Getting rid of local administrators

Topic

New Reply

ON SECURITY By Susan Bradley Administrator rights are easy to set up but hard to remove. Once upon a time, we always configured Windows computers with
[See the full post at: Getting rid of local administrators]

Susan Bradley Patch Lady/Prudent patcher

3 users thanked author for this post.

Norio, oldfry, abbodi86

Reply | Quote

Replies

We took being an administrator for granted because we needed to install software and run programs that required administrator rights.

The need for Admin rights to install software is a good thing. That’s why I don’t understand more and more programs, like Teams, install themselves in the Userprofile. Yes, it’s easier for users to install software, but the same applies to malware. Can anyone explain the idea behind this behaviour?

Reply | Quote

Administrator privileges are only needed if software installers write to system locations that require Administrator privileges for write access (e.g., Program Files folder, HKLM registry keys, etc.).  If software is installed to locations accessible to the user and doesn’t otherwise use those protected resources then Administrator privilege is not needed installation.

Reply | Quote

Susan Bradley wrote:

Review the entries for ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser. Set the former to 1 and the latter to 3. (See Figure 1.)

Aren’t these transposed?

There’s no valid setting of 3 for the User: ConsentPromptBehaviorUser

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

1 user thanked author for this post.

Susan Bradley

Reply | Quote

It got flipped on edit.  I’ll fix the image as well.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

b

Reply | Quote

I use a standard account in my day to day use, but have a separate Admin account which I only log in to when I want to make system-wide changes. I use elevated privileges on my standard account when I need to – requiring my Admin account’s password. I also have the system Administrator account disabled.

Might be a bit excessive, but I’m more than used to it at this point.

2 users thanked author for this post.

Tom-R, Michael432

Reply | Quote

Many thanks for this. However, just have to say I found it difficult/confusing to figure out HOW to create my “standard”/”limited” account when setting up a new machine within the last year. Windows 10 seems to ASSUME that you want to use the admin account!!!
I won’t tell you my age, but I began using PC’s with DOS 2.1!! So maybe I am not as flexible as I used to be. But I did feel like I had to “hunt around” a bit to do that!!

Reply | Quote

I don’t see the need to have any other account other than the Local Account Administrator. I live alone in my own apartment and never have visitors or guests, and my living quarters are secure. I am home for all but two hours a week and my computers never leave my apartment. I never even take my smartphone with me for my two hour trip to the supermarket each week. I just don’t see the need nor any advantage to having a Microsoft Account (I don’t use any application that requires a Microsoft account); and I don’t leave any of my computing devices (other than the smartphone) up and running unattended when I am not directly using them. I don’t like having to enter a username and password just to sign onto a computer that no one ever accesses (other than Big Brother Microsoft) but me; and I want whoever finds my body, in the event of my untimely demise or sudden death, to have access to my computers for obvious reasons (Executor, beneficiary, etc.).

 

1 user thanked author for this post.

Mele20

Reply | Quote

If you are on the Internet you could have attackers that come after you. It’s not just physical security to be concerned over, it’s what you do on the web. When you run your machine without admin rights, it makes it harder for attackers to take over your system.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Tom-R

Reply | Quote

I don’t like having to enter a username and password just to sign onto a computer

A password is not required; just leave the field blank when creating a new user account.
And the logon screen shows icons for all the defined accounts; just click on the one desired.
Try it: it is easy enough to delete the account if one doesn’t like it.

Susan’s comment is quite valid.

Reply | Quote

One of the tools I’m adding to my arsenal is the use of multi-factor authentication. I rely on the service Duo (from Cisco) to add the additional requirement of a phone app (or a phone call to those without a smartphone).

Great tips, thank you very much!
Two questions I have are: Approximately how much is Duo costing you?  And what version/edition are you using?

Thanks!

Reply | Quote

Duo have a free version for up to 10 users.

cheers, Paul

1 user thanked author for this post.

Norio

Reply | Quote

Most of the time, standard user rights are enough. Even Windows Updating handles standard user rights properly. But every now and then, especially on older software, administrator rights are needed. The easiest way to deal with this is to set up two accounts for yourself, one standard and one administrator. Then let User Account Control (UAC) be your friend. whenever you are running as a standard user and some process needs admin rights, UAC will pop up and ask for an account with elevated rights. Just use your administrator account to carry on.

I would like to take Susan‘s advice and change my admin account to Standard. I do not have a need to share across other computers.  I don’t want/need a family group or sharing, it’s just me, but I have no experience with the user accounts, and I’m afraid I will mess it up and possibly lose access to my computer! I’ve always had the computer set up by someone and have never done anything with user accounts.

Right now it’s an admin account. I can follow Susan‘s instructions and check the registry for UAC. How do I create and use a standard account? Should I follow these instructions? https://support.microsoft.com/en-us/windows/create-a-local-user-or-administrator-account-in-windows-10-20de74e0-ac7f-3502-a866-32915af2a34d

On your local machine, see whether you can change your user account to a standard user instead of administrator.

What do I have to check to see if I can change to account to standard? What else do I have to pay attention to when I make this change?  I know where User Accounts are in the control panel and I can see the admin account is selected. I assume I create the Standard user account (instructions above?) and then select it?Thanks. Donna

Reply | Quote

DO NOT convert the only account on the computer from an Administrative account to a Standard account. There needs to be ONE (non-used) Administrative account or your hands will be tied for making some changes. The first account created during Windows installation is an Administrative account.

If you want to use a Standard account for security there are two methods:

If your current account is an Administrator (the first account created during installation), and you want to keep that ID, create a second Administrative account with a password, then convert the original account to a Standard account. Use that Standard account for everyday purposes and use the new Admin account only when Admin privileges are needed.

If your current account is an Administrator (the first account created during installation), and you do not care about keeping that ID, create a Standard and use it for everyday purposes. Be sure the Admin account has a password and use it only when Admin privileges are needed.

1 user thanked author for this post.

oldfry

Reply | Quote

Thanks PK. But I guess I don’t understand the difference between the two methods – don’t I end up with a std & admin in the end?

• In the first method – my current admin becomes my standard (I think I prefer this bc I don’t know how my user account was set up in the beginning and I am happy with how it is working – everything is associated to this account.)?
• In the 2nd method – I’d be creating a brand new account for everyday purposes, but that original Admin remains intact?

Reply | Quote

But you need to make sure that you still have an administrator account.  So go back in and set up another account and change it to be an administrator.  Log into that new account and make your original one a standard user.  I can do a video and show you what I mean.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

I can do a video and show you what I mean.

that would be great thank you!

Reply | Quote

If you use the second method, you will have to transfer all your data and settings to the new Standard account and remove them from the original account.

If you have an account that is already being used, and all your data and settings are there, the first method is best for you. The new account will be the Admin and there it will not need your data to function. And the only thing you will need to do is change the original account that you are using from Admin to Standard.

And whatever you do, DO NOT loose the password for the Administrative account. Write it down and put it somewhere safe.

Susan can make a video to show how to do it.

1 user thanked author for this post.

dmt_3904

Reply | Quote