Lock down your Windows PC with a dedicated local administrator account

Microsoft Windows security  >  Windows laptop + logo with binary lock and keyImage: Microsoft / Gerd Altmann

To protect your Windows 10 PC from hackers, try this: Creating a local user account to be your Administrator account. Many Windows 10 users make the mistake of using the Administrator account as their everyday user account, which makes your PC more vulnerable if your user account is hacked. 

One of the advantages of Linux PCs is that by default users don’t have “always-on” administrator accounts. Instead, authorized users elevate their privileges to act as an administrator for brief periods of time. It’s a good system that can help thwart attackers and keep the PC more secure.

Technically, we have the same situation on Windows 10, where we temporarily elevate our user privileges to install a program or carry out other privileged tasks. The difference is that in Linux you have to enter a password to elevate privileges, but in Windows 10 most of us just have to click Yes inside a User Account Control (UAC) dialog box. 

uacexample IDG

An example of a User Account Control dialog box in Windows 10.

The UAC is a little more robust than that description suggests. Nevertheless, we can improve the situation by removing administrator privileges from our everyday account. Then we create a separate local user account to act as administrator. You’ll still be able to authorize almost all the actions you do now from your everyday account, but you’ll have to enter a separate password each time instead of just clicking Yes or using your current account password.

The argument for doing this is pretty straightforward. If malicious software ever got onto your PC or it was hacked remotely there’s the potential for bypassing the UAC and using your account’s elevated privileges. Acting as an administrator an attacker could install more malicious software, run a command line program with elevated rights, delete user accounts, and more.

Restricting admin privileges to a separate account helps mitigate, but does not entirely remove, these threats. A key logger installed on your system could easily snap up your administrator password, for example, and a UAC pop-up can trick you into doing something you didn’t intend. Still, removing administrator rights adds a little more security than leaving them intact on your everyday account.

Windows 10 does come with a built-in administrator account that we could activate, but we’re not going to do that. Most experts caution against using the built-in administrator account, because it has free rein on your PC in a way that other account types don’t. For that reason we’ll leave the built-in account alone.

Creating a dedicated admin

The first thing we need is a new local account, which we’ll call “Admin.” We can’t call it Administrator, as that name is reserved for the hidden administrator account on the PC. We’re also not going to use a regular Windows 10 account connected to an Outlook or Hotmail address, because that increases the potential of getting hacked. Plus, there’s no good reason to connect it to the cloud like a regular account.

microsoftaccountwindow IDG

Select “I don’t have this person’s sign-in information.”

Open the Settings app in Windows 10 by tapping the Windows key + I. Then go to Accounts > Family & other users, and under “Other users” click Add someone else to this PC. A new window will open asking for the new user’s email address. We don’t want this, so click the link underneath entitled I don’t have this person’s sign-in information.

Microsoft is nothing if not determined, so another window will appear offering to create a Microsoft account. We have to insist on going local by clicking Add a user without a Microsoft account.

createuserforthispc IDG

Now we’re cooking. In the next window, under “Who’s going to use this PC?” enter the name “Admin” or whatever you want. Then choose a password and enter it a second time to confirm. You’ll also have to answer several security questions so that you can access this account should you forget the password. Once that’s done, click Next.

adminisadministrator IDG

A local account called Admin with administrator rights.

Now we’ve got a new account called “Admin,” which you’ll see under the “Other users” section in the primary settings window (pictured). However, this is just a regular account right now. To give it administrator rights select the account, and when it’s highlighted select Change account type.

Another window appears. In this one click the drop-down box under “Account type,” select Administrator, and then click OK.

Now that we’ve given our new account elevated privileges it’s time to switch accounts so that we can make sure the local account works.

Login to the new Admin account, and then try to do something that requires admin approval like installing a program such as a web browser like Chrome, Firefox, or Opera. 

If you installed the program in the Admin account by clicking Yes inside a UAC dialog then the account is ready, and it’s time to remove our everyday account’s administrator super powers.

To do that, log out of the administrator account, because we want to log into this account only when necessary. Now log into your everyday account again and tap the Windows Key + R. In the run dialog box that appears, type netplwiz and click OK.

This calls up the User Accounts window. Select your account under “User Name” (it uses your Microsoft account email address), and select Properties.

standarduser IDG

This operation removes administrator rights from an account in Windows 10.

Yet another window will appear. Here select the Group Membership tab and then the Standard user radio button (pictured). Hit OK to dismiss that window, then OK again to dismiss the original User Accounts window.

The operating system will require you to sign out of the account to bring the changes into effect. You now have a regular user account, and all the power lies with the newly created Admin account.

For the most part, whenever you want to do something that requires administrator privileges, you’ll just need to enter the administrator account password inside your everyday account. There will be times, however, when you’ll have to log into the administrator account to carry out advanced actions, such as using the Disk Management utility. Those instances are pretty rare, but that is a downside to this system.

Finally, be sure to put that new administrator account password somewhere so you don’t forget it. In fact, using a password manager would be an excellent way to ensure you never lose it.

Leave a Response