0X0000055B

Fix 0X0000055B: Can't Modify Built-In Windows Accounts

Windows Errors Intermediate 👁 0 views 📅 Jun 9, 2026

Windows won't let you change a built-in account like Administrator or Guest. Here's the quick fix and why it happens.

You're trying to rename, disable, or delete the Administrator or Guest account in Windows and you get error 0X0000055B. It's frustrating because you know you have admin rights. Don't worry—this is by design, and the fix is simple once you know where Windows hides these protections.

The Quick Fix: Use the Command Line

Forget the GUI—it won't let you touch these accounts directly. Open an elevated Command Prompt (right-click Start, select Command Prompt (Admin) or Windows Terminal (Admin)).

Step-by-step

  1. Press Win + X, then click Terminal (Admin) or Command Prompt (Admin).
  2. Click Yes on the UAC prompt.
  3. Type this command to see all local accounts: 
    net user
    You'll see a list—note the exact name of the account you want to change (usually "Administrator" or "Guest").
  4. To enable the built-in Administrator account (if it's disabled): 
    net user administrator /active:yes
    Press Enter. You'll see "The command completed successfully."
  5. To rename the Administrator account (you can't delete it): 
    net user administrator NewAdminName
    Replace NewAdminName with whatever you want. Press Enter. No error this time.
  6. To disable the Guest account: 
    net user guest /active:no

After each command, you should see a success message. If you still get 0X0000055B, you're probably trying to delete the account—you can't. You can only disable or rename it.

What if the account isn't showing up in net user?

Some built-in accounts are hidden by default. Run this to see them all: 

net user /all
That lists every hidden account including the default Administrator and Guest.

Why does this error happen?

Windows marks certain accounts as "special" using a security descriptor flag SE_GROUP_SPECIAL (group SID S-1-5 domain). These accounts—Administrator, Guest, DefaultAccount—are hard-coded into the OS at the kernel level. The Local Security Authority (LSA) refuses any operation that would remove or fundamentally alter these accounts because they're required for system recovery, safe mode, and domain join scenarios.

Think of it like this: Windows trusts these accounts more than any user-created account. If you could delete them, a bad update or a malware infection could lock you out of your own machine permanently. So Microsoft locked them down hard.

Less common variations of the same issue

You're using an RMM tool or script

If you're getting 0X0000055B from a remote management tool like PDQ Deploy, Active Directory Users and Computers, or a PowerShell script, the same rule applies. The tool is trying to modify a built-in account on a local machine or domain controller. You can't do it through those tools either.

Fix: Run the net user command directly on the target machine via remote PowerShell or PsExec. Example: 

psexec \\computername net user administrator /active:yes

You're on a domain controller (Windows Server)

On a domain controller, built-in accounts like Administrator and Guest exist in the NTDS database, not the local SAM. You can't rename or disable the built-in Domain Admin account through ADUC—same error.

Fix: Use Group Policy Management Console to rename the Administrator account across the domain:

  1. Open Group Policy Management (gpmc.msc).
  2. Create a new GPO or edit the Default Domain Policy.
  3. Go to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity Options.
  4. Find Accounts: Rename administrator account. Set it to the new name.
  5. Link the GPO to your domain, then run gpupdate /force on domain controllers.

This is the only way to rename the built-in domain admin account without triggering 0X0000055B.

You're trying to change the account SID or permissions

Some advanced users try to change permissions on the built-in accounts using icacls or Set-Acl. This will also fail with 0X0000055B. The OS protects the account's security descriptor at a level below what ACLs can touch.

The real fix: Don't try to modify the account's permissions. Instead, create a new local user with the exact permissions you need, then disable or rename the built-in account using the net user commands above.

How to prevent this going forward

  • Never try to delete built-in accounts. You can't, and the error will waste your time. Just rename and disable them.
  • Always use net user or Group Policy when working with built-in accounts. The GUI tools like lusrmgr.msc will throw this error every time for these special accounts.
  • Document your renamed accounts. If you rename Administrator to "Admin-Backup", write it down. I've seen people lock themselves out because they forgot the new name after a reboot.
  • Test on a VM first. If you're a help desk tech rolling out a rename GPO across 500 desktops, test it on one machine. The GPO works, but a typo in the new name can cause logon failures.

That's it. Error 0X0000055B is Windows telling you "I won't let you break the machine." Listen to it, use the right tools, and you'll be fine.

Was this solution helpful?

ERROR_SPECIAL_ACCOUNT 0X0000055B built-in account cannot perform this operation on built-in accounts Windows account management Administrator account Guest account rename built-in account disable built-in account Windows 10 Windows 11 Windows Server local users and groups lusrmgr.msc net user command SID S-1-5 domain protected account