How to Gain Full Admin Privileges in Windows 10
Fix Windows 10 admin rights issues: bypass UAC prompts, grayed-out buttons, and failed elevations. Use Recovery CMD, Safe Mode, and built-in admin to restore full local administrator privileges without bootable USB tools.
How to gain full local administrator privileges in Windows 10 when accounts are listed as Administrators but lack sufficient rights?
I have an account in the ‘Administrators’ group, created additional admin accounts, and enabled the built-in ‘Administrator’ account. However, all accounts fail to perform admin tasks:
- Installing certain programs prompts for admin rights despite being admin.
- ‘Change account type’ button is grayed out when trying to switch from Standard to Administrator.
- Command Prompt as Administrator says ‘This account already has admin rights’ but changes don’t apply.
- Bootable USB tools (e.g., 2K10, Strlets) reset passwords and change types, but no effect.
What steps can I take to achieve unrestricted local admin access? Where should I perform these actions (e.g., Safe Mode, Recovery)?
Gaining full local administrator privileges in Windows 10 often requires bypassing UAC restrictions and the split-token model, even when accounts show as Administrators. Start by booting into Recovery Environment via Shift+Restart to run elevated CMD commands like net user administrator /active:yes, then verify in Safe Mode with lusrmgr.msc. If bootable USB tools like 2K10 fail, use native Recovery or Safe Mode instead—these restore unrestricted admin access without prompts for installs or grayed-out buttons.
Contents
- Why Admin Accounts Lack Full Privileges
- UAC and the Split-Token Model Explained
- Elevated CMD via Shift+Restart Recovery
- Enabling the Built-in Administrator
- Safe Mode for Deeper Fixes
- Verify Groups, Policies, and Permissions
- Creating a Fresh Admin Account
- Advanced Steps: UAC Disable and Registry
- Sources
- Conclusion
Why Admin Accounts Lack Full Privileges
You’ve nailed the symptoms—UAC prompts popping up for installs, that frustrating grayed-out “Change account type” button in Settings, and CMD whining “This account already has admin rights” without any real power. Even enabling the built-in Administrator or creating new ones doesn’t stick. Why? Windows 10’s security layers, like User Account Control (UAC) and group policies, create filtered tokens for “standard” admins. You’re in the Administrators group, sure, but without full elevation, changes fizzle out.
Bootable tools like 2K10 or Strlets often fail because they can’t override active sessions or domain policies if you’re on a work machine. (Double-check: is this a home PC or managed by IT?) The fix lies in elevated environments—Recovery or Safe Mode—where you can force true local administrator privileges.
UAC and the Split-Token Model Explained
Here’s the kicker: standard admin accounts get a split token. Normal mode runs a filtered version (no full rights), while “Run as admin” temporarily grabs the unfiltered one. But consistent prompts mean something’s blocking full access, like policies or corrupted SIDs.
Lowering the UAC slider helps temporarily—search “UAC” in Start, drag to bottom, reboot. For permanence, we’ll hit registry later. Users report this after upgrades, where accounts lose elevation despite group membership, as detailed in SuperUser discussions.
Quick test: Right-click CMD, “Run as administrator.” If whoami /groups shows BUILTIN\Administrators (enabled), but tasks still fail, proceed to Recovery.
Elevated CMD via Shift+Restart Recovery
No USB needed—this is native and reliable. Hold Shift while clicking Restart from login screen or Start menu. Navigate: Troubleshoot > Advanced options > Command Prompt. You’re now in a true admin session (X:\Windows\System32).
Key commands to restore full local administrator privileges:
net user administrator /active:yes
net localgroup administrators administrator /add
wmic useraccount where name='administrator' set PasswordChangeable=True
Type exit, then Continue to boot normally. Log in as Administrator (blank password by default—set one immediately with Ctrl+Alt+Del > Change password). Test: Try installing without prompts.
This beats bootables because it targets the live system directly, per TenForums guides.
Enabling the Built-in Administrator
That built-in account you enabled? It might not propagate due to token filters. From the Recovery CMD above, or normal elevated CMD:
- net user administrator /active:yes
- net user administrator MyNewPass123! (set strong password)
- Reboot, log in as Administrator.
If “already has rights” blocks it, force via Recovery. Verify: lusrmgr.msc > Users > Administrator > Member Of > Administrators (should be there). Still grayed out? Group policy override—next section.
Pro tip: This account bypasses most UAC by design. But what if login fails? Safe Mode next.
Safe Mode for Deeper Fixes
Safe Mode loads minimal drivers, sidestepping third-party blocks. Restart while holding Shift > Troubleshoot > Advanced > Startup Settings > Restart > Press 4 (Safe Mode).
Once in:
- Win+R > lusrmgr.msc > Users > Right-click your account > Properties > Member Of > Add > Administrators.
- gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > “Deny access to this computer from the network” > Remove any listings.
- Reboot normally.
Can’t access lusrmgr? Run cmd as admin first. This fixes “Change account type” gray-outs, as Microsoft Learn threads confirm for policy-locked systems.
Bootable USBs fail here because they don’t persist changes without proper mounting—stick to native.
Verify Groups, Policies, and Permissions
Elevation working? Double-check:
- Groups: Elevated CMD > netplwiz > Your account > Group Membership > Administrator > Apply.
- Policies: secpol.msc > Local Policies > User Rights > Ensure Administrators have “Take ownership” and “Full control.”
- Folders: Right-click C:\Windows > Properties > Security > Edit > Administrators > Full control.
If whoami /priv shows disabled privileges, run gpupdate /force. Corrupted profiles? Microsoft recommends clean boot: msconfig > Services > Hide Microsoft > Disable all > Selective startup.
Table of common checks:
| Command/Tool | What It Verifies | Expected Output |
|---|---|---|
| whoami /groups | Group membership | BUILTIN\Administrators (Mandatory Label\High) |
| lusrmgr.msc | User groups | Your account in Administrators |
| gpresult /r | Applied policies | No denies for admins |
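The checks in this section, tied back to the split-token explanation earlier, can be run in one read-only pass. This PowerShell script is an added example, not code from any of the cited sources; it assumes Windows PowerShell 5.1 or later and English-language whoami output, and the function names Get-TokenState and Get-UacPolicy are hypothetical.

```powershell
# Added example: read-only check of the current token and the UAC policy values.
# Assumes Windows PowerShell 5.1+ and English whoami attribute text ("deny only").
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$Levels = @{ 'S-1-16-8192' = 'Medium'; 'S-1-16-12288' = 'High'; 'S-1-16-16384' = 'System' }

function Get-TokenState {
    # /nh drops the header row, so the column names below do not depend on locale
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes
    $admins = $groups | Where-Object SID -eq $AdminsSid
    $label  = $groups | Where-Object { $Levels.ContainsKey($_.SID) } | Select-Object -First 1
    [pscustomobject]@{
        InAdministrators = [bool]$admins
        DenyOnly         = [bool]($admins.Attributes -match 'deny only')
        Integrity        = if ($label) { $Levels[$label.SID] } else { 'Unknown' }
    }
}

function Get-UacPolicy {
    # Values that are absent from the key come back as $null (Windows default applies)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        FilterAdministratorToken   = $p.FilterAdministratorToken
    }
}

$t = Get-TokenState
$u = Get-UacPolicy
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

$finding = if (-not $t.InAdministrators) {
    'Account is not in Administrators: fix group membership first.'
} elseif ($u.EnableLUA -eq 0) {
    'UAC is off (EnableLUA=0): admin processes run unfiltered; set it back to 1.'
} elseif ($t.DenyOnly) {
    'Filtered token: membership is fine, this process is simply not elevated.'
} elseif ($t.Integrity -in 'High', 'System') {
    'Elevated token: remaining failures point to ACLs or policy, not UAC.'
} else {
    'Unexpected combination: compare with gpresult /r output.'
}

$t | Format-List; $u | Format-List
"Built-in Administrator enabled: $($builtin.Enabled)"
$finding
```

Run it once from a normal prompt and once from a "Run as administrator" prompt: the first should report a deny-only Administrators entry at Medium integrity, the second an enabled entry at High.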
Creating a Fresh Admin Account
Old accounts glitched? Make a new one in Recovery CMD:
net user NewAdmin SuperSecurePass! /add
net localgroup administrators NewAdmin /add
Reboot, log in as NewAdmin. Use Settings > Accounts > Family & other users > Change account type if needed (won’t be grayed). Tools like iSumsoft echo this for USB fails—Recovery mounts the drive perfectly.
Why fresh? Avoids profile SID issues from upgrades.
Advanced Steps: UAC Disable and Registry
Last resort for unrestricted access: Kill UAC entirely (not for production PCs—security risk).
In Safe Mode or Recovery CMD, regedit:
Navigate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set EnableLUA to 0 (DWORD). Reboot.
Or PsExec (download from MS Sysinternals): psexec -i -s cmd for SYSTEM shell, then admin tweaks.
SuperUser notes deleting SpecialAccounts registry for ghost denies. Test post-change: No UAC, full installs.
Warning: Re-enable for security. Domain? Contact IT—GPO overrides local.
Sources
- Why do I not have full admin privileges Windows 10 — Common symptoms of grayed-out admin options and UAC issues: https://learn.microsoft.com/en-us/answers/questions/3932187/why-do-i-not-have-full-admin-privileges-windows-10
- Cannot access admin privileges — Shift+Restart method for enabling built-in admin via CMD: https://www.tenforums.com/user-accounts-family-safety/120823-cannot-access-admin-privileges.html
- Windows 10 permissions denied and strange errors — Safe Mode, lusrmgr.msc, and secpol.msc policy fixes: https://learn.microsoft.com/en-us/answers/questions/746510/windows-10-permissions-denied-and-strange-errors-e
- After Windows 10 upgrade administrator account lacking full access — UAC split-token explanation and registry tweaks: https://superuser.com/questions/1078100/after-windows-10-upgrade-administrator-account-lacking-full-access-privileges
- Lost Administrator Rights in Windows 10 — Safe Mode and new account creation steps: https://www.isumsoft.com/windows-tips/lost-administrator-rights-in-windows-10.html
- Administrator account does not have administrator priviledges — netplwiz group changes and verification: https://learn.microsoft.com/en-us/answers/questions/3234192/administrator-account-does-not-have-administrator
- Fix Windows 10 not recognizing administrator account — Overview of clean boot and hidden admin enable: https://thegeekpage.com/fix-windows-10-not-recognizing-administrator-account/
Conclusion
Restore full local administrator privileges in Windows 10 by prioritizing Recovery CMD (Shift+Restart) for net user commands, Safe Mode for lusrmgr.msc edits, and UAC tweaks as backup. Most users see unrestricted access after enabling built-in admin and verifying groups—no more prompts or gray buttons. Test with a program install; if issues linger, it’s likely domain policies. Stay safe—re-enable protections after.