A post has been making the rounds on LinkedIn lately: a technician shares how they restored admin privileges on a Windows workstation using the built-in recovery tools. Hold Shift, click Restart, open a command prompt, enable the Administrator account, done.
It's a real technique. And on the right machine, it works. But if you're managing workstations across a school district or a business with dozens of endpoints, 'it works sometimes' isn't good enough. Here's what that post leaves out.
The BitLocker Problem
Most newer business-class machines — and a growing number of consumer PCs — ship with BitLocker enabled by default. That means the moment you try to access the OS drive from the Windows Recovery Environment, you're going to get asked for a 48-digit recovery key.
No key, no access. Full stop.
If your organization doesn't have a system for storing BitLocker recovery keys (Active Directory, Entra ID, or even a secured spreadsheet), this is the scenario that turns a 15-minute fix into a full reimage. We see this more often than you'd expect, especially in environments where devices were set up quickly and nobody documented the keys.
The takeaway: BitLocker key management isn't optional anymore. If you don't know where your recovery keys are stored right now, that's the thing to fix today — before you need them.
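As an added illustration (this is my own example, not code from the original post), here is a PowerShell check a technician can run from an elevated prompt to confirm that every BitLocker-protected volume actually has a recovery password protector, and, optionally, escrow it to Active Directory or Entra ID. It uses the BitLocker module that ships with Windows (Get-BitLockerVolume, Backup-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector); the function name and the -Escrow parameter are mine.

```powershell
# Added example: inventory BitLocker recovery protectors and optionally escrow them.
# Requires an elevated PowerShell session and the built-in BitLocker module.
function Test-BitLockerKeyEscrow {
    [CmdletBinding()]
    param(
        # Where the key should be backed up: AD for domain-joined, AAD for Entra-joined.
        # (Parameter and values are this example's own convention.)
        [ValidateSet('None', 'AD', 'AAD')]
        [string]$Escrow = 'None'
    )

    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $result = [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus     # On / Off
            VolumeStatus     = $vol.VolumeStatus         # FullyEncrypted, FullyDecrypted, ...
            RecoveryKeyIds   = @($recovery | ForEach-Object { $_.KeyProtectorId })
            Escrowed         = $false
        }

        # A volume that is protected but has no recovery password protector is the
        # "no key, no access" case: there is nothing to look up and nothing to escrow.
        if ($vol.ProtectionStatus -eq 'On' -and $recovery.Count -eq 0) {
            Write-Warning "$($vol.MountPoint) is protected but has NO recovery password protector."
        }

        foreach ($kp in $recovery) {
            switch ($Escrow) {
                'AD'  { Backup-BitLockerKeyProtector      -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null; $result.Escrowed = $true }
                'AAD' { BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null; $result.Escrowed = $true }
            }
        }
        $result
    }
}

# Report only (safe to run anywhere), then escrow to Entra ID on an Entra-joined device.
Test-BitLockerKeyEscrow | Format-Table -AutoSize
# Test-BitLockerKeyEscrow -Escrow AAD
```

Run it in report mode first; a row whose ProtectionStatus is On but whose RecoveryKeyIds is empty is exactly the machine that becomes a full reimage the day WinRE asks for a key. Backing up to Active Directory also depends on the domain being configured to accept BitLocker recovery information, so confirm the key appears in AD or the Entra device record afterwards rather than trusting the cmdlet's return alone.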
WinRE Isn't What It Used To Be
The LinkedIn post assumes you can run net user commands from the Windows Recovery Environment command prompt. That used to be reliable. On newer builds of Windows 10 and Windows 11, Microsoft has been locking down what you can do from that prompt.
There are workarounds — offline registry edits, boot tools, PE environments — but they require knowing which method to reach for based on the Windows version, the security configuration, and whether the machine is encrypted. It's not a copy-paste-from-LinkedIn situation.
Domain-Joined Machines Are a Different Animal
If the workstation is joined to Active Directory (which covers most school districts and businesses), local account recovery isn't the right approach at all. Admin rights are managed centrally through AD group policy, and the fix happens at the domain controller, not at the workstation.
Same goes for machines joined to Azure AD / Entra ID — that's an Intune or Entra portal fix.
The LinkedIn post doesn't mention this, which means someone could waste an hour trying to enable a local Administrator account on a domain-joined machine when the answer was a 30-second change in Active Directory.
The Part Nobody Talks About: Re-Securing the Machine
The original post does mention disabling the built-in Administrator after you're done. Good. But there's more to it than flipping a switch.
After any admin recovery, you should be verifying that BitLocker is still active, confirming the target user's group membership is correct, removing any temporary credentials, and documenting what happened and why. If the admin account was deleted in the first place, there's usually a reason — or a mistake worth understanding so it doesn't repeat.
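The checks in that paragraph can be scripted so they happen every time instead of when someone remembers. The following is an added example of my own, not code from the original post: it verifies BitLocker is still on for the OS drive, that the built-in Administrator (RID 500) is disabled again, that the local Administrators group contains only the accounts you expect, that no temporary-looking local accounts remain, and it appends a one-line record to a log. The function name, the "expected admins" default, the temporary-account naming pattern and the log path are all assumptions for this illustration.

```powershell
# Added example: post-recovery verification for a local workstation. Run elevated.
# Uses Get-BitLockerVolume (BitLocker module) and Get-LocalUser / Get-LocalGroupMember
# (Microsoft.PowerShell.LocalAccounts). Defaults below are this example's assumptions.
function Test-PostRecoveryState {
    [CmdletBinding()]
    param(
        # Accounts that are SUPPOSED to be local administrators on this machine.
        [string[]]$ExpectedAdmins = @("$env:COMPUTERNAME\LocalAdmin"),
        # Where to append the findings so the recovery is documented.
        [string]$LogPath = "$env:ProgramData\RecoveryAudit\post-recovery.log"
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. BitLocker still protecting the OS drive?
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection on $($os.MountPoint) is $($os.ProtectionStatus); resume it with Resume-BitLocker.")
    }

    # 2. Built-in Administrator (RID 500) disabled again? Match on the SID, not the name,
    #    because the account may have been renamed.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin -and $builtin.Enabled) {
        $findings.Add("Built-in Administrator '$($builtin.Name)' is still enabled.")
    }

    # 3. Anyone in Administrators who should not be? The RID-500 account is always a member
    #    and cannot be removed, so it is allowed as long as it is disabled (checked above).
    $allowed = @($ExpectedAdmins)
    if ($builtin) { $allowed += "$env:COMPUTERNAME\$($builtin.Name)" }
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    } catch {
        # Entra-joined machines can fail here on orphaned SIDs; report it rather than guess.
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
        $members = @()
    }
    foreach ($m in ($members | Where-Object { $_ -notin $allowed })) {
        $findings.Add("Unexpected member of Administrators: $m")
    }

    # 4. Temporary accounts left behind? (naming convention is an assumption)
    Get-LocalUser | Where-Object { $_.Name -like 'temp*' -or $_.Name -like 'recovery*' } |
        ForEach-Object { $findings.Add("Temporary-looking local account still exists: $($_.Name)") }

    # 5. Document it.
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $line  = if ($findings.Count) { "$stamp FINDINGS: " + ($findings -join ' | ') } else { "$stamp OK: no findings" }
    Add-Content -Path $LogPath -Value $line

    [pscustomobject]@{ Clean = ($findings.Count -eq 0); Findings = $findings.ToArray(); Log = $LogPath }
}

# Usage: pass the accounts that should hold local admin on this particular machine.
Test-PostRecoveryState -ExpectedAdmins @("$env:COMPUTERNAME\ITAdmin", 'CONTOSO\Domain Admins')
```

The script reports rather than remediates on purpose: the point of the paragraph above is that each finding needs a decision and a note about why, not an automatic reversal. Keep the log somewhere the technician cannot edit after the fact (a central share or your RMM) if you want it to serve as the record.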
What We'd Actually Recommend
If you're responsible for workstations in a school district or business environment in the DFW area, here's the short version:
- Know where your BitLocker keys are before you need them.
- Don't rely on a single recovery method. WinRE works until it doesn't. Have a fallback.
- Know whether you're dealing with a local, AD-joined, or Entra-joined machine before you start troubleshooting. The fix is completely different for each.
- Document the recovery and address the root cause.
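Because the second and third bullets both come down to "know what you are looking at before you touch it", here is an added example of my own (not from the original post) that answers those questions in one call: is the machine local, AD-joined, Entra-joined or hybrid; where does the admin-rights fix therefore live; is the OS drive BitLocker-protected; and is WinRE even enabled as a fallback. It reads Win32_ComputerSystem, the output of dsregcmd /status and reagentc /info, and Get-BitLockerVolume; the function name and the FixAt wording are mine.

```powershell
# Added example: triage a workstation before choosing a recovery method. Run elevated.
function Get-WorkstationJoinType {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # dsregcmd /status is the authoritative source for Entra (Azure AD) join state.
    $ds = & dsregcmd /status 2>$null
    $adJoined    = [bool]$cs.PartOfDomain
    $entraJoined = [bool]($ds | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')

    $type = if ($adJoined -and $entraJoined) { 'HybridJoined' }
            elseif ($adJoined)               { 'ADJoined' }
            elseif ($entraJoined)            { 'EntraJoined' }
            else                             { 'Local' }

    # Where the admin-rights fix actually lives, following the post's reasoning.
    $fixAt = switch ($type) {
        'ADJoined'     { 'Active Directory group policy on the domain controller' }
        'HybridJoined' { 'Active Directory group policy first; Intune policy may also apply' }
        'EntraJoined'  { 'Intune / Entra admin center, not the workstation' }
        'Local'        { 'On the workstation itself (local account recovery)' }
    }

    # Is the OS drive encrypted? WinRE will demand the 48-digit key if so.
    $bitlocker = try { (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus } catch { 'Unknown' }

    # Is WinRE present and enabled? "WinRE works until it doesn't" starts here.
    $winre = [bool]((& reagentc /info 2>$null) | Select-String -Pattern 'Windows RE status:\s*Enabled')

    [pscustomobject]@{
        Computer         = $cs.Name
        Domain           = if ($adJoined) { $cs.Domain } else { $null }
        JoinType         = $type
        FixAt            = $fixAt
        OSDriveBitLocker = $bitlocker
        WinREEnabled     = $winre
    }
}

Get-WorkstationJoinType | Format-List
```

A JoinType of ADJoined or EntraJoined with a lockout ticket means the fix is a directory or Intune change, and nothing in WinRE needs to happen; OSDriveBitLocker set to On means the recovery key has to be in hand before anyone reboots into recovery.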
We handle workstation issues like this across school districts and public agencies in the Frisco, Prosper, and greater DFW area. If your team runs into a locked-out machine — or if you want to make sure your environment is set up so it doesn't happen — give us a call.
Need IT Support in Frisco or Prosper?
The Brass Effect provides managed IT services, workstation support, and endpoint management for Texas school districts and DFW businesses. We're local, responsive, and we document everything.