Set "Accounts: Administrator account status" to Enabled.

4- Set "User Account Control: Admin Approval Mode for the Built-in Administrator account" to Disabled.

For Windows Vista Home Basic/Home Premium:

1- Click Start, and type "cmd" in the search area, right click on "Command Prompt" and select 'Run as Administrator".

2- In the command prompt type "net users Administrator /active:yes" (Note the capital "A" in Administrator) and press Enter, you will get a confirmation as "The command completed successfully".

3- Click Start, and type "regedit" in the search area and click Enter, navigate to: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

Double click on "FilterAdministratorToken" and set it to ""

*************************************

Now log-off, and you'll see new account named "Administrator" is available, click on it to login.

Now you are the master of your domain! I recommend if you're going to use this method is to apply it as soon as you do a fresh install of Windows, so you can simply delete whatever administrator you've created in the setup process, and make this one the "real" administrator for your PC, also you can rename this new admin account or change its password like any other account from "User Accounts" in the Control Panel.

A last note/disclaimer:

Please note that disabling UAC and using the built in Adminstrator account will also disable IE7 "Protected Mode", fore more information and a work around please see this post.

Please apply this procedures only if you know what you're doing. Disabling security features in the operating system is not something recommended to the average Joe, and for sure I won't be held accountable for any damaging happens to your system or files resulting from running a full administrator account all the time.

Enjoy! :)

Special thanks to:

- Farstrider for providing the location of the relevant register keys that made applying this method to the home versions of Vista possible!.

- bradavon for his comment/solution of IE7 protected mode.

Edited May 12, 2007 by Tantawi

[Amano]

That's great :) no more annoying messages

[Rahul]

thanx mate , been looking for this for so long

[Elagizy]

Thanks man, nice thread! I'm glad that you figure this out.

[Lifeflayer]

Thanks a lot, helped me lots =)

[solardog]

Thanks so much for this! I actually reinstalled xp because of the way vista handled this, yes I hated it that much. Thanks again!

[primexx]

the built in admin account, iirc, has some perms that your normal admins dont, but it also lacks some perms that your normal admins do. at least in XP it was like this....anyone confirm?

[WooSH]

excellent post. been looking for something like this for a long time

***** < five stars. great job.

[nautiqueskier]

the built in admin account, iirc, has some perms that your normal admins dont, but it also lacks some perms that your normal admins do. at least in XP it was like this....anyone confirm?

By default the administrator account does not have permission to access the files of other users if the others users are configured to make their files private (I'm basing this on my domain controller setup but I believe its the same for local accounts)

But as an administrator, you can take ownership of the files and then change the permissions.

And of course if other users encrypt their files then the admin account can't access them.

Vista appears to be the same.

[Commodore Max]

Nice ! Thanks !

[ShaneSparky_YYZ]

Thanks for the info, glad someone figured it out and posted! (Y)

[+Tantawi Subscriber²]

Welcome everyone :)

[klaasman]

Vista Home Premium says it can't find "secpol.msc"

Now what??

[Farstrider]

You can also use gpedit.msc

secpol.msc's items are a subset of gpedit.msc

You can also adjust the settings in the registry here:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Policies\System]

These are the main keys that affect UAC, equivalent to the secpol.msc

settings.

"ConsentPromptBehaviorAdmin"

"ConsentPromptBehaviorUser"

"EnableInstallerDetection"

"EnableLUA"

"EnableSecureUIAPaths"

"EnableVirtualization"

"PromptOnSecureDesktop"

"ValidateAdminCodeSignatures"

"FilterAdministratorToken"

[torrentthief]

You can also use gpedit.msc

secpol.msc's items are a subset of gpedit.msc

You can also adjust the settings in the registry here:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Policies\System]

These are the main keys that affect UAC, equivalent to the secpol.msc

settings.

"ConsentPromptBehaviorAdmin"

"ConsentPromptBehaviorUser"

"EnableInstallerDetection"

"EnableLUA"

"EnableSecureUIAPaths"

"EnableVirtualization"

"PromptOnSecureDesktop"

"ValidateAdminCodeSignatures"

"FilterAdministratorToken"

maybe someone could post some reg tweaks for the above keys, so that we can just copy and paste them into notepad and save them as .reg files, would be very handy:)!

[Zyphrax]

Nice work, but why would someone use the Administrator account?

I've just turned off UAC and have my own user with Administrator privileges.

That was even less work then this solution...

[torrentthief]

Nice work, but why would someone use the Administrator account?

I've just turned off UAC and have my own user with Administrator privileges.

That was even less work then this solution...

because of some popup messages and some programs wont even run like the bios flash utility for my hp laptop, it wont even work when you choose "run as administrator".

[So-Unreal]

I found out how to do this myself. The hard thing was finding out how to uninstall programs.... Why did they have to rename it? :whistle:

[nippyjun]

Suppose i use this method. I currently don't have to log onto my computer, it just boots to windows. After doing this change will i be prompted choose a user to log in with as there would be 2 users and i would then have to log in?

If it does create a log in after i deleate the old admin account will the log in process go away (assuming that i don't use a password for the new admin)?

[+Tantawi Subscriber²]

Suppose i use this method. I currently don't have to log onto my computer, it just boots to windows. After doing this change will i be prompted choose a user to log in with as there would be 2 users and i would then have to log in?

If it does create a log in after i deleate the old admin account will the log in process go away (assuming that i don't use a password for the new admin)?

Yes, that's why I recommend to do it as soon as you install a fresh window so you don't be worried about deleting the admin account you created in the setup process :) After you delete it, you'll login automatically as long as you don't set a password of course.

[Rudi1]

You can also use gpedit.msc

secpol.msc's items are a subset of gpedit.msc

You can also adjust the settings in the registry here:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Policies\System]

These are the main keys that affect UAC, equivalent to the secpol.msc

settings.

"ConsentPromptBehaviorAdmin"

"ConsentPromptBehaviorUser"

"EnableInstallerDetection"

"EnableLUA"

"EnableSecureUIAPaths"

"EnableVirtualization"

"PromptOnSecureDesktop"

"ValidateAdminCodeSignatures"

"FilterAdministratorToken"

Nice guide,but I can only access to this settings via registry in vista home basic.

I like to ask which one number we must past here in this lines?

[klaasman]

Yeah, on my Vista Home Premium, I have neither secpol.msc OR gpedit.msc available. NOW WHAT??

[Brandon Live Veteran]

), or you'll need to right click and select "Run as Administrator" for most applications to work/install correctly.

That makes absolutely no sense. There's no split token when you disable UAC via that dialog. The "Run As Administrator" option should have no effect at all.

The only time you'd have to do that would be if you disable UAC by setting admins to auto-elevate (as I suggested in another thread).

[UncleSpellbinder]

@ Brandon Live

I'm curious to know your opinion on:

Remember that cute "Administrator" account you see when you login to safe mode? That's the built-in administrator account that's installed by default, and disabled by default too, after a little digging-in I made this tutorial that'll let you enable and use this account in normal mode, and with a little other tweak, enjoying an XP-like administrator experience, while UAC is left ON (or off, it doesn't matter), but with no prompts or right clicks.

1- Click Start, and type "secpol.msc" in the search area and click Enter.

2- You may receive a prompt from UAC, approve/login and proceed.

3- In the left list, choose "Local Policies", then "Security Options"

4- Set "Accounts: Administrator account status" to Enabled.

5- Set "User Account Control: Admin Approval Mode for the Built-in Administrator account" to Disabled.

6- Now log-off, and you'll see a new account named "Administrator" will be available, click on it to login.

Now you are the master of your domain! I recommend if you're going to use this method is to apply it as soon as you do a fresh install of Windows, so you can simply delete whatever administrator you created in the setup process, and make this one the "real" administrator for your PC, also you can rename this new admin account or change its password like any other account from "User Accounts" in the Control Panel.

[i||uSi0n^]

thanks for the info!