• The problem with local administrator accounts


    • This topic has 87 replies, 33 voices, and was last updated 4 months ago.
    #2554029

    ISSUE 20.17 • 2023-04-24 Look for our BONUS issue on Monday, May 1, 2023! ON SECURITY By Susan Bradley Microsoft doesn’t want you to use a local admin
    [See the full post at: The problem with local administrator accounts]

    Susan Bradley Patch Lady/Prudent patcher

    • #2554044

      Recently, Microsoft launched a new offensive in its attempt to thwart our love of absolute control over our own machines — by bullying us into making a choice it prefers but that we might not.

      But we all know where this is going – one day you simply need to use a Microsoft account. And just as with smartphones, there will be things to ‘jail-break’ your Windows.

      As for setting up Windows on business machines – I create a new (local) user account, install Windows, add the machine to the domain and then delete that account. As the admin account is disabled by default, you don’t need things like LAPS. Now this WILL get you in trouble if for some reason the PC gets disconnected from AD. Then you have to hack the local admin account or reinstall Windows.

      2 users thanked author for this post.
    • #2554047

      ISSUE 20.17 • 2023-04-24 Look for our BONUS issue on Monday, May 1, 2023! ON SECURITY By Susan Bradley Microsoft doesn’t want you to use a local admin
      [See the full post at: The problem with local administrator accounts]

      And Susan also wrote: <bullying us into making a choice it prefers but that we might not>

      This very much reminds me of “The Net” (1995) with Sandra Bradley, NO, Bullock!

      1 Desktop Win 11
      1 Laptop Win 10
      Both tweaked to look, behave and feel like Windows 95
      (except for the marine blue desktop, rgb(0, 3, 98))
    • #2554063

      I once made a Backup Admin account (never have used it), only because of an article’s warning “What happens IF your Single Admin acct becomes corrupt?” (maybe Macrium wasn’t anticipated) ……

      Is THAT still a practice with advanced users? So, IF I change my current main Admin acct to User, I have the Backup Admin already (Chg Name to Admin?). Would you then make another Backup-2 Admin acct to be safe even while having Macrium?

      W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desk-Ethernet - SSD-HDD/ i5(8th Gen) 12GB / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0

    • #2554064

      I am, sadly, still using an administrator account as my main account (with Microsoft login, which I can live with). The reason is that I set my PC up that way and, when I came to look at changing it, I saw that my backups, all scheduled using Acronis True Image 2019 onto my NAS, require administrator rights. So, if I change my normal account to Standard, I think Acronis would not have the permissions to run.

      Is there a workaround that would enable me to run the backups automatically with administrator rights without having to move it to the Administrator account?

      Chris
      Win 10 Pro x64 Group A

      • #2554073

        Is there a workaround that would enable me to run the backups automatically with administrator rights without having to move it to the Administrator account?

        Add a [user] account (non-admin), reboot, login as that new [user], install Acronis True Image 2019 again, reboot, again login as new [user] and finally start Acronis from the File Explorer context menu with [Run as Administrator] and see if that works with the images on your NAS.

        1 Desktop Win 11
        1 Laptop Win 10
        Both tweaked to look, behave and feel like Windows 95
        (except for the marine blue desktop, rgb(0, 3, 98))
        • #2554078

          Thanks – I’ll give it a try. Would that run OK if the account that has Acronis is not logged on when a scheduled backup is due to run?

          I am trying not to have to reset-up all my backup jobs in the main account (which would then be Standard), so how then would I set the existing Acronis instance, in my regular account, to run as an administrator?

          Chris
          Win 10 Pro x64 Group A

          • #2554096

            when a scheduled backup is due to run?

            I have no idea how Acronis scheduling behaves, sorry. I used Acronis only on demand and SAKMM.

            P.S. 1. About a year ago I switched to Macrium Reflect.

            2. SAKMM = Standby At Keyboard Monitoring Monitor.

            1 Desktop Win 11
            1 Laptop Win 10
            Both tweaked to look, behave and feel like Windows 95
            (except for the marine blue desktop, rgb(0, 3, 98))
      • #2554218

        My PC has three user accounts: mine, my wife’s, and one labeled with a movie character’s name.  The latter has admin privileges, and the other two are standard accounts.  I make my disk images manually.  When it’s time to make a disk image (Macrium Reflect), I log into the admin account and run it from there.  In the standard accounts, rarely a piece of software (usually when updating) will ask for admin privileges.  It’s just a matter of typing in the admin password, and all proceeds nicely.

        On an associated note, I keep my data files separate from Windows and the applications.  I back up my data files using a Robocopy script immediately before logging off.  It usually takes about a minute to back up something new or an older file that has been changed.  I make a disk image about once a month, after the latest Microsoft update proves itself reliable.  Sometimes more often if I’ve made a big change, like adding a new printer.  I also copy everything to an external hard drive about once a month.  I then swap that drive for its partner that’s kept in a safe deposit box.  If my house burns down, worst case is I’ll only have about a one-month loss.   Separation of data from everything else is easy on a desktop.  I have three separate storage drives in mine.  It’s more problematic in a laptop, but you could still do it, using an external drive.

        Casey H.

        • #2554220

          Using local accounts should not be a hassle for home users.  Like Casey, I have only local accounts on each Windows 10 Pro PC – two user accounts for normal work, and a local administrator account for installs, patches, and back-ups.  I use a different colored Toshiba external drive for back-up/recovery for each PC.  I use TrueImage 2012 on the old Windows 7 computer, and Macrium Free for the two newer PCs (initially I used TrueImage 2020, but it could not handle the encryption/decryption well.)  I do a pre & post update back-up each month.  I do not have fiber Internet, so cloud back-ups are a non-starter for lack of speed (not to mention my distrust of third party storage security and actual deletion capability.)

    • #2554067

      I just tried this and was unsuccessful in retaining all of my desktop applications and corresponding icons. I assume I was reverted to a basic Windows 10 setup. I previously had two monitors set up and, when logging into the new administrator account, I lost the second monitor. I am sure I could have gotten it back in the settings. But it really freaked me out. So for now I am back to my old User account. I would like more information before proceeding.

    • #2554079

      Needless to say, I’m hoping that Microsoft will do one or the other — back down from this badgering and bullying, or provide the option “Don’t show this to me again” so the pop-up goes away.

      It’s not a pop-up.

      Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

    • #2554106

      My wish list item is for MS to provide a visual clue when running as an administrator account.  I use a software product that only works properly under my standard user account when installation or updates are done while logged in as me with my account elevated to administrator.  It will not work properly for me if I do installs/updates using “Run as administrator” nor if I do them logged in as the Admin account.  Getting distracted and forgetting to change my account back to a standard account has happened a time or two.  Having a visual clue of the administrator status would have prevented unknowingly running with admin privileges.

      • #2554155

        Having a visual clue of the administrator status would have prevented unknowingly running with admin privileges.

        This is very easily done using something like an AutoHotkey script run from logon (e.g. a registry ‘Run’ key or a startup folder).

        For example:

        ; Icons by Axialis (https://www.axialis.com/)
        ; AutoHotkey v1 script: show a tray icon that reflects whether this
        ; script (and therefore the signed-in session) is running elevated.
        #SingleInstance Force        ; replace any earlier copy instead of prompting
        #Persistent                  ; keep the script alive so the tray icon stays up
        if (!A_IsAdmin)
            Menu, Tray, Icon, C:\_MY\Resources\User-Warn.ico ; use a valid icon file name
        else
            Menu, Tray, Icon, C:\_MY\Resources\User-OK.ico ; use a valid icon file name
        Return

        ; Ctrl+Alt+Esc exits the script (a bare Esc hotkey would swallow Esc in every app)
        ^!Esc::ExitApp

        This will show an icon in the Notification Area:

        [Screenshot: tray icon showing the running-as status]

        Which of the two icons it shows will depend on the status of the signed-in account. If you sign out then sign in with a differently-privileged account then the icon will change accordingly.

        The 2 icons I used are from the free Axialis-Web-Mini-1-Ico pack but you can use any images you want (provided they are valid icons, e.g. ICO, CUR, ANI, EXE, DLL, CPL, SCR and other filetypes that contain icon resources… just ensure you provide a valid filepath to the icon resource.)

        Hope this helps…

        3 users thanked author for this post.
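
The same elevation check written in PowerShell, as an added example that is not part of the original post or the AutoHotkey script above. It uses the built-in Windows system icons (the UAC shield for an elevated token, the information icon otherwise), so no icon files or paths are assumed; the script file name Show-ElevationIcon.ps1 is a placeholder.

```powershell
# Added example (not from the original post or the AutoHotkey script above):
# a tray icon whose picture and tooltip show whether THIS session's token is
# elevated. Run it at logon from the Startup folder or a Run key, e.g.
#   powershell.exe -NoProfile -WindowStyle Hidden -File Show-ElevationIcon.ps1
# (Show-ElevationIcon.ps1 is a placeholder file name.)
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

function Test-Elevated {
    # True only when the token carries the Administrators group with its
    # privileges enabled. An Administrators member running the filtered
    # (non-elevated) token that UAC hands out at logon gets $false, which is
    # exactly the distinction the original poster wanted to see at a glance.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ElevationStatusText {
    $user = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    if (Test-Elevated) { $text = "ELEVATED: $user" } else { $text = "Standard token: $user" }
    # NotifyIcon.Text is limited to 63 characters
    return $text.Substring(0, [Math]::Min(63, $text.Length))
}

$tray = New-Object System.Windows.Forms.NotifyIcon
# Built-in system icons, so no icon files are needed: the UAC shield for an
# elevated token, the plain information icon for a standard one.
if (Test-Elevated) {
    $tray.Icon = [System.Drawing.SystemIcons]::Shield
} else {
    $tray.Icon = [System.Drawing.SystemIcons]::Information
}
$tray.Text    = Get-ElevationStatusText   # hover tooltip
$tray.Visible = $true

# Right-click menu with an Exit entry instead of a global hotkey
$menu = New-Object System.Windows.Forms.ContextMenuStrip
$exit = $menu.Items.Add('Exit')
$exit.add_Click({
    $tray.Visible = $false
    $tray.Dispose()
    [System.Windows.Forms.Application]::Exit()
})
$tray.ContextMenuStrip = $menu

# A message loop keeps the icon alive until Exit is chosen or the session ends
[System.Windows.Forms.Application]::Run()
```

Because the check is made on the script's own token, the icon reflects the session it was started from: launched at logon it shows the standard token of an Administrators member, and only a copy started with "Run as administrator" shows the shield.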
      • #2554587

        Another more obvious way to signal yourself is to have a desktop background image you only use for the administrator account. https://support.microsoft.com/en-us/windows/change-your-desktop-background-image-175618be-4cf1-c159-2785-ec2238b433a8

        I just have the default Windows E logo installed when I set up the admin acct. My user account has rotating photos loaded by John’s Background Switcher.

        1 user thanked author for this post.
    • #2554128

      Hey Y’all,

      FWIW: I’m GUILTY! Yes I run with an ADMIN account. But…

      • I have a Strong Password on the account.
      • I have BOTH Windows Defender and Malwarbytes Premium running. Along with several Browser extensions.
      • I read popup permission boxes carefully before clicking OK.
      • I ALWAYS have several generations of Macrium Reflect Image backups on external drives, never connected except while using Reflect.
      • I have File History enabled with my NAS as the target.

      The way I use my machines I would be constantly logging in and out as I use a lot of programs which require Administrative access. I just can’t see changing the way I’ve been operating for decades, w/o a Virus I might add.

      That said, if I was running a business NOBODY would be using an Admin account except the Administrators and then only when doing Administrator things!

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      5 users thanked author for this post.
      • #2554168

        FWIW: I’m GUILTY! Yes I run with an ADMIN account.

        I do too… but for an additional and slightly different reason.

        Most Windows users are not aware that the first account created during a fresh install of Windows is, by default, a member of the Administrators group… and, for the most part, will neither know nor care, despite advice to create and use a standard account.

        For me, that means writing answers to questions using the same user context as most posters… unless we ask every time “are you running as a standard user”, then explain the differences. It can all get complicated really quickly.

    • #2554141

      Question: as a local user acct, full admin, doesn’t setting UAC to notice changes (anything above NO notice) with user to approve a change (or not), offer extra/enough protection too?

    • #2554161

      Question: as a local user acct, full admin, doesn’t setting UAC to notice changes (anything above NO notice) with user to approve a change (or not), offer extra/enough protection too?

      UAC provides a warning rather than protection. Protection would just disallow.

    • #2554166

      I’m out. This is way over my head. I’ll just wait for the cliff notes.

      2 users thanked author for this post.
    • #2554169

      I’m out. This is way over my head.

      If you stick with ‘standard account = good; admin account = bad’ (unless advised differently) then you’ll be fine.

    • #2554195

      I have never run routinely under an Administrator account, always a Standard User except those rare occasions when maintenance or software installation required being logged into an Administrator account.  And they are indeed rare, for example, running a repair/reinstall requires being logged in as an Administrator.

      Run as administrator gets 99.9% of what I need to accomplish done without issue.  The majority of my routine maintenance is carried out by Task Scheduler either running (whether user is logged in or not) as Administrator or running as System.

       

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

    • #2554199

      Re. legacy LAPS (which I helped a client deploy on a few hundred machines), I’m confused. Two quotes from this article:

      “If you are deploying the April updates to an existing PC, remove the old LAPS app first.”

      “Existing machines with LAPS already installed are fine — no action needed.”

      I probably need to re-read and test, but I thought I’d ask for clarification first.

       

      • #2554211

        If your build process includes deploying legacy LAPS, don’t do it from now on. Anything with the new 10/11 code has the new LAPS code built in.

        If you have laps already installed, it won’t stop functioning as a result of the April updates.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
    • #2554193

      Is there a reason not to use the builtin admin account instead of creating a new one?

      • #2554212

        The main built in account should be considered more like an “in case of emergency”.  That main account has more rights than even a normal admin.

        Susan Bradley Patch Lady/Prudent patcher

        3 users thanked author for this post.
        • #2554329

          The main built in account should be considered more like an “in case of emergency”. That main account has more rights than even a normal admin.

          In my tinkerin’, I have had only two occasions where I had to enable and use the built in Administrator.  In each case, after I accomplished my goal, I disabled the account again.

          Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
          We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

    • #2554242

      Wow. After over 20 years, MS is finally going to address the exploits that easily get normal users admin or system rights. They will get rid of local admin accounts. Typical MS, rather than fix the issues they will block or ban it. I have used these exploits since high school with my friends to play games on school computers. Then I used the same exploits in college for games and running download torrents on the school network. Even now at work, I use the exploits when IT is too stupid to fix issues or I need a specific program installed that is not IT approved.

      The other reason that has been mentioned on net that MS is doing this is to easier track and spy on users for MS make a profit department.

       

    • #2554292

      Been running as full admin user forever.  Also have UAC turned off.  Have never encountered a problem due to this choice.  Also operate as a local account.  I figure if Microsoft is haranguing me to do something, it must be because they will reap more than me in the deal.

    • #2554375

      Accounts

      I first learned about separating the administrator account and the user account about 15 years ago from the book Microsoft Windows XP Inside Out. That subject was also covered in the subsequent similar book for Windows 7. It’s a lot more work because each account requires some customization, but having the administrator account and user account separated provides peace of mind that I find well worth the effort. See attached screenshot.

    • #2554423

      Been running as full admin user forever. Also have UAC turned off.

      Same.  I have never had any issues. Plus I do a lot of iffy and/or borderline things on the net and never got a computer virus.  For several years on Windows NT, I never even had an antivirus since it cost too much. Now because of the 99% clueless tech people, MS wants to change things.

      The 99% clueless people see a message from a pop-up that you have a virus and click on it to get rid of the virus… This is ridiculous that the rest of us (1%) have to suffer because of them.

    • #2554457

      I know I should have set up a separate Standard User accnt long ago, but issues with apps always caused me to go back to the one admin accnt. from the original admin accnt installation.

      I’m now trying Susan’s recommendation. When in the new default Standard User accnt., certain apps require me to type in the admin accnt password–Windows System Restore backup and Macrium backup. Is there a way to bypass this on these commonly used apps?

      Oddly, opening these two apps (when in Standard User accnt.) doesn’t require me to log off and back into the admin accnt; I just type in the admin accnt password.

      • #2562884

        @cmar6,

        I start any application that requires full admin privileges via a shortcut that calls a scheduled task set with the Highest Privileges checkbox. Works like a charm.

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        • #2562897

          When I right-clicked the shortcut, say to Create Restore point, Advanced, I was unable to change to “Run as Administrator.”

          • #2562920

            @cmar6,

            You don’t change it in the shortcut but rather in the properties of the Task Scheduler task.
            [Screenshot: Task Scheduler task properties with “Run with highest privileges” checked]

            May the Forces of good computing be with you!

            RG

            PowerShell & VBA Rule!
            Computer Specs

            • #2562940

              In Task Scheduler, I found System Restore (if that’s what I should be looking for).

              “Run whether user is logged in or not” is checked and grayed out.

              “Run with highest privileges” could not be checked.

              And I don’t even know if that is the right task.
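
RG’s shortcut-plus-scheduled-task approach from #2562884, written out in PowerShell as an added example that is not RG’s own script and not from the original page. The task name, the shortcut path and the choice of SystemPropertiesProtection.exe (the System Protection dialog where a restore point is created, matching the “Create Restore point” shortcut discussed above) are my assumptions.

```powershell
# Added example (not from the original post). Run this ONCE from an elevated
# PowerShell session: registering a task with RunLevel Highest itself requires
# elevation, which is why "Run with highest privileges" is greyed out when the
# task is opened from a standard account.
$TaskName    = 'Open System Protection (elevated)'                          # placeholder name
$Target      = "$env:SystemRoot\System32\SystemPropertiesProtection.exe"      # System Protection dialog
$ShortcutLnk = Join-Path $env:USERPROFILE 'Desktop\Create Restore Point.lnk'  # placeholder path

# 1. The task: run $Target as the interactive user, with that user's full
#    (elevated) token. No trigger, so it only runs when started on demand.
$action    = New-ScheduledTaskAction -Execute $Target
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
                 -LogonType Interactive -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                 -ExecutionTimeLimit (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal `
                       -Settings $settings -Force | Out-Null

# 2. The shortcut: schtasks /Run starts the task, and because the task already
#    carries the Highest run level there is no UAC consent prompt for that user.
$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($ShortcutLnk)
$lnk.TargetPath   = "$env:SystemRoot\System32\schtasks.exe"
$lnk.Arguments    = "/Run /TN `"$TaskName`""
$lnk.IconLocation = "$Target,0"
$lnk.Save()

# 3. Verify what was registered
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName,
    @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } },
    @{ n = 'UserId';   e = { $_.Principal.UserId } }
```

The task runs under the identity named in its principal, so this only removes the consent prompt for an account that is already in Administrators; it gives a standard account no rights it lacks, which is the situation cmar6 ran into above.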

    • #2554465

      Same. I have never had any issues. Plus I do a lot of iffy and/or borderline things on the net and never got a computer virus. For several years on Windows NT, I never even had an antivirus since it cost too much. Now because of the 99% clueless tech people, MS wants to change things.

      Me too... three now. I always have admin account as main account and UAC turned off. Since I am poor, I took liberties with antivirus and downloads. I never have gotten a virus. Even after getting a free antivirus, I scanned and had nothing. There are too many programs that keep asking for changes etc. with admin and UAC. I know what I click and what settings I am changing. I never can understand why people do not use admin account with UAC turned off. Now I will think like you said that they are clueless tech people.

      • #2554814

        Since I am poor, I took liberties with antivirus and downloads. I never have gotten a virus.

        Consider making a backup as perceptions and plans don’t always work as anticipated.

        No one plans to get a virus.

        On permanent hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #2554480

      Even though @Rush2112 says it’s way over his head, I’m gonna try to paddle my way through.

      I have some questions about what happens on my Win10/Pro 22H2 laptop after following Susan’s instructions. The questions are about accounts/account names, passwords, and a local, standard account that already exists.

      BACKGROUND:
      1)
      Right now, in the Navigation Pane, in the section for Desktop, there is a folder that has my first name and my last name on it. See the blue arrow in the attached Navigation-Pane.jpg
      [Attachment: Navigation-Pane.jpg]
      –This Firstname Lastname (i.e., Name #1) shows up above the log-in field, when I power up and use Password #1 to sign in. It was first created when I started using the laptop.
      –It was set up as a Microsoft Account. The password to log-in to the laptop is the same password that I use to log-in to my Microsoft Account.
      –When I right-click on it in the Navigation Pane, there is no Properties option.
      –This blue-arrowed folder shows up under Settings|Accounts|Your info, and it says ‘Administrator’. See Settings-Accounts-Your info.jpg
      [Attachment: Settings-Accounts-Your info.jpg]

      2)
      Further down in the Navigation Pane, under OS (C:)\Users, there is a folder with my first name only (Name #2). See the red arrow in Navigation-Pane.jpg
      –This name does NOT ever show up in the log-in field on the laptop, but it, too, seems to have been created when I first started using the laptop.
      –When I right-click on it in the Navigation Pane, there IS a Properties option. See Properties.jpg for the Properties of the firstname folder (Name #2).
      –This red-arrowed folder does not show up anywhere in Settings|Accounts.
      –Is the red-arrowed folder Administrative, too (since it seems to be the same as the blue-arrowed folder since the contents of the two folders are the same)?
      [Attachment: Properties.jpg]

      3)
      Recently, I set up another account as a local, standard account. This is the one marked by the green arrow in Navigation-Pane.jpg. I sign into that one with Password #2. It has Name #3 (firstname2), associated with it.
      — When I right-click on it in the Navigation Pane, there IS a Properties option. See Properties.jpg for the Properties of the firstname2 folder (Name #3).
      –It shows up in Settings|Accounts|Family & other users with Name #3 (firstname2).
      –When I check it there, it says that it’s a local account. See Settings-Accounts-Family-Other users.jpg
      It doesn’t say anything about “administration”, so I presume that it is a standard account (i.e., not-administrative=no administrative rights).
      [Attachment: Settings-Accounts-Family-Other users.jpg]

      MY QUESTIONS:
      4)
      The curious thing for me is that the subfolders listed under the blue-arrowed folder and subfolders under the red-arrowed folder are exactly the same.
      a) Why do the same folder contents show up in two different places?
      b) Is the red-arrowed folder Administrative, too? I ask because the contents of the two folders are the same and the blue-arrowed folder is “Administrator”, so I am thinking that the red-arrowed folder is also “Administrator”.

      5)
      So, let’s say that I follow Susan’s instructions, first adding a new account under Family and Other users | Other users as a user without a Microsoft Account and give this new account administrator rights. Will it have its own name (i.e., Name #4)? Will it have its own password (i.e., Password #3)? Will it be the account that I sign into when the laptop boots up? The old folder was connected to a Microsoft Account. The new one is being created without a Microsoft Account. What happens with the old administrative account, which was a Microsoft Account?

      6) Then, let’s say I go to the next step in Susan’s instructions, logging out and logging back in to this new Administrative account that I just created. If I understand the directions, it is allowed to find the old administrative account and change the old account type to ‘Standard User’. And even though the type has been changed, can I log into this old administrative account (which is now standard)? Will it still have the Firstname Lastname designation (Name #1) it had before? Will I still use the password #1 that it had before? Will it still be a Microsoft Account? (I don’t think it will be since it was newly set up without a Microsoft account, but maybe it’s possible that when the account type was changed, it changed to standard account, but remained a Microsoft account??) So, do I still have an account that is connected to a Microsoft Account?

      7) So what about the local account that I recently set up (the one marked by a green arrow)? Will the new administrative account display it as a local account under Settings | Family and Other Users | Others, even though it was originally set up under the old, administrative account?

    • #2554496

      I think this approach by MS is silly…but then that is coming from someone who is likely the worst of the bunch. I run as the built-in Super-Administrator(-500 SID) account with Group Policy set to UAC: Admin Approval mode for the built-in admin as DISABLED.

      I started down this path because, like some of the other older people here, I hated UAC when it first arrived.
      I have taken many steps to mitigate possible issues, including using AppLocker to control where even that Super-Administrator account can launch things from (to help keep me in line while drunk or just being stupid).
      In addition ALL internet facing apps, and some non-internet facing apps are run as a ‘standard user’. I try to avoid allowing services/drivers from said apps where possible.
      Group Policy is set to Auto-Deny ‘standard users’ requesting elevated rights.
      AppLocker only lets each of these standard users launch ‘specific path\apps.exe’ or ‘hashes’ or ‘from specific locations\*’ depending on the amount of control I want over each…this means no LoL bins outside of said programs path can be used by default at most. (One major exception being dllhost.exe)
      I create shortcuts which in turn use bat files, in a particular location that Standard Users cannot read, much less write to, alongside a neutered version of PsExec to avoid having to manually answer a password prompt via runas each time I launch one, while also ensuring it can’t be used remotely.
      Setting things up this way has allowed me to alter NTFS file permissions in a greatly expanded way.  I can restrict them from reading things I don’t think they need to be able to access by default even if Windows would normally allow it by removing user read permissions. (Not saying I have covered all the bases here, particularly with .dlls) I have also battened down the hatches via registry permissions and service permissions removing many User read rights.
      Much of the above is handled by lgpo infs which I have set to auto-run when an update is detected upon login (via Group Policy) because sometimes those permissions are ‘reverted to default’ during an update.  I only use offline updates from the windows catalog alongside UWF while not enabling servicing mode so any update requires me to disable UWF then reboot then install the update which is normally followed by another reboot then I re-enable UWF and reboot again…blah blah blah
      I’ve also enabled ‘LaunchProtected’ for many svchost instances (though I’ve had to un-protect a few over the years as MS changes/updates things)
      Even after all the above I found a few potential security/privacy issues left between even that software which can only run under a standard user account.
      Said ‘standard users’ can still read/write/terminate processes not under their control (run as another standard user [Medium Integrity], e.g. those NOT ‘Run as Admin’ [High Integrity or SYSTEM], including those started by your administrator accounts logged in as Medium Integrity). This may sound like a strange nitpick as High or System integrities can still interact with each other at the same or lesser integrities, but I’m of the mind that my browser doesn’t need access to my document apps unless I deign it!
      So I now use a kernel level driver to control which processes an app can access and have it set to block anything not covered in a rule by default. It took a while to collect enough rules [and lots of testing in VMs] to make this viable for MY daily usage patterns as it also blocks windows processes including svchost by default.
      In addition, if one app running under medium integrity was to be exploited, it could in turn be used to monitor the keystrokes of another standard user. The same still applies for High Integrity to High Integrity or below and again with System to anything below its integrity level as mentioned above for the memory access….but why is this allowed for Medium Integrity?
      So now I also use HitmanPro.Alert (On top of the Windows Anti-Exploit rules) with profiles that enable Anti-Keylogging where possible.
      I’m not one for security through obscurity but that’s all I’ll mention here as it’s really all that I think is applicable for this topic.
      Of course this means that if something slips through my current setup I am well and truly fudged but I suspect that if I had to contend with the UAC prompts to ‘Run as Admin’ multiple times each day I’d start to auto-click stuff without actually reading it so this just works better for me.

      All that being said I think my daily usage of the Super-Administrator account has allowed me to both avoid UAC prompts and even enabled me to improve security/privacy in some cases. My rules are still the weak link, much like those that are fine with the UAC prompts are the weak link on their end. In that aspect nothing has changed even with my more convoluted setup ~ it simply lets me do it my way instead of Microsofts and I’m much happier for it.

      2 users thanked author for this post.
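
The settings this post talks about (UAC Admin Approval Mode for the built-in -500 account, auto-deny for standard users, who actually sits in Administrators) can be read back from the machine; the following is an added PowerShell audit, not part of the original post or any product on the page. The function and property names are mine; the registry values and the Administrators group SID S-1-5-32-544 are the standard Windows ones.

```powershell
# Added example (not from the original post): read the UAC policy values the
# post refers to and list who holds local administrator rights on this machine.
function Get-LocalAdminPosture {
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # The built-in Administrator is the account whose SID ends in -500 (the "Super-Administrator" above)
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    # S-1-5-32-544 is the Administrators group on every Windows install, whatever its display name
    $admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' |
               ForEach-Object { '{0} ({1}, {2})' -f $_.Name, $_.ObjectClass, $_.PrincipalSource }

    [pscustomobject]@{
        UacEnabled                 = ($policy.EnableLUA -eq 1)
        # 0 = elevate silently, 2 = consent on secure desktop, 5 = consent for non-Windows binaries (default)
        AdminPromptBehavior        = $policy.ConsentPromptBehaviorAdmin
        # 0 = automatically deny, 1 = credentials on secure desktop, 3 = prompt for credentials (default)
        StandardUserPromptBehavior = $policy.ConsentPromptBehaviorUser
        # "Admin Approval Mode for the built-in Administrator account"; 0 (disabled) is the Windows default
        BuiltinAdminApprovalMode   = ($policy.FilterAdministratorToken -eq 1)
        BuiltinAdminName           = $builtin.Name
        BuiltinAdminEnabled        = [bool]$builtin.Enabled
        AdministratorsMembers      = $admins
    }
}

function Get-LocalAdminFindings {
    param([Parameter(Mandatory)] $Posture)
    $findings = @()
    if (-not $Posture.UacEnabled) {
        $findings += 'UAC is disabled: every process of an admin user runs with the full token'
    }
    if ($Posture.AdminPromptBehavior -eq 0) {
        $findings += 'Administrators elevate without any prompt'
    }
    if ($Posture.BuiltinAdminEnabled -and -not $Posture.BuiltinAdminApprovalMode) {
        $findings += 'Built-in Administrator (RID 500) is enabled and exempt from Admin Approval Mode'
    }
    if ($Posture.StandardUserPromptBehavior -eq 0) {
        $findings += 'Standard users: elevation requests are automatically denied (hardened setting)'
    }
    return $findings
}

$posture = Get-LocalAdminPosture
$posture | Format-List
Get-LocalAdminFindings -Posture $posture
```

Run as any local user, the report makes the trade-offs in this thread concrete: the poster’s setup would show UacEnabled true with FilterAdministratorToken off and the RID-500 account enabled, while a machine following Susan’s advice shows the built-in account disabled and only a separate, password-protected account in the Administrators list.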
    • #2554581

      I don’t know about the rest of you, but as a new user of Windows 11 Pro 22H2, I was unable to set up a local account.  I tried the no@thankyou method, and another method I found, and both were unsuccessful.  I eventually set up a Microsoft account using the Microsoft account I already had from Xbox.

      Perhaps Microsoft has changed the registration process recently?

      Mark

       

      • #2554610

        I’ll test it out again this weekend and report back.  We’re supposed to be 90+ this weekend so I’ll be inside in the A/C

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
    • #2554596

      I think some people commenting here are missing the point: even if you haven’t had any problems to date without requiring an administrator login, that doesn’t mean this extra layer of protection to make it more difficult for ransomware or other malware to be installed on your system without your consent isn’t a really good idea.

      I just followed Susan’s advice and switched two Win 10 PCs I use at home to a local user account (previously my administrator account) that I’ll use all the time and a new administrator account that is password protected.

      The big difference, if you do this, is that you will need to log in as the administrator every time you install new software (and for many apps, any time you update previously-installed software) on your local user account. So it’s a good idea to use a new unique password you can easily remember, can type quickly, but still would be hard to guess. On some occasions when booting up (I already encountered this), you may need to log in as administrator and enter your administrator password when you do not have ready access on that PC to any password manager you use or stored password database you could copy and paste from; if so, having to type in a password manager’s randomly-generated 20-character secure password would be a nuisance.

      The only app/program I have that needs an administrator login to open is Macrium Reflect, which makes good sense anyway. But Macrium automatically runs scheduled backups without reentering the administrator password, which is what users would want.

      2 users thanked author for this post.
    • #2554604

      Another more obvious way to signal yourself is to have a desktop background image you only use for the administrator account.

      You misunderstand my issue. I already have different backgrounds for the Admin user and the Me user. What I wish for is a visual clue when I am running Me with the account elevated to administrator instead of the normal standard.

      The tip about adding an icon in the Notification area is intriguing although I prefer to keep it shrunk as small as possible.

      1 user thanked author for this post.
    • #2554612

      Maybe you might consider a tutorial on your techniques.

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • #2554709

        I attempted to message you directly but apparently my account isn’t fancy or old enough. I received an error stating: You do not have permission to access message system

        I suppose what I was going to say to you to start with can be said in front of others, though I don’t want to hijack this thread in any way, so perhaps we can find another way to communicate beyond this point if you are curious? I’ve set up a temporary email address you (or others) could contact me at via (email address removed) if you have specific questions or want more information on something in particular…but now back to what I had originally thought to send your way!

        I doubt my setup would work for many others as it’s built around me. I certainly wouldn’t suggest all aspects of it being adopted and each part would require an understanding of its place on your system. Much of what I’ve done can still be used if you run with UAC active even on your admin account (Admin run as Medium Integrity by default and asking for permission or password depending on your policies) but at the same time parts of it will be impossible without normally running under High Integrity. Other parts, such as the memory protections, are not available commercially [though there might still be a product that can accomplish something close]

        Sorry for the unrelated response but I wasn’t sure how else we could continue this as I can’t seem to send a DM on the forum atm. =(

        Moderator Edit: Email address removed. Please do not post personal information on the Forums (Even temporary email addresses).

    • #2554629

      Susan Bradley Patch Lady/Prudent patcher

      3 users thanked author for this post.
      • #2554638

        Very interesting. I checked out your link but I haven’t seen that notice yet. I also did the March and April updates, and yes I have a local account.

        Edition Windows 11 Pro
        Version 22H2
        Installed on ‎10/‎19/‎2022
        OS build 22621.2283

        1 user thanked author for this post.
        • #2554667

          Very interesting. I checked out your link but I haven’t seen that notice yet. I also did the March and April updates, and yes I have a local account.

          I checked out the link, too. It says that it applies to certain editions of Windows 10 and 11 (and not Pro/Home editions), i.e.

          We are aware that the notice is shown to users who log on to a device that is running Enterprise or Education versions of Windows 10 or Windows 11 by using a local user account.

          It also says that it applies to Microsoft products that are specifically available in China, which seems to be saying, for example, that Windows 10 or Office purchased in China is not the same as Windows 10 or Office purchased in the U.S.

          1 user thanked author for this post.
    • #2554710

      Another more obvious way to signal yourself is to have a desktop background image you only use for the administrator account.

      Another excellent idea which I had forgotten about, despite it staring me in the face.

      I’ve been using BgInfo for years on all my devices to provide a bitmap with useful information to my desktop:

      (screenshot: usergroup)

      Hope this helps…

      2 users thanked author for this post.
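      The two wishes above (a visual clue for "am I elevated right now?" in #2554604, and a BgInfo "User Group" field in this post) are both answered by the same question: what does the current token say? Here is an added example, not from any poster and not part of BgInfo or Sysinternals, that reports the elevation state of the PowerShell process it runs in and writes a one-line label a BgInfo custom field can display. The output file path is an assumption; wiring it into a BgInfo field is left to you.

```powershell
# Added example, not from this thread and not part of BgInfo.
# Reports whether the *current* token is elevated, and separately whether the
# user is a member of the local Administrators group at all, then writes a
# short label for BgInfo. The output path below is an assumption.

function Get-ElevationStatus {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole evaluates the token this process actually runs with. For an
    # Administrators member logged on under UAC, the normal (filtered) token
    # answers $false; only an elevated process answers $true.
    $isElevated = $principal.IsInRole($adminRole)

    # Group membership independent of elevation. The Administrators group
    # (well-known SID S-1-5-32-544) is still listed in a filtered token, marked
    # deny-only, so this tells you "could elevate", not "is elevated".
    $isAdminMember = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    if ($isElevated) {
        $label = 'ELEVATED - Administrators token'
    } elseif ($isAdminMember) {
        $label = 'Standard token (admin member, not elevated)'
    } else {
        $label = 'Standard user'
    }

    [pscustomobject]@{
        User          = $identity.Name
        IsElevated    = $isElevated
        IsAdminMember = $isAdminMember
        Label         = $label
    }
}

# Write the label where BgInfo can read it (a custom field pointing at this file;
# the path is an assumption). BgInfo runs at logon with the normal token, so the
# background reflects the shell's status, not that of one elevated window.
$status = Get-ElevationStatus
$out = Join-Path $env:LOCALAPPDATA 'elevation-status.txt'
Set-Content -Path $out -Value $status.Label -Encoding ASCII
$status
```

      Run it once from a normal PowerShell window and once from one started with "Run as administrator" to see the two labels. The caveat in the last comment is the honest answer to #2554604: a desktop background is drawn for the logon session, so it can show that you are signed in as Admin or Me, but not that one particular window on that desktop has been elevated.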
      • #2554796

        I had forgotten about BgInfo, which surprises me considering it was on all of the office PCs and I’ve only been retired for 2.5 years. Thank you for the reminder.

        Edit: I am happy with my customized BgInfo result. I think this is the answer for me.

        (screenshot: BgInfo-Snip)

        • #2555122

          If you ever need additions to the basic capabilities of BgInfo then I can perhaps suggest more functionality:

          (screenshot: bginfo_example2)

          Hope this helps…

          2 users thanked author for this post.
          • #2555192

            Thanks for the offer, but I actually impressed myself by creating the “OS Product Name” and “OS Sub Version” fields from registry entries and the “User Group” field from a script found online, which I modified to fit my needs. The “User Group” field was the important one to me. The others were just for fun.

      • #2555197

        I’ve been using BgInfo for years on all my devices to provide a bitmap with useful information to my desktop:

        Thanks for mentioning BgInfo. I’ve had SysInternals for a long time, but never tried BgInfo until now. It should prove very useful.

        On permanent hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #2554712

      I don’t consider it suffering at all.

      If you could include who you are quoting then it would be helpful. Just my 2 cents…

    • #2554713

      But we all know where this is going – one day you simply need to use a Microsoft account.

      And that’s what Microsoft telemetry will confirm… the number of Windows users who ‘sign in’ to Windows using a local account or not.

      I assume Microsoft will ‘up its ante’ to force users to sign in with an MSA, step by step. I guess it’s up to us all to push back against that encroaching enforcement and all that it entails.

      How much do you want to completely lose the desktop market, Satya?

      2 users thanked author for this post.
    • #2555244

      On one of my systems, I have three local user accounts: ABC (admin) with password, which I don’t know; xyz (standard user) with password, which I know; and fgh (standard user) with no password. Nevertheless the system boots into ABC as it automatically puts the password in on bootup. I must have set it up that way originally.

      If I boot into either xyz or fgh, I won’t have my usual Windows settings or desktop, so what good is that? Or I could change the xyz account to admin and ABC to Standard user. But then will I be able to boot into ABC (with my desktop and all my settings) since I don’t know the password?

      • #2555253

        The System-wide settings are common to all users and can be set by an Admin account.
        But most of the personalization settings (Desktop, app settings, email, browser, etc) are common to each individual User, not device wide. So unless you make the same settings on each ID, the accounts won’t look or act alike.

        • #2555259

          PK, thanks for the warning. The real question is whether, if I change my main admin account which has all the correct personalization settings, to Standard user, will I still be able to boot into that ABC account automatically, as I do now, considering I don’t know the password (but Windows does.)

          • #2555261

            You have to have at least ONE Admin account in the OS. Usually it’s the account created at first install of the OS. In my opinion, it’s best to leave that one alone because it is the owner of the initial installs. Just don’t use it.

            If you need another Standard account, create one using the Admin account. If you want a Standard account to look like the Admin account, go through the Settings App while in the Admin account and make a listing of all the settings. Then use the list to make the Standard account look the same. It’s a PITA of a job! 🙂

            3 users thanked author for this post.
            • #2555266

              One thing I noticed years ago is some of the settings you make as a standard user don’t always “stick” after a reboot. Not sure if that’s still the case as I always create the user as an admin, make my settings, then switch it back to standard.

              Never Say Never

    • #2555258

      Most Windows home users already sign in with a Microsoft account.

      Because they know no different or are not allowed at OOBE.

      It’s not a genuine choice, just a vile strong-arm tactic.

      2 users thanked author for this post.
    • #2555265

      “go through the Settings App while in the Admin account and make a listing of all the settings. Then use the list to make the Standard account look the same. It’s a PITA of a job.”

      That’s what I figured. I’ll have to think long and hard about it.

    • #2555270

      If you need another Standard account, create one using the Admin account. If you want a Standard account to look like the Admin account, go through the Settings App while in the Admin account and make a listing of all the settings. Then use the list to make the Standard account look the same.

      PK, your answer here is helping me understand things a bit better. I never rec’d any answer to my post in this thread (#2554480 — perhaps too long, too hard to follow, and should be its own topic).

      So, let me ask here. If you create a Standard account and you want it to look like the Admin account (except that it’s Standard), do you copy the Desktop (with all of its files and folders) to the Standard account (and then delete it under the Admin account)? Same question for other folders like the “personalfoldername” folder. If so, sounds like a LOT of work, and subject to error.

      Do you have to take special measures in making the created Standard account like the Admin account, if that Admin account is the only existing Admin account, is the one that was automatically created at the get-go, and is tied to a MS account? And let’s say that the created Standard account was created as a local account?

    • #2555344

      In a presentation given some days ago by Microsoft’s David Weston,
      he said that Microsoft is to migrate away from users with admin rights in favor of users with standard rights (4:40).

      1 user thanked author for this post.
    • #2555368

      So if he is going to do that, where does that leave the consumer, where I must have access to an admin account?

      Chris
      Win 10 Pro x64 Group A

    • #2555371

      I haven’t done a clean install since Windows 7 Ultimate (with the singular exception of when I set up my NAS). I have four Retail Windows 10/11 Pro licenses. In setting up a clean install I did the following:

      Once the installation routine gets to the account name, I use the name “Admin”, knowing that this first account will be a member of the administrators group. I set up a password for this account and finish the setup routine. I DO NOT install anything during this setup phase. I go no farther than choosing an avatar for the Admin account, and in 10/11, create a PIN.

      Once Windows has fully loaded and is ready for use, I open User Accounts and create a Standard user account. This is my “bbearren” account. From this account, I do my personalizations, install my programs/apps acknowledging UAC when necessary, and get this account set up to my liking.

      In my experience, very few programs/apps actually require that one be signed in as a member of the administrators group in order to be installed.  By far, acknowledging the UAC is the only invocation of Admin privileges necessary to do everything one wants to do on the Windows platform.

      My Admin account is a bare bones desktop, no email access, sparse of icons.  I choose a unique background for this account.  With that unique background and a sparse desktop, it’s easy to tell when I’m signed into my Admin account, which I do from time to time for some maintenance that requires being signed into an account in the administrators group.

      I never have to make settings transfers or anything of the sort in order to get full use of my Standard user account, since I don’t create any settings in the Admin account during the installation of Windows.

      Some folks just make things harder than they need to be, it would appear.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

      3 users thanked author for this post.
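      The procedure above (first account is the admin, a separate Standard account for daily use) and the worry in #2555244/#2555261 about demoting the wrong account can both be scripted and checked. This is an added example, not bbearren’s or PK’s own method and not from the thread: it creates a Standard local user, lists the enabled local administrators, and refuses to demote an account if that would leave no enabled administrator on the machine. It uses the Microsoft.PowerShell.LocalAccounts cmdlets shipped with Windows 10/11 and must run from an elevated PowerShell; the account names are constructed placeholders.

```powershell
# Added example, not a poster's own procedure. Requires an elevated PowerShell
# on Windows 10/11 (Microsoft.PowerShell.LocalAccounts module). The account
# names used at the bottom are constructed placeholders.

function New-StandardLocalUser {
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # New-LocalUser does not put the account in any group; without the
    # Add-LocalGroupMember call below it cannot log on interactively.
    New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $Name
    Get-LocalUser -Name $Name
}

function Get-EnabledLocalAdmins {
    # Members of Administrators that are local accounts (including local
    # accounts linked to a Microsoft account) and are currently enabled.
    # The built-in "Administrator" is disabled by default, so it usually
    # does not show up here.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -in @('Local', 'MicrosoftAccount') } |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object { $_.Enabled }
}

function ConvertTo-StandardUser {
    # Remove $Name from Administrators, but never leave the machine with no
    # enabled administrator (the lock-out PK warns about above).
    param([Parameter(Mandatory)] [string] $Name)
    $remaining = Get-EnabledLocalAdmins | Where-Object { $_.Name -ne $Name }
    if (-not $remaining) {
        throw "Refusing to demote '$Name': it is the only enabled local administrator."
    }
    Remove-LocalGroupMember -Group 'Administrators' -Member $Name
    # A demoted account still needs to be in Users to log on at all.
    if (-not (Get-LocalGroupMember -Group 'Users' | Where-Object { $_.Name -like "*\$Name" })) {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
}

# Usage with placeholder names: create the daily-use account, then see who
# can still elevate before demoting anything.
$pw = Read-Host -Prompt 'Password for the new standard account' -AsSecureString
New-StandardLocalUser -Name 'daily-user-example' -Password $pw
Get-EnabledLocalAdmins | Select-Object Name, Enabled, LastLogon
```

      Running Get-EnabledLocalAdmins first is the point: if it returns only the account you are about to demote (the ABC case in #2555244), create or promote another account and confirm you can sign in to it before touching the first one.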
      • #2555433

        OK, so you did that right off the bat.

        But, what if you were unaware of this procedure and went ahead with the OOBE that you were presented with when you first opened Windows 10/Pro?

        I need some basic understanding of User Accounts — Microsoft accounts, standard accounts, administrative accounts, local accounts, and other types of accounts (if there are any): how they are related to one another (there must be some kind of structured way {like an outline} to describe them), what you can and can’t do with each type.

        I set up my laptop OOBE with a Microsoft account that is an administrative account (MSA), and then later I set up a standard, local account (SLA). Each has its own password, the two show up in the left-hand corner of the log-in screen, and I can switch between these two accounts.

        The MSA has all of my files, data, programs, downloads, etc. The SLA account is very sparse (a minimal Desktop with the icons that the Users\Public\Public Desktop put there and NO other files in any other Users\Public\Public folders, only a few files in the Documents folder, and otherwise no data or programs in this SLA).

        I had originally thought that the MSA and the SLA each had a fence around it so that if I were working in one of them, I would not be able to access anything in the other. But, I’ve discovered that I can freely view/move/copy any data file from one account to the other and even set up shortcuts in the MSA to SLA data files and shortcuts in the SLA account to MSA data files. So, it’s clear that I don’t have the slightest grasp on how accounts work. Not that I want the fences, just that this is how I understood it.

        Do you have a good idea of where I can start reading up (not in technospeak) to understand this?

        • #2555443

          Here is some information that might be important:

          The difference between Copy/Paste (make a Copy) and Cut/Paste (Move):
          In NTFS, file permissions are contained in each file – files you created under your ID (documents, downloads, pictures, etc.) belong to you. Same for files with other IDs.
          If you Copy/Paste a file from one place to another, it makes a copy where it’s pasted and it takes on the permissions of the destination. If you Cut/Paste a file from one place to another, it moves the file to where it’s pasted but the permissions from the source location are not changed. So depending on sharing options, you may (or may not) be able to view/change/save the moved file.

          Copy/Paste makes a duplicate.
          Cut/Paste moves something.
          Drag/Drop (on the same drive) moves something.
          Drag/Drop (to a different drive) makes a copy.

          1 user thanked author for this post.
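      Rather than take the copy-versus-move rule above on faith, you can watch it happen. The script below is an added example (not from the thread) that builds two constructed folders under %TEMP%, gives the destination an extra inheritable Everyone:Read entry so any difference is visible, then copies one file and moves another into it and prints the owner plus the inherited and explicit access entries of each result. It only reads and writes inside that temporary folder; the -Cleanup switch removes it afterwards.

```powershell
# Added example, not from this thread. Demonstrates what Get-Acl reports for a
# file after Copy-Item versus Move-Item into a folder with different inherited
# permissions. Everything it touches lives under a constructed folder in $env:TEMP.

function Show-AclAfterCopyAndMove {
    param(
        [string] $Root = (Join-Path $env:TEMP 'acl-demo'),   # constructed location
        [switch] $Cleanup
    )
    $src = Join-Path $Root 'source'
    $dst = Join-Path $Root 'destination'
    New-Item -ItemType Directory -Force -Path $src, $dst | Out-Null

    # Give the destination an inheritable Everyone:Read entry that the source
    # does not have, so copied and moved files can be told apart.
    $acl  = Get-Acl -Path $dst
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        'Everyone', 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dst -AclObject $acl

    # Two identical constructed files; one gets copied, the other moved.
    $copySrc = Join-Path $src 'to-copy.txt'
    $moveSrc = Join-Path $src 'to-move.txt'
    Set-Content -Path $copySrc -Value 'constructed sample'
    Set-Content -Path $moveSrc -Value 'constructed sample'
    Copy-Item -Path $copySrc -Destination (Join-Path $dst 'copied.txt')
    Move-Item -Path $moveSrc -Destination (Join-Path $dst 'moved.txt')

    # Report owner and the split between inherited and explicit entries.
    $report = foreach ($leaf in 'copied.txt', 'moved.txt') {
        $a = Get-Acl -Path (Join-Path $dst $leaf)
        [pscustomobject]@{
            File      = $leaf
            Owner     = $a.Owner
            Inherited = ($a.Access | Where-Object { $_.IsInherited } |
                         ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
            Explicit  = ($a.Access | Where-Object { -not $_.IsInherited } |
                         ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        }
    }
    if ($Cleanup) { Remove-Item -Path $Root -Recurse -Force }
    $report
}

Show-AclAfterCopyAndMove | Format-List
```

      Because both folders sit on the same volume, Move-Item is a rename at the NTFS level, which is the Cut/Paste case the reply describes; copying the script’s $Root to a second drive turns the move into a copy-and-delete, so the Everyone:Read entry shows up on both files. The Explicit column is where a file carried from another user’s profile would reveal entries that the destination folder did not grant.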
        • #2555445

          OK, so you did that right off the bat.

          I’ve known about that since Windows 3.11.

          Do you have a good idea of where I can start reading up (not in technospeak) to understand this?

          You can try this one.  There are many different types of users in Windows.  In my experience the only accounts that are of any consequence for non-business users are the Administrator account and the Standard user account.

          Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
          We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

    • #2555427

      This seems by far the best way to go, but few know of this method and you have to get it right from the initial installation. What is the reason for creating a PIN and how do you do it?

      • #2555431

        The only benefit I know of is that login requires entering a 4-digit number rather than typing in a password. If you have a keyboard with a number pad, getting numlock to be enabled at that point can be a challenge.

        To do it (Win 10), select “Settings” from a Windows orb right-click, select Accounts, click “Sign-in Options” in the left pane, then click “Windows Hello PIN”. I don’t know what “Windows Hello” refers to, but I use a local account so have stayed away from this. I have a finger scanner on my HP laptop, so that is my preferred login method.

        1 user thanked author for this post.
      • #2555446

        What is the reason for creating a PIN

        It’s to simplify acknowledging UAC when selecting Run as administrator. It can be more than four numbers; four is the minimum.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

        1 user thanked author for this post.
    • #2555444

      Hey Y’all,

      Alex posted a video link which is well worth listening to, even though very technical, and very germane to this thread.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      2 users thanked author for this post.
      • #2555608

        Alex posted a video link which is well worth listening to, even though very technical, and very germane to this thread.

        Agree. I watched the entire video. It’s a deep dive into Windows 11 security. I found it a helpful perspective vs. Windows 10.

    • #2558461

      From Susan’s article:
      “Most of you probably use a Microsoft account to log in to your PC, but I know quite a few of you still prefer the ultimate control a local administrator account brings. You prefer it because it does not demand logging in via the cloud and may not even require a password.
      For someone who doesn’t travel, always has their PC at hand, and doesn’t save passwords in browsers, I don’t think this is a horrible thing to do. Risk is not absolute. Sometimes there are other factors important to you that make the absence of a password an acceptable risk.”

      This is me. I have always used a local account since I learned how to do it at Ask Woody when I set up my first Windows 7 OS.
      I also never sign in. I used this workaround:
      https://www.youtube.com/watch?v=jXQ7Aj5uBe4

      I also use an Administrator account. I have always done that too. I didn’t know that was bad. I am afraid I will just make a mess and possibly sign myself out and not get back in if I mess with what I have.
      I am not getting badges. But I am getting Notifications to sign in to my Microsoft Account. I just flick them away. I don’t know how to turn them off without turning off all Notifications.
      I use Microsoft Office Home and Business 2019. I am not signed in to my Microsoft Account for that either and all the apps work just fine without signing in.
      I have one desktop computer. It lives in my house. All my files live there inside it. (I have backups on an external hard drive and some flash drives backing up the backups) I don’t want my stuff in the cloud. I have no other devices to share info with.
      I do not understand most of this thread. My life is simple and I am going to keep it that way as long as I can.

      HP Pavilion Desktop TP01-0050 – 64 bit
      Windows 10 Home Version 22H2
      OS build 19045.3324
      Windows Defender and Windows Firewall
      Microsoft Office Home and Business 2019
      -Version 2308(Build 16731.20170 C2R)

      1 user thanked author for this post.
      • #2558476

        We have always used a local account and an Administrator account all the way back to Windows 98? I forget the number but it’s been a long time. We do not get notifications to sign in though; maybe it’s because we don’t use MS Office or anything else.

        We use Firefox, OpenOffice, AVG Free, Malwarebytes Free plus a few more free programs from FileHippo.

        No passwords are saved, they are all in my head. lol The cloud scares the wits out of me, especially when it also could get hacked.

        Edition Windows 11 Pro
        Version 22H2
        Installed on ‎10/‎19/‎2022
        OS build 22621.2283

        1 user thanked author for this post.