How to enable a disabled local administrator account on a Windows 7 computer with BitLocker enabled
Before you begin you need to know, at a minimum, the following information:
- The account name and password of the local administrator account.
- The BitLocker recovery key for the local system drive (see How to use Group Policy to save “BitLocker to Go” recovery keys in Active Directory – Part 1 for instructions on retrieving the key).
Step 1. Boot the computer using the Windows 7 Installation media
Step 2. When prompted to “Install now” click the “Repair your computer” option at the bottom left.
Step 3 (optional). If the computer’s hard drive is encrypted with BitLocker you will now be prompted to type in the recovery key (see below); follow whichever of the next steps applies to your situation.
Note: You may need to use the Recovery Key Identifier (e.g. A5103515) to find the correct encryption recovery key from Active Directory.
Note 2: This step is only required if your local hard drive is encrypted with BitLocker Drive Encryption.
Step 4. After you have entered the correct recovery key and unlocked the drive, select the installation of Windows 7 that you wish to gain access to (you will probably have only one option to select).
Note: Remember the drive letter in the Location column, as you will need it later (it is almost certainly going to be “(D:) Local Disk”).
Step 5. From the System Recovery Options click on “Command Prompt”.
Step 6. Now run “regedit” from the command prompt.
Step 7. Click on HKEY_USERS and then click on File > Load Hive
Step 8. Navigate to D:\Windows\System32\Config folder and select the SAM file then click Open
Note: The drive letter you use in the path above is the same as the drive letter in the Location column in Step 4.
Step 9. Now type “SAM_TEMP” (or any name) in the Key Name text field and click OK.
Step 10. Expand SAM_TEMP\SAM\Domains\Account\Users\000001F4 and double click on the “F” value.
Step 11. Change the value “11” in the first column of row 0038 to “10” and click OK.
(Screenshots: Before | After)
Step 12. Click back on “SAM_TEMP”, then choose File > Unload Hive and click Yes to confirm.
Step 13. Exit Regedit, close the Command Prompt and click Restart from the System Recovery Options menu.
Done…
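To make the edit in Step 11 less of a magic number, here is an added Python example (not from the original post) that decodes the account-control flags word at offset 0x38 of a SAM user “F” value: the “11” the post changes to “10” is NORMAL_ACCOUNT plus the DISABLED bit, and the decoder also reports the AUTO_LOCKED bit. It only reads an F value and never writes to the hive; the flag names and bit values are the MS-SAMR USER_ACCOUNT codes, the 0x50-byte sample record is constructed, and `audit_f_value` and `constructed_f_value` are names chosen for this example.

```python
import struct

# Flags word at offset 0x38 of a SAM user "F" value (the post's row 0038,
# first column). Bit names are the MS-SAMR USER_ACCOUNT codes; the post's
# edit turns 0x11 into 0x10, i.e. it clears the 0x0001 DISABLED bit.
FLAGS_OFFSET = 0x38
ACCOUNT_FLAGS = {
    0x0001: "DISABLED",
    0x0002: "HOME_DIRECTORY_REQUIRED",
    0x0004: "PASSWORD_NOT_REQUIRED",
    0x0008: "TEMP_DUPLICATE_ACCOUNT",
    0x0010: "NORMAL_ACCOUNT",
    0x0020: "MNS_LOGON_ACCOUNT",
    0x0040: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0080: "WORKSTATION_TRUST_ACCOUNT",
    0x0100: "SERVER_TRUST_ACCOUNT",
    0x0200: "DONT_EXPIRE_PASSWORD",
    0x0400: "AUTO_LOCKED",
}

def account_flags(f_value):
    """Little-endian 16-bit flags word at offset 0x38 of an F value."""
    if len(f_value) < FLAGS_OFFSET + 2:
        raise ValueError("F value too short to hold the account flags word")
    return struct.unpack_from("<H", f_value, FLAGS_OFFSET)[0]

def decode_flags(word):
    """Name every set bit, so 0x11 reads as DISABLED + NORMAL_ACCOUNT."""
    return [name for bit, name in ACCOUNT_FLAGS.items() if word & bit]

def audit_f_value(f_value):
    """What an auditor wants to know about a user record: disabled? locked?"""
    word = account_flags(f_value)
    return {"flags": word, "names": decode_flags(word),
            "disabled": bool(word & 0x0001), "locked": bool(word & 0x0400)}

def constructed_f_value(flags):
    """Constructed 0x50-byte F value with only the flags word set; sample
    data for this example, not a dump from a real SAM hive."""
    blob = bytearray(0x50)
    struct.pack_into("<H", blob, FLAGS_OFFSET, flags)
    return bytes(blob)

if __name__ == "__main__":
    for label, flags in (("before (11)", 0x0011), ("after (10)", 0x0010)):
        print(label, audit_f_value(constructed_f_value(flags)))
```

On a real system the F value would come from an exported registry key rather than the constructed sample; the same decoder then tells you at a glance whether the built-in administrator (RID 0x1F4) is disabled or locked out.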
Summary
You will now be able to log on as the local administrator account by using the account name “.\administrator” and the password of the account (which you should already know). This lets you move the computer into a workgroup and then re-join the computer account to the domain, without having to resort to enabling a back-door administrator account on all the computers in your environment…
Now you might be wondering what the point of security on Windows 7 (i.e. BitLocker and a disabled local admin) is if it is so easy to circumvent; however, remember that for this process to work you still need to know the local administrator password and, more importantly, the unique BitLocker recovery key for that drive… This is exactly why it is so important to have BitLocker drive encryption deployed: without it, it is very easy to break into pretty much any computer if you have physical access.
I know this is not strictly a Group Policy topic, but it is very closely related, and one I feel is still well worth knowing for any IT administrator so that you can configure a more secure environment…
Other References
How to configure Group Policy to use Data Recovery Agents with “BitLocker to Go” drives – Part 2
How to use Group Policy to save “BitLocker to Go” recovery keys in Active Directory – Part 1
Windows Seven Forums: How to Enable the Built-in Administrator Account from WinRE
G’day Alan,
This is a good post and goes nicely alongside the post I recently made on how to reset an Administrator password in Windows Server 2008 R2/Win 7 (and WS2K8/Vista) in case you’ve forgotten it (like I did) or someone changed it and doesn’t remember it (or it can’t be beaten out of them).
The link to my blog post is: http://hiltont.blogspot.com/2010/09/reset-password-in-windows-server-2008.html – I hope this also helps someone out…
wow this saved my a$$ great article!
Thank you very much
It’s wonderful
This the only site which helps me and solved my crisis…
Thanks so much indeed
Really a great article, it worked.
Thanks a bundle.
Handy article, worked fine – except that when I then log on as local administrator, it won’t let me do a lot, e.g. (most relevant here, obviously) control panel -> system -> advanced system settings: it does nothing. Really nothing – no “access denied”, no error messages of any sort, no events logged. Just nothing.
Any suggestions? TBH if I can’t fix it quite quickly it’ll be easier to reinstall the whole thing
After you have enabled the account are you rebooting and going back into normal mode?
Or is your administrator account actually an admin, or just a dummy admin account?
You just saved my ass. I didn’t realize my localadmin account was disabled when I disjoined my bitlocker encrypted laptop from the domain. Kind of embarrassing… think I’ll just sweep this one under the rug 😉
Very helpful article
Boom Click! You sir, are a genius. I didn’t have Bitlocker, but Windows 7 did have a disabled admin account. I used Trinity Boot Disk to blank the admin password and your registry change to unlock my disabled admin account. Yay!
Neat article, but I found a quicker way: turn off the computer, unplug the NIC, turn it back on, log on as the domain admin. Once logged back in, plug the wire back in, unjoin the domain, reboot (first set the local admin password if needed), rejoin the domain.
Great info, but how did you know that a value of 10 would make it work rather than any other? I guess what I’m getting at is: do you have a reference guide that lists different values and their function. For example: expiring an account, unlocking an account, etc?
Worked perfectly and I shared it with the rest of my staff. 🙂
I got right to the end but where I had to change 11 for 38, the 11 wasn’t there. In fact it wasn’t anywhere in the binary string???
any ideas. I really don’t want to reinstall this laptop
thanks
I operate on Win 7 Ultimate. My ONLY login account was an administrator account. The account has become disabled and I am told to see my administrator on each attempted logon. I have tried to boot up using the Win 7 Ultimate installation disk. It will not boot from the disk. I have tried to enter safe mode but it will not boot in safe mode. Any suggestions on how to bypass the disabled Windows logon?
Great article
this described exactly the problem I had, and this is the only article I found on how to solve the problem!
After enabling the BitLocker on the system drive, the registry files should be inaccessible. Every time when I get locked out of my computer, I’ll use PCUnlocker Live CD and it can reset password and unlock/enable user account.
Perfect walkthrough. Just saved my bacon. Your instructions couldn’t have been any clearer.. thanks!
When I purchased this eMachines computer, it had Desktop Gadgets on it. I noticed after several months of use that the clock and temperature were blank. Updating Windows seemed to help a few times but eventually I got a notice that Desktop Gadgets were corrupted. It’s still on the list when I click on the start button so I clicked on it. A block came up stating “Desktop gadgets are managed by your system Administrator”. I thought I was the administrator since this computer is for home use only. How do I access Group Policy to list myself as administrator so I can access Desktop Gadgets?
Amazing! You saved me a day of work. Thanks!
Hi Alan,
That’s a very great article. I have the same issue with encryption on Win 7, but the encryption software was not BitLocker; I am using McAfee SafeBoot.
Do you have any clue how to enable the local admin on a drive encrypted with SafeBoot?
Waiting for your update. Thanks
What’s the deal, the article ends without explaining anything and all the fake comments on here just link to the same article.
“So below I will show you how to enable the local administrator account so that you can at least still logon with the local administrator even if the account has been disabled…”
and then nothing?
Hi
You must see Page 2.
Oh. My. I upgraded an old computer in the office to Windows 10 that used to be connected to an old domain. The new install disabled the local admin account and we were locked out. You can’t log in to safe mode without domain credentials… Nothing. Changing that value worked! I also disconnected the network cable at the same time, but I’m attributing it to the regedit. I also initially made the mistake of trying to open the wrong SAM file at first. Make sure you browse to the D: drive!! Thank you!!
Awesome…..it worked! thank you very much!
Thank you.
This worked great! Luckily, we have 2 admin accounts on ours because one was Locked as well as being Disabled. Is there a way to Unlock these accounts as well?
To activate a locked or disabled Windows account, use a boot media to boot off your PC:
http://www.top-password.com/knowledge/enable-built-in-administrator-account-to-log-on-windows.html
Worked on Windows Server 2016 too
…thank you….
I can finally sleep because I found your baller guide. None of our company’s enterprise programs could boot from uefi, so they couldn’t see the new nvme drives’ SAM file. Tried so. Many. Things.
This was the one that worked. Also this taught me exactly what those tools do! I have become the tool!
Wait…that’s not right