Why You Shouldn’t Use an Admin Account as Your Main Account

Just about everyone uses an administrator account as their primary computer account, but that carries security risks. If a malicious program or an attacker gets control of your user account, they can do a lot more damage with an administrator account than with a standard account. You can protect yourself by using a standard account as your primary account and temporarily elevating permissions when you need to make administrator changes.

Administrator accounts (or admin accounts) are basically the most powerful account type on a computer. They have permission to do just about everything on a machine – think of the I.T. guys at the office that you have to ask before certain operations. Every computer needs to have at least one admin user somewhere.

Standard accounts are more limited. Exactly how they are limited varies by operating system. Typically, standard accounts can’t install new software or access critical system files. They can access user files and do most day-to-day work, but as a rule, standard accounts are prohibited from making serious or permanent changes to the computer.

Non-admin accounts can be locked down in a variety of ways. With user controls, administrators can place much more severe restrictions on user accounts. This runs the gamut from prohibiting certain applications and URLs to setting a daily time limit.

Admin accounts have permission to do pretty much whatever they want with a machine. As the owner or primary user of a device, it might seem to make sense to use an admin account as your main account, but doing so carries security risks. If malware is installed under your user account, the malware can do anything that you can do. So the more permissions your user account has, the more damage malware running under it can do.

Standard accounts don’t have as much flexibility. Malware installed under a standard account can’t make any damaging changes to system files, and attackers who gain access to a standard account can only access that user’s files. As a result, the restrictions of standard accounts work in your favor should an adversary or malicious program gain access to your account.

If you want to try out using standard accounts, it’s pretty easy. If you’re dealing with a personal machine, you’ll first want to create a new administrator account. Your computer needs at least one administrator to make system changes. Then, you’ll want to change your primary user account to a standard user account. If you already have a secondary administrator account for some reason, you can skip creating the new account.

Windows

1. Open the “Settings” app.

2. Click on the “Accounts” icon.

3. Choose “Family & other people” from the sidebar.

4. Click “Add someone else to this PC” under “Other people.”

5. Click “I don’t have this person’s sign-in information” and then “Add a user without a Microsoft account” to skip the Microsoft account search. You can add this later. Windows Home users may not see this step.

6. Enter the username, password and password hint for your new administrator account. Click “Next” to complete the account creation.

7. Click on the account name and click the “Change account type” button.

8. Choose “Administrator” from the dropdown menu. You may need to restart your computer for this change to take full effect.

9. Log into your new administrator account.

10. Navigate to the “Family & other people” pane again. Click on your user account and change the account type to “Standard User.”

11. When you see a UAC prompt, enter the username and password of your new administrator account to proceed.
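
The same Windows procedure can be scripted. The following PowerShell is an added example, not part of the original article. It assumes the placeholder account name `LocalAdmin`, that you are signed in as your everyday account, and that you save it as a `.ps1` file and run it from an elevated PowerShell window. It refuses to demote your account unless another enabled local administrator exists.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
$newAdmin  = 'LocalAdmin'      # assumed name for the new administrator account
$dailyUser = $env:USERNAME     # assumed: you are signed in as your everyday account

# Look the built-in groups up by well-known SID so this works on any display language.
$admins = Get-LocalGroup -SID 'S-1-5-32-544'   # Administrators
$users  = Get-LocalGroup -SID 'S-1-5-32-545'   # Users

# Steps 4-6: create the new account if it does not exist yet.
if (-not (Get-LocalUser -Name $newAdmin -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $newAdmin" -AsSecureString
    New-LocalUser -Name $newAdmin -Password $password -Description 'Administrator tasks only' | Out-Null
}

# Steps 7-8: make the new account an administrator.
if (-not (Get-LocalGroupMember -Group $admins -Member $newAdmin -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $admins -Member $newAdmin
}

# Safety check before step 10: the machine must keep at least one usable
# administrator. The built-in Administrator is usually disabled, so only
# enabled local accounts other than the everyday account are counted.
$otherAdmins = Get-LocalGroupMember -Group $admins |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { Get-LocalUser -SID $_.SID } |
    Where-Object { $_.Enabled -and $_.Name -ne $dailyUser }
if (-not $otherAdmins) {
    throw "No other enabled local administrator found; refusing to demote $dailyUser."
}

# Step 10: make the everyday account a standard user (member of Users only).
if (-not (Get-LocalGroupMember -Group $users -Member $dailyUser -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $users -Member $dailyUser
}
Remove-LocalGroupMember -Group $admins -Member $dailyUser

# Review who can still administer the machine.
Get-LocalGroupMember -Group $admins | Select-Object Name, PrincipalSource
```

Sign out and back in afterwards so the everyday account's session picks up the reduced group membership.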

macOS

1. Open System Preferences.

2. Choose “Users & Groups” from the bottom row.

3. Click the lock and enter your password to unlock the pane.

4. Click the “+” button to create a new account.

5. Choose “Administrator” from the “New Account” dropdown menu.

6. Set the username and password as you like. Make sure “Allow user to administer this computer” is checked at the bottom.

7. Log out of your current user, then log into your new user.

8. Select your previous account in the sidebar, and uncheck the box that says “Allow user to administer this computer” to convert your admin user to a standard user.

9. When prompted, restart your computer to downgrade your account.

10. Log back into your user account and use it as normal. Enter your new admin user’s username and password when you need to perform administrator tasks.

While using a standard user account might be slightly more annoying, it does provide security benefits that can protect you in the event of a security failure.

Image credit: Designed by Freepik
