ISSUE 20.17.F • 2023-04-24
The next free edition of our newsletter will be published on May 8, 2023.

In this issue

ON SECURITY: The problem with local administrator accounts

Additional articles in the PLUS issue • Get Plus!

PUBLIC DEFENDER: Windows 11 screws up Print Screen — here’s how to fix it

ONENOTE: My favorite OneNote tricks

FREEWARE SPOTLIGHT: RoboMirror — robocopy’s fancy cousin



ON SECURITY

The problem with local administrator accounts

By Susan Bradley

Microsoft doesn’t want you to use a local administrator account, whether in a consumer or a business edition of Windows.

But depending upon which sort of user you are, the company is taking two different approaches to “encourage” you to stop using local accounts.

Be aware that if the account you use with your computer on a day-to-day basis is configured with administrator rights, you are putting your machine and your data at risk. It doesn’t matter whether you are a home user, a work-at-home user logging into a more secure environment, or a work user — an administrator has access to everything on your computer, from the operating system to the data. Attackers love to piggyback on that right and install anything or encrypt everything, as is the case with ransomware.

The goal in keeping yourself safe is making your machine a bit more hardened than the machine down the block. Make it so that an attacker gives up on you — and goes elsewhere.

In business, this is even more true. Attackers are trying their hardest to target you with phishing attacks. Upon my most recent cyber-insurance renewal, the underwriter explicitly required us to have:

Multi-factor authentication protection on all network administrator accounts and any other user accounts with elevated permissions within your network.

At the end of this article, I’ll go into more detail about what I’ve done to meet this requirement.

Recently, Microsoft launched a new offensive in its attempt to thwart our love of absolute control over our own machines — by bullying us into making a choice it prefers but that we might not. I’m talking about, of course, the local administrator account. Most of you probably use a Microsoft account to log in to your PC, but I know quite a few of you still prefer the ultimate control a local administrator account brings. You prefer it because it does not demand logging in via the cloud and may not even require a password.

For someone who doesn’t travel, always has their PC at hand, and doesn’t save passwords in browsers, I don’t think this is a horrible thing to do. Risk is not absolute. Sometimes there are other factors important to you that make the absence of a password an acceptable risk.

Urging you to use a Microsoft account

In a recent blog post, Microsoft described (in the Insiders Preview for Windows 11 build 23435) a new “badging” mechanism on the Start menu. I’d call it a “badgering” scheme. Microsoft characterizes it thusly:

We are continuing the exploration of badging on the Start menu with several new treatments for users logging in with local user accounts to highlight the benefits of signing in with a Microsoft account.

In Figure 1, you can see how this might work.

Figure 1. Windows 11 badging of the local administrator account. Source: Microsoft.com.

The messages in these Insiders tests, which might be hard to see in this smaller image, read “Sign in to your Microsoft account,” “Use Microsoft 365 for free,” “Keep your account safer,” and “Access your files from anywhere.” A Get started button is provided. Looks like an ad to me.

I call it bullying. And misguided. That’s especially true due to the hoops you must jump through to get a local account in the first place. I’ve described it several times in recent months — using the bogus email account no@thankyou.com to bypass Microsoft’s efforts to force you to use a Microsoft account. If you’re someone who has done this, I assume you’ve done it for a good reason. It’s not Microsoft’s place to interfere with the way you’ve chosen to run your own PC, including your decision to operate offline. I may live on the Internet 18 hours per day, but you’re not me.

I can describe at least one very good reason for avoiding a Microsoft account — security research. It’s a situation in which a pristine testing environment is necessary and for which it should be possible to create virtual machines without using a Microsoft account and getting the cloud involved.

Needless to say, I’m hoping that Microsoft will do one or the other — back down from this badgering and bullying, or provide the option “Don’t show this to me again” so the pop-up goes away. “Don’t show” is not a new thing; it’s been used elsewhere in the Microsoft environment, so why not use it here, too?

Administrator recommendations for consumer and home users

Rather than urging you to use a Microsoft account, Microsoft should be urging anyone still using an account with administrator rights as their daily, primary account to switch to one with fewer rights. If administrator rights are needed for some task, it’s a simple matter to log out and back in, or to approve the UAC prompt with the administrator account’s credentials while staying signed in as the standard user. Therefore, I continue to recommend that every home computer have two accounts: one with administrator rights, and the other with ordinary user rights.

If I already have a user account set up on a computer, and it’s been there for a while — meaning that there are files in the documents and downloads folders and applications already installed — I will then set up a second account that will be my administrator account.

Head to Windows 10 Settings | Accounts | Family and other users | Other users (on Windows 11, Settings | Accounts | Other users) and click Add someone else to this PC. If the person doesn’t have an email (for an administrator account, they typically will not), click I don’t have this person’s sign-in information, then Add a user without a Microsoft account. Enter the information required, after which you will return to the Other users panel. Click on the added user and click the button Change account type. Give the new account administrator rights. (See Figure 2.)

Figure 2. The dialog to change account type in Windows Settings

Log out and then log back in with your newly created administrator account. Go back into Settings, navigate to the Other users panel, click your original account, click Change account type, and convert the account from administrator to user. Log out and back in with your original account.

Now for the fun part. Check every application you use to see whether any of them has trouble running without administrator rights. You may be surprised — most will probably run. That doesn’t mean you won’t have outliers. For example, Intuit QuickBooks was notorious for demanding administrator rights. The workaround was to change the permissions for just the folders and registry keys that the software wanted to use, but this was just lazy programming on the part of the company, which could have handled the matter itself. Most software does the right thing today, but there still may be some older software that balks.

For you über-geeks, a tool called LUA Buglight can isolate and identify the folders and registry keys that need greater permissions for older software to run. You can also press WinKey, type the name (or portion of the name) of the app you want to run, and click Run as administrator to launch it.
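The same two-account split, done from an elevated PowerShell prompt instead of the Settings app, as an added example; it is not the article’s own steps and not a Microsoft sample. It also covers the two points just made: checking which accounts actually hold administrator rights, and elevating a single program from the standard account when an older app insists on it. The account name LocalAdmin and the program path are placeholders, and it relies on the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10 and 11.

```powershell
# Added example (not the article's steps or any Microsoft sample). Run from an
# elevated PowerShell prompt on Windows 10/11; uses the built-in
# Microsoft.PowerShell.LocalAccounts module. Names below are placeholders.

$AdminName = 'LocalAdmin'    # the new elevation-only account (assumption)
$DailyName = $env:USERNAME   # the account you use every day, to be demoted

function Test-IsElevated {
    # Refuse to change anything unless this session really holds administrator rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-EnabledLocalAdmins {
    # Local user accounts in Administrators that are enabled, i.e. ones you could sign in with.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -ne 'ActiveDirectory' } |
        ForEach-Object { $_.Name.Split('\')[-1] } |
        Where-Object { (Get-LocalUser -Name $_ -ErrorAction SilentlyContinue).Enabled }
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }

# 1. Create the administrator account. The password is prompted for, never typed on the command line.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Choose a password for $AdminName" -AsSecureString
    New-LocalUser -Name $AdminName -Password $pw -Description 'Elevation-only account' | Out-Null
}
if (-not (Get-EnabledLocalAdmins | Where-Object { $_ -eq $AdminName })) {
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminName
}

# 2. Demote the daily account, but only if some other enabled administrator exists;
#    otherwise you would lock yourself out of administering the PC.
$others = Get-EnabledLocalAdmins | Where-Object { $_ -ne $DailyName }
if (-not $others) { throw "No other enabled administrator account; refusing to demote $DailyName." }
Remove-LocalGroupMember -Group 'Administrators' -Member $DailyName -ErrorAction SilentlyContinue
Add-LocalGroupMember    -Group 'Users'          -Member $DailyName -ErrorAction SilentlyContinue

# 3. Verify. Expect $AdminName (plus any domain groups) and no longer $DailyName.
#    Group membership changes apply to $DailyName at its next sign-in.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# 4. Day to day, elevate one program from the standard account instead of logging out;
#    UAC will ask for $AdminName's credentials. The path is a placeholder.
# Start-Process -FilePath 'C:\Program Files\Vendor\Updater.exe' -Verb RunAs
```

The lockout check in step 2 is the part the Settings app does for you silently (it won’t let you demote the last administrator); when you script the change you have to make it yourself. On some builds Get-LocalGroupMember fails if the Administrators group contains an orphaned SID; if you hit that, net localgroup Administrators still lists the members.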

I’ll admit that this might not always be sufficient. If you have too many apps that are locked in to administrator rights, continuing to use an administrator account to run them may be the only practical option available — as long as you understand and accept the risks involved.

Administrator recommendations for business users

For many years, those of us in businesses who set up laptops or desktops would give the PC’s first account the same username and password on every machine. The first account defaults to administrator rights, so we could walk up to any PC in the company and instantly sign in with full administrator rights. Today, of course, we recognize how vulnerable that is: one captured password (or its hash) unlocks every PC on the network. But it sure was convenient, and a big timesaver.

Enter the Local Administrator Password Solution (LAPS) toolkit (download). It set a unique, random local-administrator password on each PC, rotated it on a schedule, and stored it in Active Directory, where only the accounts you delegated could read it. You would then use a command to reveal the password to the administrator when it was needed to service the computer. There were even tools, such as OVERLAPS from Int64 Software, that added a Web interface for retrieving the passwords in a GUI. The price was installing the LAPS client (the Group Policy client-side extension, or CSE) on every PC in your business.

Microsoft’s major change

The April 2023 updates build this LAPS ability into Windows. The good news is that you no longer need to install LAPS. The bad news is that, right now, installing the legacy LAPS client on a machine that already has the April update breaks both the old and the new LAPS. Here’s what Microsoft had to say in its recent blog post By popular demand: Windows LAPS available now!:

Note: We have verified a reported legacy LAPS interop bug in the above April 11, 2023 update. If you install the legacy LAPS GPO CSE on a machine patched with the April 11, 2023 security update and an applied legacy LAPS policy, both Windows LAPS and legacy LAPS will break. Symptoms include Windows LAPS event log IDs 10031 and 10032, as well as legacy LAPS event ID 6. Microsoft is working on a fix for this issue. You can work around this issue by either: a) uninstalling legacy LAPS, or b) deleting all registry values under the HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State registry key.

In short:

  • If you are deploying a new PC with the April updates to Windows, do not attempt to install the legacy LAPS app.
  • If you are deploying the April updates to an existing PC that has legacy LAPS, don’t reinstall or repair the legacy client afterward. If the machine then logs the event IDs above, apply Microsoft’s workaround: uninstall legacy LAPS, or delete the values under HKLM\Software\Microsoft\Windows\CurrentVersion\LAPS\State.

If you still need the legacy LAPS admin UI, you can install by using the following command:

  • msiexec /i LAPS.x64.msi ADDLOCAL=Management.UI /qn

This installs only the LAPS UI, which is used to obtain the legacy LAPS passwords from Active Directory. It will not install the CSE (client-side extension, the part you no longer need). If you still want to use the legacy LAPS app, ensure that you uncheck AdmPwd GPO extension, PowerShell module, and GPO Editor templates. Check only the Fat client UI option (Figure 3).

Figure 3. The LAPS installation dialog

In new deployments where the April 2023 update is installed with Windows LAPS built in, the Windows LAPS is happy to read your legacy GPO and act in a legacy “emulation mode.” This is why you have lots of time to plan migration to a new policy. The most important thing right now is to stop installing legacy LAPS CSE on new builds that have April 2023 Cumulative Update installed. Existing machines with LAPS already installed are fine — no action needed. You will need to plan a later migration with a new policy if you want. Coming in the future will be integration with Azure Active Directory, as well as integration into Intune.

If you noticed, the one Server SKU that is still supported but not included in Microsoft’s list of operating systems with native Windows LAPS support is Windows Server 2016. For that platform, you will still need the legacy installation. If you have only older domain controllers, you will have fewer features available: password encryption requires a 2016 domain functional level, and the DSRM password backup feature requires domain controllers running Server 2019 or later.

Note that you can see only the most recent password via the new LAPS tab in Active Directory Users and Computers (ADUC). If you want to see the older passwords as well, use the following PowerShell command, substituting the computer’s name. The -Identity parameter is required, and without -AsPlainText the password comes back as a SecureString rather than readable text:

  • Get-LapsADPassword -Identity <computername> -AsPlainText -IncludeHistory

Microsoft didn’t feel that reviewing older passwords was an action that many administrators would do, so it didn’t build that experience into ADUC.
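To turn Microsoft’s interop note and the history lookup into something you can run, here is an added example; it is not from the article and not Microsoft’s code. It triages one machine for the symptoms Microsoft lists (events 10031 and 10032 in the Windows LAPS log, legacy event 6), applies the registry workaround from the note only when you ask for it (with -WhatIf support), and pulls the full password history from AD. Assumptions not stated on the page: the legacy CSE lives at %ProgramFiles%\LAPS\CSE\AdmPwd.dll, legacy LAPS logs event 6 to the Application log under the provider name AdmPwd, and the Windows LAPS channel is Microsoft-Windows-LAPS/Operational. The computer name PC-0042 is a placeholder.

```powershell
# Added example (not the article's or Microsoft's code). Run as an administrator
# on the machine being checked; the AD lookup needs the Windows LAPS PowerShell
# module that comes with the April 2023 update, plus rights to read the password.

$StateKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\LAPS\State'   # key named in Microsoft's workaround

function Test-LegacyLapsCse {
    # Legacy LAPS installs its client-side extension as AdmPwd.dll here (assumption: default install path).
    Test-Path (Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll')
}

function Get-LapsInteropStatus {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Windows LAPS symptoms Microsoft lists: event IDs 10031 and 10032.
    $newErrs = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-LAPS/Operational'; Id = 10031, 10032; StartTime = $since
    } -ErrorAction SilentlyContinue)
    # Legacy LAPS symptom: event ID 6 (assumption: Application log, provider name AdmPwd).
    $oldErrs = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'AdmPwd'; Id = 6; StartTime = $since
    } -ErrorAction SilentlyContinue)
    $state = Get-Item -Path $StateKey -ErrorAction SilentlyContinue
    $legacy = Test-LegacyLapsCse
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        LegacyCseInstalled = $legacy
        WindowsLapsErrors  = $newErrs.Count
        LegacyLapsErrors   = $oldErrs.Count
        StateValues        = @(if ($state) { $state.Property })
        # Both clients present and either one failing is the pattern Microsoft describes.
        LikelyInteropBug   = $legacy -and ($newErrs.Count -gt 0 -or $oldErrs.Count -gt 0)
    }
}

function Clear-LapsState {
    # Microsoft's workaround (b): delete every value under the State key. Honors -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-Item -Path $StateKey -ErrorAction SilentlyContinue
    if (-not $state) { return }
    foreach ($name in $state.Property) {
        if ($PSCmdlet.ShouldProcess("$StateKey\$name", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $StateKey -Name $name
        }
    }
}

function Get-LapsPasswordHistory {
    # What the ADUC tab does not show: every stored password for the computer, not just the current one.
    param([Parameter(Mandatory)][string]$ComputerName)
    Get-LapsADPassword -Identity $ComputerName -AsPlainText -IncludeHistory |
        Select-Object ComputerName, Account, Password, PasswordUpdateTime, ExpirationTimestamp, Source
}

# Usage (computer name is a placeholder):
# Get-LapsInteropStatus -Hours 72
# Clear-LapsState -WhatIf            # show which State values would be deleted
# Get-LapsPasswordHistory -ComputerName 'PC-0042' | Format-Table -AutoSize
```

Run Get-LapsInteropStatus first; only a machine that reports LegacyCseInstalled as true together with errors in either log needs the workaround, and uninstalling the legacy client is the cleaner of Microsoft’s two options. Treat the output of Get-LapsPasswordHistory as you would any credential dump: don’t pipe it into a file that outlives the support call.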

Microsoft anticipates that the fix for the legacy/new interoperability bug will be in the forthcoming April preview for Windows 11 and then in the May releases for all other versions. As long as you plan for this slight hiccup, I honestly don’t see this side effect as a blocking issue for deploying the April updates (once I give the go-ahead, of course). Just be aware that, for now, you should pick one method or the other on each machine.

I see this as a sign that testing with older operating systems wasn’t done well at all. Overall, Microsoft’s changes in this respect are a good thing, because security is strengthened and the risk of ransomware attacks is reduced.

Dealing with mandates

Many businesses are starting to be pushed toward more secure settings by cyber-insurance requirements. As mentioned earlier, my underwriter indicated that multifactor authentication was not optional. Fortunately, I had already deployed an appropriate authentication method. My users need administrator rights on occasion to install updates to certain business software, but not to run that software. (Note that Windows updates do not require administrator access to install; typically, elevation is needed only for line-of-business applications.)

I found that the best and easiest solution was deploying Cisco’s product, Duo. I use it to force an authentication prompt when installing updates for certain software and for authenticating remote access to our network. My state requires that we reimburse our users for the cost of using such solutions on their personal phones, unless we provide them with a business phone.

I was prepared when the underwriter sent us the “prequalification” checklist: I was able to say “Yes, we do that.” I anticipate that in the coming years, many of us will be pushed into tighter security for our networks (and, no doubt, our entire computing environments) by our insurance companies.


Susan Bradley is the publisher of the AskWoody newsletters.



Here are the other stories in this week’s Plus Newsletter

PUBLIC DEFENDER

Windows 11 screws up Print Screen — here’s how to fix it

By Brian Livingston

The behavior of the reliable old Print Screen button on your keyboard, affectionately known as PrtScr or PrtScn, has been radically changed in a preview build of Windows 11, which is almost certain to become the version we will all eventually have to live with.

If and when this is rolled out to all users in the world as an update, the Print Screen key by default will no longer place a copy of your screen onto the Clipboard. Instead, the key will launch a version of Redmond’s Snipping Tool, which has several new controls to learn.

ONENOTE

My favorite OneNote tricks

By Mary Branscombe

Once you get all your useful information into OneNote, there are some ways to make things go faster.

For a long time, one of the most common feature requests for OneNote was already in the product — being able to have more than one window open at once. It just wasn’t easy to find. There are useful tricks like that in OneNote. Here are my favorites.

FREEWARE SPOTLIGHT

RoboMirror — robocopy’s fancy cousin

By Deanna McElveen

The ability to mirror two folders has been a Windows feature for about 26 years, using the robocopy command at a command prompt.

Now, you can use robocopy with a graphical user interface (GUI), thanks to Martin Kinkelin’s open-source project, RoboMirror.


The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.

Copyright ©2023 AskWoody Tech LLC. All rights reserved.