I'm trying to create a hidden local admin account on my Windows 11 Pro machine without connecting to a domain. My goal is to ensure that this account is either not visible on the login screen or cannot log in at all, while still allowing standard users to perform system tasks via UAC elevation, using this admin account's password when needed.
I've attempted a couple of methods like adding a registry entry in [WinLogon\SpecialAccounts\UserList], but that stopped the account from appearing in the UAC prompt. I also tried using SecPol.msc to deny local logins for this user, but that resulted in issues when entering the password at the UAC prompt.
I'm keen to avoid unlocking the default Administrator account due to security concerns. Any suggestions would be greatly appreciated!
4 Answers
If users already have admin rights, it seems odd that you're trying to add a hidden admin account. Why bother with a separate account?
UAC is an interactive logon event, so achieving exactly what you're asking might be tricky. You could prevent cached logins via secpol by hiding the last signed-in user or adjusting the registry options to not display the last username, which might help.
Thanks for that tip about the last signed-in user—that could be a great workaround!
Consider using MDM solutions to let users self-install approved software rather than handing out an admin account. For more control over tasks, tools like Admin by Request can help without exposing a hidden admin account.
You could try changing the shell for this user to logoff.exe instead of explorer.exe. It sounds like you might not completely trust the person with this admin password, though.
You got that right! It's for my mom. She's had issues with accidental installs before, so I want to keep her from messing up the system again while still allowing her some flexibility.

I want more control, similar to how Linux handles permissions. I don't want users just clicking 'yes' during UAC; I need them to enter a password for installs or critical settings.
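The following is an added example, not code posted by anyone in this thread. It puts the pieces discussed above into one elevated Windows PowerShell 5.1 script for a non-domain Windows 11 Pro machine: the SpecialAccounts\UserList entry from the question, the "do not display last signed-in" setting from the first answer, the logoff.exe shell from the later answer, and the UAC credential prompt behaviour asked for in the last comment. The account name svc-elevate and the temporary hive name HiddenAdmin are assumptions for the example; the script deliberately does not touch "Deny log on locally", because UAC elevation performs an interactive logon and that right breaks the credential prompt.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Creates a local administrator that is
# hidden from the sign-in screen and intended only for UAC credential prompts.
# Assumptions: account name 'svc-elevate' and hive alias 'HiddenAdmin' are my choices.

$AccountName = 'svc-elevate'

# 1. Create the account and make it a local administrator. The password is read
#    interactively so it is never stored in the script or the console history.
$Password = Read-Host -AsSecureString "Password for $AccountName"
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $Password -PasswordNeverExpires `
        -Description 'Elevation-only local administrator' | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $AccountName -ErrorAction SilentlyContinue

# 2. Hide the account from the Welcome screen (the UserList key from the question).
#    Caveat from the question: the account tile also vanishes from the UAC credential
#    dialog, so the user has to type the account name into the prompt instead.
$UserList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
New-Item -Path $UserList -Force | Out-Null
Set-ItemProperty -Path $UserList -Name $AccountName -Value 0 -Type DWord

# 3. Do not display the last signed-in user (the secpol hint from the first answer),
#    so the hidden account name is never pre-filled on the sign-in screen.
$Policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $Policy -Name 'DontDisplayLastUserName' -Value 1 -Type DWord

# 4. UAC behaviour. Standard users: prompt for credentials on the secure desktop (1),
#    not auto-deny (0). Administrators: prompt for credentials (1) instead of the
#    Yes/No consent prompt (5, the default), the sudo-like behaviour the last comment wants.
Set-ItemProperty -Path $Policy -Name 'ConsentPromptBehaviorUser'  -Value 1 -Type DWord
Set-ItemProperty -Path $Policy -Name 'ConsentPromptBehaviorAdmin' -Value 1 -Type DWord
Set-ItemProperty -Path $Policy -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord
Set-ItemProperty -Path $Policy -Name 'EnableLUA'                  -Value 1 -Type DWord

# 5. Optional, from the logoff.exe answer: if someone does sign in interactively as this
#    account, give it a per-user shell of logoff.exe so the session ends immediately.
#    The per-user Winlogon\Shell value lives in the account's own hive, which only exists
#    after a first logon, so load that hive explicitly. reg.exe is used here rather than
#    the registry provider so no open handle blocks the unload.
$Sid     = (Get-LocalUser -Name $AccountName).SID.Value
$Profile = Get-CimInstance Win32_UserProfile -Filter "SID='$Sid'"
if ($Profile) {
    $Hive = Join-Path $Profile.LocalPath 'NTUSER.DAT'
    reg.exe load 'HKU\HiddenAdmin' $Hive | Out-Null
    reg.exe add 'HKU\HiddenAdmin\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' `
        /v Shell /t REG_SZ /d 'logoff.exe' /f | Out-Null
    reg.exe unload 'HKU\HiddenAdmin' | Out-Null
} else {
    Write-Warning "$AccountName has no profile yet; sign in once, then rerun step 5 to set the logoff.exe shell."
}

# 6. Show the resulting state so the change can be checked before rebooting.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
Get-ItemProperty -Path $Policy |
    Select-Object ConsentPromptBehaviorUser, ConsentPromptBehaviorAdmin,
                  PromptOnSecureDesktop, EnableLUA, DontDisplayLastUserName
```

After a sign-out, test the two things the question cares about: the account should be absent from the sign-in screen, and a standard user triggering UAC should be able to type svc-elevate and its password into the credential prompt and have the elevation succeed. If the prompt is instead refused, check that no "Deny log on locally" entry for the account remains in secpol.msc, since that right blocks the elevation logon as the question describes.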