Windows - Security - Enable Local Administrator

What the Administrator account enablement Worklet does

This Automox Worklet™ enables the built-in local Administrator account on Windows endpoints. The Worklet uses PowerShell's CimInstance class and the Win32_UserAccount class to determine if the Administrator account is currently disabled on the endpoint.

If the account is already enabled, the Worklet exits without making changes and the endpoint is marked as compliant. If the account is disabled, the Worklet flags the endpoint for remediation and enables the account during the remediation phase. The script verifies the account name exists before attempting any modifications.

Why enable the local Administrator account

Standard administrative accounts may become unavailable or compromised, leaving endpoints inaccessible for critical maintenance tasks. The local Administrator account provides an additional administrative access method for your endpoints. In scenarios where standard administrative accounts are unavailable or compromised, having an enabled Administrator account enables emergency access and account recovery operations.

The Administrator account serves as a fallback administrative credential for troubleshooting system issues, recovering from failed security policies, or performing critical maintenance tasks that require elevated privileges. Enabling this account supports your disaster recovery procedures and business continuity planning.

Some organizations require the Administrator account to be enabled for specific applications, legacy software, or third-party tools that depend on this account. This Worklet allows you to standardize the enablement of this account across your Windows fleet.

How Administrator account enablement works

1. Evaluation phase: The Worklet validates current endpoint state and identifies non-compliant conditions.

2. Remediation phase: The Worklet applies enable local administrator changes required to reach the target state.

1. Remediation phase: If the account is disabled, the Worklet uses Set-CimInstance to modify the account and set the Disabled property to $false. The Worklet then verifies that the account is enabled by querying the account again and confirming the Disabled property reflects the change. If the account is not found or the enable operation fails, the Worklet returns an error.

Administrator account enablement requirements

• Windows 10, Windows 11, or Windows Server 2016 or later

• PowerShell 3.0 or later

• Local administrative privileges to execute and enable the account

• WinRM service must be running (for CimInstance communications)

• Windows Remote Management (WinRM) must allow local connections

Expected state after Administrator account enablement

After the Worklet runs successfully, the built-in local Administrator account will be enabled on the endpoint. The account becomes available for login and administrative operations, providing a fallback access method for emergency situations. You can verify the account is enabled by opening the Local Users and Groups management console (lusrmgr.msc) or by running the Get-CimInstance -ClassName Win32_UserAccount -Filter "Name='Administrator'" command in PowerShell.

The account will remain enabled until a separate action or Worklet disables it. Once enabled, IT Operations personnel can use this account for administrative tasks, system recovery, or emergency access scenarios. The Administrator account is not affected by subsequent Worklet runs as long as the account remains enabled, maintaining your disaster recovery capabilities.

How to validate enable local administrator changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for enable local administrator.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Set-CimInstance, Get-CimInstance, Write-Output.

4. Validate remediation effects from script operations such as Set-CimInstance, Get-CimInstance, Write-Output, then rerun evaluation for compliance.