Securing the Built-in Administrator Account in Windows


The built-in Windows Administrator account has unlimited rights on the computer and, if compromised, gives the attacker complete control over the system. In this article, we will look at some basic techniques that can help secure the built-in Administrator account in Windows.

By default, the administrator account in Windows is disabled. To verify that this account is disabled, open the Local Users and Groups console (lusrmgr.msc).

Disabled built-in Administrator account in Windows

Check the Account is disabled option in its properties or run the command to disable this account:

net user administrator /active:no

Disable the built-in Administrator account: net user administrator /active:no

Renaming this account is recommended if you cannot disable the built-in Windows Administrator for some organizational reason.

Group Policies can be used to disable and rename the Administrator account. Open the Local Group Policy Editor (gpedit.msc) or, if you need to make the change on multiple computers in an AD domain, the Group Policy Management Console (gpmc.msc).

Go to the following section of the GPO Editor: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. There are two parameters here:

  • Accounts: Administrator account status – is used to disable the Administrator account;
  • Accounts: Rename administrator account – allows you to rename the built-in Administrator account.

GPO options to disable and rename administrator

To rename the account, enable the policy (Define this policy setting) and specify a new username, for example, localadminaccount.

Change the Administrator name in Windows using GPO

Renaming an account makes hacking more difficult because the attacker must first figure out the username and then begin the brute-force attack. Renaming an account improves the system security, but it is not effective enough. The Administrator account has a well-known Security Identifier (SID), and tools are available to perform authentication using the SID instead of the username.

Therefore, a more effective way to protect the Administrator account is to disable it through the GPO. To do this, enable the Accounts: Administrator account status policy and change its value to Disabled.

Remove (disable) the built-in administrator using GPO

You can restrict the built-in administrator’s access to the system. This provides additional security. Open the GPO editor and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. Note the following Group Policy options.

  • Deny log on locally – deny local (interactive) logon to the computer;
  • Deny log on through Remote Desktop Services – deny RDP access through Remote Desktop Services;
  • Deny access to this computer from the network – deny remote access to the computer over the network;
  • Deny log on as a service – prevent the account from being used to run a service. This prevents background Windows services from starting on behalf of the built-in Administrator;
  • Deny log on as a batch job – prevent the account from being used for batch jobs (used by Task Scheduler and some other services).

Restricting Administrator access in Windows via GPO

You can enable some of these policies (or all of them at once) by selecting the Define these policy settings check box and adding the Administrator account to the policy.

Microsoft recommends that you disable all logon methods other than the local logon method for the local administrator.

Hints:

  • Be sure to create at least one user with local administrative privileges on the computer if you disabled the built-in administrator account.
  • To periodically change the built-in administrator password on domain computers, you can configure a LAPS (Local Administrator Password Solution) policy.
  • It is not recommended to apply these policies to AD domain controllers. There are no local accounts on domain controllers, so the policy is applied to the DSRM administrator account instead. You cannot log on to the domain controller in Directory Services Restore Mode (DSRM) if this account is unavailable.

Make sure the User Account Control: Admin Approval Mode for the Built-in Administrator account option is enabled in your local GPOs (Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options). In this case, a UAC prompt asks for confirmation whenever an administrative action is performed under the built-in Administrator.

Enable UAC prompt for Built-in Administrator

Do not turn off the User Account Control (UAC) security policy on computers.
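The following PowerShell audit script is an added example, not part of the original article. It checks the points discussed above on a single machine: it finds the built-in Administrator by its well-known RID 500 (so a renamed account is still found, which is exactly why renaming alone is not enough), reports whether the account is disabled, reads the UAC registry values behind the Admin Approval Mode policy, and parses a secedit export to see whether the account is listed in each of the Deny user rights. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, run elevated on a workstation or member server (not a domain controller, which has no local SAM accounts); the report labels are my own.

```powershell
# Added audit script (not from the original article). Assumes PowerShell 5.1+
# with Microsoft.PowerShell.LocalAccounts; run elevated on a member server or
# workstation, not on a domain controller (no local SAM accounts there).

# 1. Locate the built-in Administrator by its well-known RID (500), not by
#    name, because renaming the account does not change its SID.
$builtin  = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
$findings = [ordered]@{}
$findings['Built-in admin name'] = $builtin.Name
$findings['Renamed']             = ($builtin.Name -ne 'Administrator')
$findings['Disabled']            = (-not $builtin.Enabled)

# 2. UAC state: EnableLUA = 1 means UAC is on; FilterAdministratorToken = 1
#    is "Admin Approval Mode for the Built-in Administrator account".
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
$findings['UAC enabled (EnableLUA)']             = ($uac.EnableLUA -eq 1)
$findings['Admin Approval Mode for built-in']    = ($uac.FilterAdministratorToken -eq 1)

# 3. User Rights Assignment: export the effective local policy with secedit
#    and check whether the RID-500 account is listed in each Deny right.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # temporary export file
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content -Path $cfg -Raw
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
$denyRights = [ordered]@{
    'Deny log on locally'                           = 'SeDenyInteractiveLogonRight'
    'Deny log on through Remote Desktop Services'   = 'SeDenyRemoteInteractiveLogonRight'
    'Deny access to this computer from the network' = 'SeDenyNetworkLogonRight'
    'Deny log on as a service'                      = 'SeDenyServiceLogonRight'
    'Deny log on as a batch job'                    = 'SeDenyBatchLogonRight'
}
foreach ($entry in $denyRights.GetEnumerator()) {
    # secedit writes SIDs as *S-1-5-...; resolvable names may appear unprefixed
    $line = [regex]::Match($policy, "(?m)^$($entry.Value)\s*=\s*(.*)$").Groups[1].Value
    $bySid  = $line -match [regex]::Escape($builtin.SID.Value)
    $byName = $line -match "(^|,)\s*$([regex]::Escape($builtin.Name))\s*(,|$)"
    $findings[$entry.Key] = ($bySid -or $byName)
}

# Report: a False on 'Disabled' or on any Deny right is a gap to review
# against the recommendations above.
$findings.GetEnumerator() | ForEach-Object { '{0,-48} {1}' -f $_.Key, $_.Value }
```

Because the script reads the effective local policy, it also reflects settings delivered by a domain GPO once they have been applied to the machine.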

In October 2024, Microsoft announced a new mechanism to protect administrator accounts in Windows 11, called Administrator Protection (currently only available in preview builds of Windows 11 starting with 27718.1000).

This mechanism can be enabled via Intune or a local GPO under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Change the value of the User Account Control: Configure Type of Admin Approval Mode parameter to Admin Approval Mode With Administrator Protection.

GPO: User Account Control: Configure Type of Admin Approval Mode

With protection enabled, when a user runs something as a local administrator, instead of the UAC prompt, a Windows Security window appears, requiring you to enter the administrator PIN code or password.

Your task will then be executed in the context of the dynamically created and linked System Managed Admin account.
