How to enable a disabled Local Administrator account offline in Windows 7 (even when using BitLocker)



How to enable a disabled local administrator account on a Windows 7 computer with BitLocker enabled

Before you begin you are going to at a minimum know the following information:

Step 1. Boot the computer using the Windows 7 Installation media

Step 2. When prompted to “Install now” click the “Repair your computer” option at the bottom left.

Windows 7 Install Windows Menu

Step 3 (optional). If your local computer hard drive is BitLocker is encrypted you will now be prompted to type in the recovery key (see below) and just follow the next couple of step that is appropriate for your situation.

Note: You may need to use the Recovery Key Identifier (e.g. A5103515) to find the correct encryption recovery key from Active Directory.

Note2: This step is only required if your local hard drive is encrypted using BitLocker drive encryption.

BitLocker Drive Encryption Recovery

Step 4. After you have entered the correct recovery and unlocked the drive select the appropriate installation of Windows 7 that you wish to gain access to (You will probably only have one option to select).

WinRE Select System Recovyer Option

Note: Remember the drive letter in the location column as you will need to use this later (Almost definitely going to be “(D:) Local Disk” ).

Step 5. From the System Recovery Options click on “Command Prompt”

WinRE System Recovery Options

Step 6. Now run “regedit” from the command prompt.

Regedit in WinRE

Step 7. Click on HKEY_USERS and then click on File > Load Hive

Load Hive...

Step 8. Navigate to D:\Windows\System32\Config folder and select the SAM file then click Open

Note: The drive letter you use in the path above is the same as the the drive letter in the Location column in Step 4.

Loading SAM registry

Step 9. Now type “SAM_TEMP” (or any value) in the Key Name text field and click OK

Load Hive Name

Step 10. Expand SAM_TEMP\SAM\Domains\Account\Users\000001F4 and double click on the “F” key.

Local Administrator Account SAM registry

Step 11. Change the value “11” in the first column, row 0038 to “10” and click OK

Before After
Account Disabled Account Enabled

 

Step 12. Click back on “SAM_TEMP” and then from the File > Unload Hive and Yes to confirm.

Unload Hive...

Step 13. Exit Regedit and close the Command Prompt and click Restart from the System Recovery Option menu

Done…

Summary

You will now be able to logon as the local administrator account by using the account name “.\administrator” and the password of the account (which you should already know). This will enable you to configure the computer into a workgroup and then re-join the computer account back into the domain but without having to resort to enabling a back door administrator account on the all the computers in your environment…

Now you might now be wondering what is the point of security is on Windows 7 (i.e. BitLocker and disabled local admin) if it is so easy to circumvent however you need to remember that for this process to work you still need to know the local administrator password and more importantly you will need to know the unique BitLocker recovery key… Obviously this makes it very important to have BitLocker drive encryption deployed otherwise it will make it very easy to break into pretty much any computer if you have physical access.

the best network software security measures can be rendered useless if you fail to physically protect your systems

I know this is not strictly a Group Policy topic however it is very closely related topic and one I feel that this is still well worth knowing for any IT administrator so you can configured a more secure environment…

Other References

How to configure Group Policy to use Data Recovery Agents with “Bitlocker to Go” drives – Part 2
How to use Group Policy to save “BitLocker to Go” recovery keys in Active Directory – Part 1

Windows Seven Forums: How to Enable the Built-in Administrator Account from WinRE



Author: Alan Burchill

Microsoft MVP (Group Policy)

41 thoughts on “How to enable a disabled Local Administrator account offline in Windows 7 (even when using BitLocker)

  1. G’day Alan,

    This is a good post and goes nicely alongside the post I recently made on how to reset an Administrator password in Windows Server 2008 R2/Win 7 (and WS2K8/Vista) in case you’ve forgotten it (like I did) or someone changed it and doesn’t remember it (or it can’t be beaten out of them).

    The link to my blog post is: http://hiltont.blogspot.com/2010/09/reset-password-in-windows-server-2008.html – I hope this also helps someone out…

  2. Handy article, worked fine – except that when I then log on as local administrator, it won’t let me do a lot, e.g. (most relevant here, obviously) control panel -> system -> advanced system settings: it does nothing. Really nothing – no “access denied”, no error messages of any sort, no events logged. Just nothing.

    Any suggestions? TBH if I can’t fix it quite quickly it’ll be easier to reinstall the whole thing

  3. You just saved my ass. I didn’t realize my localadmin account was disabled when I disjoined my bitlocker encrypted laptop from the domain. Kind of embarrassing… think I’ll just sweep this one under the rug 😉

  4. Boom Click! You sir, are a genius. I didn’t have Bitlocker, but Windows 7 did have a disabled admin account. I used Trinity Boot Disk to blank the admin password and your registry change to unlock my disabled admin account. Yay!

  5. Neat article, but I found a quicker way, turn off the computer, unplug the NIC, turn it back on, log on as the domain admin . Once logged back in, plug the wire back in, unjoin the doamin, reboot (first set Local admin password if needed), rejoin domain.

  6. Great info, but how did you know that a value of 10 would make it work rather than any other? I guess what I’m getting at is: do you have a reference guide that lists different values and their function. For example: expiring an account, unlocking an account, etc?

  7. I got right to the end but where I had to change 11 for 38, the 11 wasn’t there. infact it wasn’t anywhere in the binary string???

    any ideas. I really don’t want to reinstall this laptop

    thanks

  8. I operate on win 7 ultimate. My ONLY login account was an administer account. The account has become disabled and I am told to see my administrator on each attempted logon. I have tried to boot up using the win 7 ult installation disk. It will not boot from the disk. I have tried to enter safe mode but it will not boot in safe mode. Any suggestions on how to bypass the disabled Windows logon?

  9. Great article
    this described exactly the problem I had, and this is the only article I found on how to solve the problem!

  10. Pingback: Coach 財布
  11. After enabling the BitLocker on the system drive, the registry files should be inaccessible. Every time when I get locked out of my computer, I’ll use PCUnlocker Live CD and it can reset password and unlock/enable user account.

  12. When I purchased this emachines computer, it had Desktop Gadgets on it. I noticed after several months of use that the clock and temperature were blank. Updating Windows seemed to help a few times but eventually I got a notice that Desk Top Gadgets were corrupted. It’s still on the list when I click on the start button so I clicked on it. A block came up stating “Desktop gadgets are managed by your system Administrator”. I thought I was the administrator since this computer is for home use only. How do I access Group Policy to list myself as administrator so I can access Desktop gadgets?

  13. Hi Alan,

    that’s a very great article. i have same issue with the encryption using Win 7. but the encryption software was not bitlocker. i am using mcafee safeboot.

    do you any clue to enable local admin encrypted with safeboot ?

    waiting for your update.thanks

  14. What’s the deal, the article ends without explaining anything and all the fake comments on here just link to the same article.

    “So below I will show you how to enable the local administrator account so that you can at least still logon with the local administrator even if the account has been disabled…”

    and then nothing?

  15. Oh. My. I upgraded an old computer in the office to windows 10 that used to be connected to an old domain. The new install disabled the local admin account and we were locked out. You can’t log in to safe mode without domain credentials… Nothing. Changing that value worked! I also disconnected the network cable at the same time, but I’m attributing it the regedit. I also initially made the mistake of trying to open the wrong Sam file at first. Make sure you browse to the d: drive!! Thank you!!

  16. It’s in fact very complex in this busy life to listen news on TV, so
    I simply use internet for that reason, and get the latest news.

  17. This worked great! Luckily, we have 2 admin accounts on ours because one was Locked as well as being Disabled. Is there a way to Unlock these accounts as well?

  18. …thank you….

    I can finally sleep because I found your baller guide. None of our company’s enterprise programs could boot from uefi, so they couldn’t see the new nvme drives’ SAM file. Tried so. Many. Things.

    This was the one that worked. Also this taught me exactly what those tools do! I have become the tool!

    Wait…that’s not right

Leave a Reply