News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • Getting rid of local administrators

    Home Forums AskWoody blog Getting rid of local administrators

    • This topic has 17 replies, 11 voices, and was last updated 1 month ago.
    Viewing 9 reply threads
    • Author
      Posts
      • #2372540
      • #2372565
        Simon_Weel
        AskWoody Plus

        We took being an administrator for granted because we needed to install software and run programs that required administrator rights.

        The need for Admin rights to install software is a good thing. That’s why I don’t understand more and more programs, like Teams, install themselves in the Userprofile. Yes, it’s easier for users to install software, but the same applies to malware. Can anyone explain the idea behind this behaviour?

        • #2372578
          EricB
          AskWoody Plus

          Administrator privileges are only needed if software installers write to system locations that require Administrator privileges for write access (e.g., Program Files folder, HKLM registry keys, etc.).  If software is installed to locations accessible to the user and doesn’t otherwise use those protected resources then Administrator privilege is not needed installation.

      • #2372607
        b
        AskWoody MVP

        Review the entries for ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser. Set the former to 1 and the latter to 3. (See Figure 1.)

        Aren’t these transposed?

        There’s no valid setting of 3 for the User: ConsentPromptBehaviorUser

        Windows 10 Pro version 21H2 build 19044.1149 + Microsoft 365 (group ASAP)

        1 user thanked author for this post.
        • #2372681
          Susan Bradley
          Manager

          It got flipped on edit.  I’ll fix the image as well.

          Susan Bradley Patch Lady

          1 user thanked author for this post.
          b
      • #2372621
        Coldheart9020
        AskWoody Lounger

        I use a standard account in my day to day use, but have a separate Admin account which I only log in to when I want to make system-wide changes. I use elevated privileges on my standard account when I need to – requiring my Admin account’s password. I also have the system Administrator account disabled.

        Might be a bit excessive, but I’m more than used to it at this point.

        2 users thanked author for this post.
      • #2372615
        grandma78633
        AskWoody Plus

        Many thanks for this. However, just have to say I found it difficult/confusing to figure out HOW to create my “standard”/”limited” account when setting up a new machine within the last year. Windows 10 seems to ASSUME that you want to use the admin account!!!
        I won’t tell you my age, but I began using PC’s with DOS 2.1!! So maybe I am not as flexible as I used to be. But I did feel like I had to “hunt around” a bit to do that!!

      • #2372649
        anonymous
        Guest

        I don’t see the need to have any other account other than the Local Account Administrator. I live alone in my own apartment and never have visitors or guests, and my living quarters are secure. I am home for all but two hours a week and my computers never leave my apartment. I never even take my smartphone with me for my two hour trip to the supermarket each week. I just don’t see the need nor any advantage to having a Microsoft Account (I don’t use any application that requires a Microsoft account); and I don’t leave any of my computing devices (other than the smartphone) up and running unattended when I am not directly using them. I don’t like having to enter a username and password just to sign onto a computer that no one ever accesses (other than Big Brother Microsoft) but me; and I want whoever finds my body, in the event of my untimely demise or sudden death, to have access to my computers for obvious reasons (Executor, beneficiary, etc.).

         

        1 user thanked author for this post.
        • #2372651
          Susan Bradley
          Manager

          If you are on the Internet you could have attackers that come after you. It’s not just physical security to be concerned over, it’s what you do on the web. When you run your machine without admin rights, it makes it harder for attackers to take over your system.

          Susan Bradley Patch Lady

          1 user thanked author for this post.
      • #2372663
        PaulK
        AskWoody Lounger

        I don’t like having to enter a username and password just to sign onto a computer

        A password is not required; just leave the field blank when creating a new user account.
        And the logon screen shows icons for all the defined accounts; just click on the one desired.
        Try it: it is easy enough to delete the account if one doesn’t like it.

        Susan’s comment is quite valid.

      • #2372734
        Norio
        AskWoody Plus

        One of the tools I’m adding to my arsenal is the use of multi-factor authentication. I rely on the service Duo (from Cisco) to add the additional requirement of a phone app (or a phone call to those without a smartphone).

        Great tips, thank you very much!
        Two questions I have are: Approximately how much is Duo costing you?  And what version/edition are you using?

        Thanks!

        • #2373052
          Paul T
          AskWoody MVP

          Duo have a free version for up to 10 users.

          cheers, Paul

          1 user thanked author for this post.
      • #2372784
        dmt_3904
        AskWoody Plus

        Most of the time, standard user rights are enough. Even Windows Updating handles standard user rights properly. But every now and then, especially on older software, administrator rights are needed. The easiest way to deal with this is to set up two accounts for yourself, one standard and one administrator. Then let User Account Control (UAC) be your friend. whenever you are running as a standard user and some process needs admin rights, UAC will pop up and ask for an account with elevated rights. Just use your administrator account to carry on.

        I would like to take Susan‘s advice and change my admin account to Standard. I do not have a need to share across other computers.  I don’t want/need a family group or sharing, it’s just me, but I have no experience with the user accounts, and I’m afraid I will mess it up and possibly lose access to my computer! I’ve always had the computer set up by someone and have never done anything with user accounts.

        Right now it’s an admin account. I can follow Susan‘s instructions and check the registry for UAC. How do I create and use a standard account? Should I follow these instructions? https://support.microsoft.com/en-us/windows/create-a-local-user-or-administrator-account-in-windows-10-20de74e0-ac7f-3502-a866-32915af2a34d

        On your local machine, see whether you can change your user account to a standard user instead of administrator.

        What do I have to check to see if I can change to account to standard? What else do I have to pay attention to when I make this change?  I know where User Accounts are in the control panel and I can see the admin account is selected. I assume I create the Standard user account (instructions above?) and then select it?Thanks. Donna

      • #2372789
        PKCano
        Manager

        DO NOT convert the only account on the computer from an Administrative account to a Standard account. There needs to be ONE (non-used) Administrative account or your hands will be tied for making some changes. The first account created during Windows installation is an Administrative account.

        If you want to use a Standard account for security there are two methods:

        If your current account is an Administrator (the first account created during installation), and you want to keep that ID, create a second Administrative account with a password, then convert the original account to a Standard account. Use that Standard account for everyday purposes and use the new Admin account only when Admin privileges are needed.

        If your current account is an Administrator (the first account created during installation), and you do not care about keeping that ID, create a Standard and use it for everyday purposes. Be sure the Admin account has a password and use it only when Admin privileges are needed.

        1 user thanked author for this post.
        • #2372791
          dmt_3904
          AskWoody Plus

          Thanks PK. But I guess I don’t understand the difference between the two methods – don’t I end up with a std & admin in the end?

          • In the first method – my current admin becomes my standard (I think I prefer this bc I don’t know how my user account was set up in the beginning and I am happy with how it is working – everything is associated to this account.)?
          • In the 2nd method – I’d be creating a brand new account for everyday purposes, but that original Admin remains intact?
          • #2372854
            Susan Bradley
            Manager

            But you need to make sure that you still have an administrator account.  So go back in and set up another account and change it to be an administrator.  Log into that new account and make your original one a standard user.  I can do a video and show you what I mean.

            Susan Bradley Patch Lady

            • #2372879
              dmt_3904
              AskWoody Plus

              I can do a video and show you what I mean.

              that would be great thank you!

          • #2372857
            PKCano
            Manager

            If you use the second method, you will have to transfer all your data and settings to the new Standard account and remove them from the original account.

            If you have an account that is already being used, and all your data and settings are there, the first method is best for you. The new account will be the Admin and there it will not need your data to function. And the only thing you will need to do is change the original account that you are using from Admin to Standard.

            And whatever you do, DO NOT loose the password for the Administrative account. Write it down and put it somewhere safe.

            Susan can make a video to show how to do it.

            1 user thanked author for this post.
    Viewing 9 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, no politics or religion.

    Reply To: Getting rid of local administrators

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.