Role Based Access Control Exchange 2010


Role Based Access Control (RBAC) is the new permission control feature introduced by Microsoft in Microsoft Exchange 2010. With RBAC, we can define and control which resources, actions or controls a user or an administrator can access. RBAC in Exchange Server 2010 allows you to manage your Exchange server permissions effectively. Using a combination of management role groups, management role assignment policies, management scopes and so on, you can grant permissions to administrators and end users. RBAC allows permission control at both broad and granular levels over what an administrator or an end user can do.
RBAC has two primary ways of assigning permissions to users, depending on whether the user is an administrator or specialist, or an end user: Management Role Groups and Management Role Assignment Policies. You may also use direct role assignment to users.
Now let us discuss what a Management Role Group and a Management Role Assignment Policy are.
Management Role Assignment Policy
Management role assignment policies associate end-user management roles with users. Role assignment policies consist of roles that control what a user can do with his or her mailbox or distribution groups. When we create an assignment policy, we can define all the actions that a user can perform on his or her mailbox. For example, one role assignment policy may allow a user to set the display name, configure Inbox rules, update their addresses etc. Another role assignment policy might allow a user to use text messaging and set up distribution groups. Exchange has a default role assignment policy; we can create a new one and make it the default if needed. We will not discuss management role assignment policies further in this post.
Management Role Group:
A Management Role Group is nothing but one or more roles that are clubbed together to grant permissions to administrators or specialist users. A Management Role Group consists of the following:
  • Management Role Group: The management role group is a special USG (universal security group) that contains users, mailboxes, USGs and sometimes other role groups. You can add or remove members, and roles are assigned to it using management role assignments. The combination of all the roles in the role group defines what the specialist users and administrators who are added to this group can do.
  • Management Role: A management role contains a list of role entries or cmdlets grouped together. Basically, a management role is used to define a specific task such as Recipient Management, Mailbox Import Export etc.
  • Management Role Assignment: A management role assignment links a role to a role group. Assigning a role to a role group allows the members of that role group to execute the cmdlets defined in the role.
  • Management Role Scope: A management role scope says where the roles apply. For example, when we assign a role to a group we can also specify the target scope to which the role is assigned (it can be restricted to a particular OU, set of users etc.).
The picture below gives an idea of how RBAC works.
[Figure: RBAC Overview]
The role assignment links the “Who”, “What” and “Where” together and gives the effective permission under Exchange 2010 RBAC. In other words, role entries are grouped into a role, roles are assigned to a role group through role assignments that specify the role scope, and members are added to the role group.
Example:
Scenario - You want to delegate the administration of recipients (create, delete, manage user mailboxes) in a particular OU in your domain to a Mail Admin user. Would this be possible in Exchange 2007 or 2003? I will not say it is not possible. But how easy was the process? Not easy, was it? Now let us see how we can achieve this in Exchange 2010 using a couple of commands.
Steps in brief:
Note - Exchange 2010 already has a number of built-in management roles. For the above scenario we can use the role called 'Mail Recipient Creation', which has the following role entries (you may execute the command Get-ManagementRoleEntry "Mail Recipient Creation\*"):
Set-ADServerSettings, Remove-Mailbox, Remove-MailUser,Remove-MailContact,Remove-LinkedUser, New-Mailbox, New-MailUser, New-MailContact, New-LinkedUser, Get-User, Get-ThrottlingPolicy, Get-SharingPolicy, Get-RoleAssignmentPolicy, Get-ResourceConfig,Get-OrganizationalUnit, Get-ManagementRoleAssignment, Get-ManagedFolderMailboxPolicy, Get-MailboxDatabase, Get-Mailbox, Get-MailUser, Get-MailContact, Get-LinkedUser, Get-DomainController, Get-ADServerSettings, Add-MailboxPermission, Add-MailboxFolderPermission,
We will use the role 'Mail Recipient Creation' to create the role group.
  1. Create a management role scope (name the scope ExchangeDictionary Mail Admin).
  2. Create a role group, assigning the role 'Mail Recipient Creation' and the scope created in step 1; in the same command we can add the group member as well.
That's it! You have achieved the goal! The sections below show the implementation and testing of the above request.
Step 1: Create the scope
Open the Exchange Management Shell and execute the below command.
New-ManagementScope -Name "ExchangeDictionary Mail Admin" -RecipientRoot "ExchangeDictionary.com/ExchangeDictionary-DLs" -RecipientRestrictionFilter { RecipientType -eq 'usermailbox' }
You can verify the scope using the Get-ManagementScope cmdlet.
Command explanation:
  1. Target Organizational Unit - ExchangeDictionary.com/ExchangeDictionary-DLs
  2. Type of target object - User Mailbox
  3. Scope Name - ExchangeDictionary Mail Admin
Step 2: Create the role group by assigning the role, scope and member to it
Execute the below command to create a new role group that delegates the mail recipient administration permission to the user PraveenB.
New-RoleGroup -Name "ED Mail Admin" -Roles "Mail Recipient Creation" -CustomRecipientWriteScope "ExchangeDictionary Mail Admin" -Members praveenb
The role group has now been created successfully; you can verify the group using either ADUC or the Exchange Management Shell.
Command explanation:
  1. Management Roles used (What) - Mail Recipient Creation (you can use more roles, separated by commas)
  2. Role Group Name - ED Mail Admin
  3. Target Scope (Where) - ExchangeDictionary Mail Admin
  4. Member of the new role group (Who) - PraveenB
Test the configuration:
1. Log in to the server using the ID PraveenB (note - you may have to add the user to the Remote Desktop Users group).
2. Open the Exchange Management Console (you can also open the Management Shell to test it).
[Screenshot: EMC_Org_level_permission]
From the above screenshot you can see that the user does not have permission to view or edit any Organization configuration.
3. Expand Recipient Configuration/Mailbox.
4. Create a new user without specifying an OU for the new mailbox; let it take the default location, "Exchangedictionary.com/Users".
Continue with the wizard; on the finish page you will receive an error, as shown in the screenshot below.
[Screenshot: creation-wo-OU-2]
The error message clearly says that ExchangeDictionary.com/Users/ExchangeDictionary isn't within the write scope; we created the management scope with the OU path 'ExchangeDictionary.com/ExchangeDictionary-DLs'.
5. Now let us create the user by specifying the OU "ExchangeDictionary-DLs".
[Screenshot: creation-with-OU-1]
We have selected the OU 'ExchangeDictionary.com/ExchangeDictionary-DLs'. Continue with the user creation wizard, and now let us look at the wizard's "finish" stage.
[Screenshot: creation-with-OU-2]
Now let us think about the permission model in Exchange 2007 and earlier, where we were using Access Control Lists. In Exchange 2010 we use the easy-to-use RBAC, not ACLs. Hope this was helpful in understanding the concept of RBAC.
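The delegation from Step 1 and Step 2 can also be reviewed from the Exchange Management Shell. The following is an added example, not part of the original post; it assumes the scope, role group and role names used above and an account allowed to read the RBAC configuration.

```powershell
# Added example: review the "Who / What / Where" of the delegation created above.
# Names are the ones used in Step 1 and Step 2 of this post.
$scopeName = 'ExchangeDictionary Mail Admin'   # management scope (Where)
$groupName = 'ED Mail Admin'                   # role group (Who)
$roleName  = 'Mail Recipient Creation'         # management role (What)

# Where: the OU and recipient filter that bound the write scope.
Get-ManagementScope -Identity $scopeName |
    Format-List Name, RecipientRoot, RecipientFilter, ScopeRestrictionType

# Who: every member inherits all roles assigned to the role group.
Get-RoleGroupMember -Identity $groupName |
    Format-Table Name, RecipientType -AutoSize

# What + Where: the assignments that link roles to the role group.
# For this delegation CustomRecipientWriteScope should show the scope from Step 1.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-List Name, Role, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope

# Least-privilege review: list every effective holder of the role and mark the
# ones whose write scope is not the delegated scope. Built-in role groups such
# as Organization Management hold this role as well, so expect them in the list;
# anything else outside the delegated scope deserves a second look.
Get-ManagementRoleAssignment -Role $roleName -GetEffectiveUsers |
    Sort-Object EffectiveUserName |
    Select-Object EffectiveUserName, RoleAssigneeName, RecipientWriteScope,
        CustomRecipientWriteScope,
        @{ Name = 'OutsideDelegatedScope'
           Expression = { "$($_.CustomRecipientWriteScope)" -ne $scopeName } } |
    Format-Table -AutoSize
```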

Microsoft announces four Windows Server 2012 editions



Microsoft’s new licensing for the four editions of Windows Server 2012. Here is what you need to know about upgrading and choosing the right edition.

For years, as Microsoft has released new versions of Windows Server, the world has waited with anticipation while Redmond attempted to figure out the exact mix of editions that it would sell to various customer segments. This fragmentation of the Windows Server line has been the butt of jokes and the stuff of confusion as customers attempted to make the best possible economic decision for their organizations while, at the same time, making sure that their needs would be met with whatever edition was selected.

How times change!

This week, Microsoft announced that Windows Server 2012 would be released in just four editions — Datacenter, Standard, Essentials, and Foundation. Note that the previously popular Enterprise edition is one of the editions that didn’t make the 2012 cut.
Each edition brings something different to the table, and it’s going to be easier than ever for organizations to pick the best edition to suit their needs. Here’s a look at the four editions:
| Edition | Intent | Major feature | Licensing | Clients | List price |
| --- | --- | --- | --- | --- | --- |
| Datacenter | Highly virtualized environments | Unlimited virtual instance rights | Processor x 2 | Per CAL | $4,809 per 2 procs |
| Standard | Little virtualization, low density | Two virtual instances | Processor x 2 | Per CAL | $882 per 2 procs |
| Essentials | Small business | Simple administration, no virtualization rights | Per Server | 25 accounts | $425 |
| Foundation | Entry level, economy server | General purpose server, no virtualization rights | Per Server | 15 accounts | OEM only |
It’s important to note that, for the Standard and Datacenter editions, the pricing is based on per two processors, not per processor. Since most servers today are dual processor servers, this licensing strategy makes sense. However, if you do decide to buy single processor servers, understand that you can’t split licenses between servers. You will need to buy two of the dual processor licenses.
On the flip side, if you have an eight processor server, you will need to buy four of the dual processor licenses to cover all eight processors.
You might note that there are no major feature columns listed as there were in older versions of Windows Server. For example, in the past, if you wanted failover clustering, you needed to go with either the Enterprise or Data Center editions of Windows Server. With Windows Server, the only difference between Standard and Datacenter revolves around virtualization rights. Otherwise, both editions have the same exact feature sets and include:
  • Windows Server Failover Clustering
  • BranchCache Hosted Cache Server
  • Active Directory Federated Services
  • Additional Active Directory Certificate Services capabilities
  • Distributed File Services (support for more than 1 DFS root)
  • DFS-R Cross-File Replication
Note that you still need to obtain separate licenses to take advantage of Remote Desktop Services (RDS) and Active Directory Rights Management Service (ADRMS).
You should also take note that there are no more hardware limitation differences between Standard and Datacenter. Standard is no longer limited to 32 GB of RAM, nor is it limited to 4 CPUs. Of course, if you go beyond 2 CPUs, you will need to buy additional processor licenses.

Upgrade license trade in

If you’re a Software Assurance subscriber, and you’re planning to upgrade your licenses to Windows Server 2012, you have a number of items to take into consideration. Further, if you’re concerned that you’re now running an edition of Windows Server 2008 R2 or below that no longer has a corresponding edition in Windows Server 2012, don’t worry. Microsoft has made the following entitlements available in Windows Server 2012.
| Old edition | 2012 Edition | Information and License Disposition | SA req’d? |
| --- | --- | --- | --- |
| Datacenter | Datacenter | Convert every two 2008 R2 DC licenses into one dual processor 2012 license. | Yes |
| Enterprise | Standard | Replaced by Standard with all former Enterprise features now included in Standard. You can convert each existing 2008 R2 Enterprise license into two 2012 Standard licenses. | Yes |
| Standard | Standard | Convert each 2008 R2 Standard license into one 2012 Standard license. | Yes |
| Web (no SA) | See notes | No direct replacement, but web workloads running on any Windows Server 2012 edition receive a “CAL waiver.” | No |
| Web (SA) | Standard | Those with SA are entitled to receive a Standard Edition replacement and can still run the existing workloads on the 2008 Web server. | Yes |
| HPC editions | Standard | No direct replacement, but Microsoft will be making freely available the HPC Pack 2012 that works with Standard or Datacenter. HPC workloads also receive a “CAL waiver.” Existing HPC edition users will also receive a Windows Server 2012 Standard license. | Yes |
| Small Business Server 2011 Essentials | Essentials | Small Business Server has been fully discontinued. You will receive one Windows Server 2012 Essentials license. | Yes |
| Small Business Server 2011 Standard | Standard + Exchange | Small Business Server has been fully discontinued. You will receive one Windows Server 2012 Standard edition license and one Exchange Server Standard 2010 license. | Yes |
| Windows Small Business Server 2011 Premium Add-on | Standard + SQL Server | Small Business Server has been fully discontinued. You will receive one Windows Server 2012 Standard edition license and one SQL Server 2012 Standard edition license. | Yes |



Exchange 2010 Quick Installation Guide



This document describes how the Exchange environment for ExchangeDictionary.com is installed. This includes the step-by-step process of installing Exchange in a new environment.
Exchange and AD Environment Prerequisites
  • Ensure that the Active Directory® directory service is in 2003 Native mode. If Active Directory is not in native mode, we will not be able to install Exchange 14.
  • Ensure that the schema master is running Windows® Server 2003 SP2 or later.
  • Apply Exchange Server 2007 SP2 to the existing environment. If the environment contains Exchange 2007 servers, the best way to upgrade is to install SP2 on all existing Exchange 2007 servers.
  • Migrate and remove Exchange 5.5 or Exchange 2000 servers in the organization. Exchange 2007 cannot coexist with Exchange 5.5 and Exchange 2000 servers in the same Exchange organization.
Note - It is always recommended to run ExBPA to ensure the current environment is error free (if you are installing Exchange 14 into an existing organization).

Operating System Requirement
Yes, we have to complete the prerequisites for a smooth installation of Exchange 2010. The table below gives the operating system requirements for installing Exchange 2010.
| Exchange 2010 component | OS requirement |
| --- | --- |
| Exchange Server 2010 (Note: 64-bit system is mandatory) | 64-bit edition of Windows Server 2008 Standard or Enterprise with Service Pack 2; 64-bit edition of Windows Server 2008 R2 Standard or Enterprise |
| Exchange 2010 Management Console only (Note - 64-bit system is mandatory) | Windows Vista with Service Pack 2 or later; Windows 7 |
Now let us look at the step-by-step installation of Exchange 2010. I have used Windows 2008 R2 Enterprise edition for my ExchangeDictionary.com Exchange Server 2010 lab.
  1. Install the Windows 2008 R2 operating system and join it to the domain (here it is exchangedictionary.com).
  2. Open a Windows PowerShell console window (click on Start and navigate to All Programs\Accessories\Windows PowerShell\Windows PowerShell).
  3. Enter Import-Module ServerManager and hit Enter.


  4. With the help of the Add-WindowsFeature cmdlet, install the Windows features required for the Exchange 14 installation. The table below gives the commands for adding the Windows features for each combination of Exchange 2010 server roles.
| Role combination | Add-WindowsFeature command |
| --- | --- |
| Client Access, Hub Transport, and the Mailbox role | Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy |
| Client Access Role | Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy |
| Hub Transport | Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server |
| Edge Transport | Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS |
I have chosen the features for a typical Exchange server (Hub, CAS and Mailbox installation).
The installation starts immediately after the above command is executed, and a status bar shows its progress.
The status output continues as the features are added. Most of the feature additions require a server reboot, so you will have to restart the machine to continue with the installation.
  5. Set the startup type of the Net.Tcp Port Sharing Service to Automatic (this is required for successful completion of the CAS role installation). Type the command Set-Service NetTcpPortSharing -StartupType Automatic in Windows PowerShell and hit Enter.
Note - This can also be done from the Services MMC console (as per your comfort level).
  6. Install the filter pack (this is required for the MBX and CAS installation).
  7. Browse the Exchange Server source CD and start the installation (setup.exe).
  8. Click on the Choose Exchange Language option and then select the only from DVD option (this will install only US English).
  9. Click on Install Microsoft Exchange (step 4 in the below screen shot).
  10. Click Next.
  11. Accept the License Agreement and click on Next.
  12. Select an appropriate error reporting option and click Next.
  13. Highlight the Typical Exchange Server Installation (Hub, CAS, MBX and Management Tools) and click on Next.
Note - You also have the option to change the default installation directory if required.
  14. Type an Exchange Organization name (here I have typed ExchangeDictionary) and click on Next.
  15. Select the appropriate client setting and proceed with Next.
  16. Type the OWA access URL and click on Next.
  17. Select the right choice for CEIP and click on Next.
  18. Now Exchange will start the readiness check.
  19. On successful completion of the readiness check, proceed with the installation by clicking on the Install button as shown below.
  20. Installation progresses!
  21. The screen below shows the successful installation of Exchange 2010.

Yes, you are done! Now your Exchange server is ready for operation!!! Write your comments to me!

Step by Step Installation Guide of Exchange 2013 on Windows 2012 Server


Let's get into the task straight. I have tried to make it simple to install your first Exchange Server 2013 on a Windows Server 2012 infrastructure. I have already given an idea about the prerequisites and things to check before we start the installation in my preview installation guide. You may read those here, otherwise let's get started!!
My Lab,
- One Domain Controller (Windows Server 2012 Std), and the functional level is Windows 2008 R2 (you may choose 2012 as well).
- One Member Server (Windows Server 2012 Std)
- Domain Name heloed.local
If you wish to use the Domain Controller to prepare your AD, you must additionally install the following features.
1. Microsoft .NET Framework 4.5
2. Windows Management Framework 3.0
3. Install the Remote Tools Administration Pack (run Install-WindowsFeature RSAT-ADDS on a 2012 server or Add-WindowsFeature RSAT-ADDS on a 2008 server)
Then prepare the domain by using setup /PrepareSchema and/or by running setup /PrepareAD /OrganizationName:. The second command will also extend the schema, so you don't have to run PrepareSchema if you plan to use the same administrator account which has the forest level permission.
Once you have prepared your AD, you can go straight on and install the Exchange Server. But here I have planned to club the AD preparation and Exchange Server installation together, so I did not install the above features on my DC.
Let's start the Exchange part,
  • Add the server (which will be used for installing Exchange 2013) to the domain (heloed.local) and log in with a credential which has the required permission.
Note - If you have already extended the schema and prepared the domain, you may use just a domain admin account to continue with the Exchange installation. I recommend delegating the permissions as required to avoid any hiccups.
  • Execute the below commands to add the required features to the server,
For the Mailbox role or combined Mailbox and CAS role,
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
For a CAS role only installation,
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
  • Restart the server to continue with the installation.
  • Install the 3 components below in order (if you plan to install the CAS role only, the filter packs are not required),
MS_UC_API_Runtime
FilterPack
FilterPack-sp1
It is time to start the actual Exchange Server 2013 installation,
  • Extract Exchange-x64.EXE to the "C:\Ex2013_Extract" directory, navigate to the directory where it is extracted and double-click "setup". Start the wizard and click Next on the "Check for updates" section of the wizard. It will initiate the Copying Files process.
  • Click Next on Introduction and proceed to the License Agreement section. Select I agree and proceed with Next.
  • On the Recommended Settings section, I chose Don't use. You may select as appropriate.
  • Select the Server Roles on the next screen. I chose both the Mailbox and Client Access roles. Click on Next to proceed,
[Screenshot: Wizard_-_Server_Roles]

  • If you wish to change the installation path, you may do so on the next screen. Click Next once you finalize the installation path.
  • Give an Org Name; I gave it as HeloED.
  • Malware protection: select as appropriate (I said 'No'). It will then start the readiness check before the actual install.
For me, there was only one warning, which says "Setup will prepare the organization for Exchange 2013 by using 'Setup /PrepareAD'. No Exchange 2010 server roles have been detected in this topology. After this operation, you will not be able to install any Exchange 2010 servers". This is just fine with me, so I proceeded with the installation.
[Screenshot: Wizard_-_Readiness_Check_Results]
Now you may sit back and relax (as we saw in earlier versions of Windows installation :) until it finishes its work; it takes about 30 - 40 minutes... You will receive a successful installation screen once all the installation steps are over.
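Before starting setup.exe it helps to confirm that the feature commands above actually completed. The following is an added example, not part of the original guides; it covers both the Exchange 2010 and the Exchange 2013 steps, and the function name Test-ExchangePrereq and its parameters are hypothetical. The feature names are copied from the commands in these guides.

```powershell
# Added example. Works with the PowerShell 2.0 of Windows Server 2008 R2
# and with Windows Server 2012.

# Feature list of the Exchange 2010 typical install (CAS, Hub Transport, Mailbox).
$Ex2010Typical = ('NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,' +
    'Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,' +
    'Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,' +
    'RPC-Over-HTTP-Proxy') -split ','

# Feature list of the Exchange 2013 Mailbox or combined Mailbox and CAS install.
$Ex2013MbxCas = ('AS-HTTP-Activation,Desktop-Experience,NET-Framework-45-Features,' +
    'RPC-over-HTTP-proxy,RSAT-Clustering,RSAT-Clustering-CmdInterface,Web-Mgmt-Console,' +
    'WAS-Process-Model,Web-Asp-Net45,Web-Basic-Auth,Web-Client-Auth,Web-Digest-Auth,' +
    'Web-Dir-Browsing,Web-Dyn-Compression,Web-Http-Errors,Web-Http-Logging,' +
    'Web-Http-Redirect,Web-Http-Tracing,Web-ISAPI-Ext,Web-ISAPI-Filter,' +
    'Web-Lgcy-Mgmt-Console,Web-Metabase,Web-Mgmt-Service,Web-Net-Ext45,' +
    'Web-Request-Monitor,Web-Server,Web-Stat-Compression,Web-Static-Content,' +
    'Web-Windows-Auth,Web-WMI,Windows-Identity-Foundation') -split ','

function Test-ExchangePrereq {
    param(
        [Parameter(Mandatory = $true)][string[]]$Feature,
        [string[]]$AutoStartService = @()
    )
    # Needed on 2008 R2; harmless on 2012 where the module loads automatically.
    Import-Module ServerManager -ErrorAction SilentlyContinue

    $wanted    = @($Feature | ForEach-Object { $_.Trim() } | Sort-Object -Unique)
    $installed = @(Get-WindowsFeature -Name $wanted -ErrorAction SilentlyContinue |
                   Where-Object { $_.Installed } | ForEach-Object { $_.Name })
    # A feature that is unknown to this OS version is reported as missing too.
    $missing   = @($wanted | Where-Object { $installed -notcontains $_ })

    # Win32_Service is used because Get-Service in PowerShell 2.0 has no start type.
    $notAuto = @(foreach ($name in $AutoStartService) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if (-not $svc -or $svc.StartMode -ne 'Auto') { $name }
    })

    New-Object PSObject -Property @{
        MissingFeature      = $missing
        ServiceNotAutomatic = $notAuto
        Ready               = ($missing.Count -eq 0 -and $notAuto.Count -eq 0)
    }
}

# Run the line that matches the server being prepared.
Test-ExchangePrereq -Feature $Ex2010Typical -AutoStartService 'NetTcpPortSharing'
Test-ExchangePrereq -Feature $Ex2013MbxCas
```

Ready is True only when every listed feature reports Installed and, for Exchange 2010, the Net.Tcp Port Sharing Service is set to start automatically.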

Common remote desktop connection problems


There are many potential reasons for connection issues or connection drops. This is a list of the most common connection issues, with suggestions on how to solve them.


Buggy or old drivers

Strangely enough, out-of-date graphics drivers or network card drivers on the server that's hosting the RDP session can cause issues. This is the first and simplest thing to check -- make sure your graphics and network drivers are up to date on the server.

Connections blocked by the local Windows firewall

Sometimes the RDP service is enabled, but the port is blocked on the Windows firewall. To solve this, open port 3389 in Windows firewall.

Connections blocked by some other firewall device between your client and the server

If you have other firewalls on your network, check them to ensure that port 3389 is open.

NAT not forwarding the RDC port

If your server is behind a Network Address Translation (NAT) device, ensure that the NAT is forwarding port 3389 to your server.

Remote Desktop Services service is stopped or disabled

To solve this, open the Services Administrative Tools item and start the Remote Desktop Services service.

Remote Desktop isn't enabled, or it was but has been disabled

If all else fails, double check to make sure that remote desktop is in fact enabled on the machine. If not, enable it. If you don't have physical access to the machine, you can follow the Remotely Enable Remote Desktop guide to enable it from a remote machine.

Latency, lag, or remote desktop client slowness


Occasionally, you'll run into major server lag and latency when trying to access remote desktop on certain servers. There are several potential causes of this issue. One cause of this is bad LAN drivers or graphics drivers. The first recommendation is to update your drivers to the latest version.


If driver updates don't solve the problem, here are several other potential fixes:

Disable AutoTuning

1. Open a command prompt as Administrator
2. Run this command:
    netsh interface tcp set global autotuninglevel=disabled
If you need to turn AutoTuning back on, run this command to re-enable it:
    netsh interface tcp set global autotuninglevel=normal

Disable TCP Large Send Offload

1. Open Device Manager on the server
2. Find your network adapter in the tree
3. Go to the Properties dialog, Advanced tab
4. Select the property called Large Send Offload (IPv4)
5. Change the Value dropdown to "Disabled"
6. Click OK

Remotely enable remote desktop


Sometimes you're in a situation where you want to remotely access a computer, but Remote Desktop/Terminal Services isn't enabled on the machine. You might think you're stuck at this point, but if you have credentials on the machine and can remotely access the registry, you can actually enable remote desktop remotely.


The easy way to do this is through group policy. If you have access, you can change the following setting:
Group Policy Setting: Computer Configuration » Administrative Templates » Windows Components » Terminal Services » Allows users to connect remotely using Terminal Services
If you don't have access to group policy, here's the procedure to make the change through the registry:
1. Start Registry Editor on your local machine (by default, this is located at c:\windows\regedit.exe)
2. Click the File menu, then click "Connect Network Registry"
3. Either type the name of the remote server in the dialog box or browse Active Directory to locate the machine
4. Click OK
5. You may get a credentials screen – if so, enter the credentials for the machine and hit OK
6. You are now connected to the registry of the remote computer
7. Go to the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
8. If the fDenyTSConnections value doesn't exist, create a new DWORD value named fDenyTSConnections
9. Open the fDenyTSConnections value. The possible values for this setting are as follows:
    0x0 - Enable remote desktop
    0x1 - Disable remote desktop
10. Change the value from 1 (disable remote desktop) to 0 (enable remote desktop) and click OK
11. To make the change take effect, you will need to reboot the remote server
12. You can reboot the remote server by opening a command prompt and executing the following command:
    shutdown /m \\servername /r
13. Wait for the remote server to reboot – this usually takes a minute or two
14. Remote Desktop is now enabled on the remote machine
You can also make this change through the command prompt:
    reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x00000000 /f
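The server-side items from the connection checklist and the registry value described above can be read back in one pass, which is also a quick way to confirm whether Remote Desktop is switched on for a machine where it should not be. This is an added example, not part of the original articles; the function name Get-RdpState is hypothetical, and it goes slightly beyond the text by reading the listener port from the RDP-Tcp PortNumber registry value instead of assuming 3389.

```powershell
# Added example: report the local Remote Desktop state. Run on the server itself.
function Get-RdpState {
    $tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # 0 = remote desktop enabled, 1 = disabled (the value edited in the steps above).
    $deny = (Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue).fDenyTSConnections

    # Configured listener port; fall back to the default 3389 if it cannot be read.
    $port = (Get-ItemProperty -Path $tcpKey -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # TermService is the service name of "Remote Desktop Services".
    $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue

    # Is anything listening on the RDP port right now?
    $pattern   = ':{0}\s+\S+\s+LISTENING' -f $port
    $listening = [bool](netstat -an | Select-String -Pattern $pattern)

    $enabled = ($deny -eq 0)
    $running = ($svc -and $svc.Status -eq 'Running')

    # Map the result to the matching item of the checklist.
    if (-not $enabled) {
        $finding = 'Remote Desktop is disabled (fDenyTSConnections is not 0)'
    } elseif (-not $running) {
        $finding = 'Remote Desktop Services service is stopped or disabled'
    } elseif (-not $listening) {
        $finding = "Service is running but nothing listens on TCP $port (a reboot may be pending)"
    } else {
        $finding = "Listening on TCP $port; if clients still fail, check firewalls and NAT for this port"
    }

    New-Object PSObject -Property @{
        fDenyTSConnections = $deny
        RdpEnabled         = $enabled
        ServiceRunning     = [bool]$running
        Port               = $port
        Listening          = $listening
        Finding            = $finding
    }
}

Get-RdpState | Format-List
```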

How to enable/disable built-in administrator in Windows 7


You can use simple administrator user accounts to perform most of the actions in Windows 7. But sometimes you might need to use the built-in administrator account.
You can easily use that account by following these instructions:
1. Open Command Prompt: click the Start button and type cmd in the Start Search box. Find Command Prompt in the search result list, right-click on this item, then choose Run as administrator.
2. Press the Yes button if you are prompted for User Account Control permission.
3. At the Command Prompt type:
    net user administrator /active:yes
and press the Enter key on your keyboard.
4. If you want to set the password for this account, at the Command Prompt type:
    net user administrator your_password
and then press the Enter key on your keyboard.
Note: Replace your_password with the password that you want to set for the built-in administrator account.
5. Close Command Prompt.
6. Log off the current user account and check the results.


If you want to disable the built-in administrator account, you can do so by following these instructions:
1. Open Command Prompt: click the Start button and type cmd in the Start Search box. Find Command Prompt in the search result list, right-click on this item, then choose Run as administrator.
2. At the Command Prompt type:
    net user administrator /active:no
and press the Enter key on your keyboard.
3. Close Command Prompt.
4. Log off the current user account and check the results.