2021-11-22

Windows 10/11 Administrative Accounts

How To:  Build a Windows 10 / Windows 11 Administrative Account - demote your normal account to a "loser account."

This article replaces an older Windows 7 article:  Secure PCs from Offspring.
A more succinct version of these steps can be found here:
Widows 11 Tuneup
https://keyliner.blogspot.com/2021/11/windows-11-tuning.html


Synopsis:
Steps to convert your normal, daily Windows 10/11 User Account from an "Administrative" account to a "Standard Account"  (a non-administrative, non-elevated, "loser" account).  This helps prevent malware from installing, and protects the machine from inadvertent changes from other family members.

Use administrative credentials for system-wide changes and use your "loser" account for day-to-day work.  This follows best practice at Microsoft, at most corporations, and at schools.  I use this technique on all of my computers, even on my own account.  I would especially do this on children's computers.

Viruses present themselves by enticing the victim with a game or some other program of interest.  When malware installs, Windows intercepts the install, asking for permission, prompting for a password - this is called the UAC prompt.  Most people see the nag screen and click "Allow," without thinking.   You've probably done this yourself.  In other words, you have given the virus permission to install.  Slow this down with a deliberate password.


Administrator vs Standard Users

With a non-administrative account, attempts to install software, or change system settings, are "challenged" with a user-id and password (credentials).  This slows-down the automatic click "ok."  If they does not know the administrative password, they cannot make the change without assistance (my children, my parents).  This essentially locks the PC from most changes.  Score!


The Setup

Follow these steps to enable an Administrative account.

Important:  A new Administrator account must be built before converting your existing account to a "loser" account.

1. Build an Administrator Account

Using your current (presumably) Administrator Account (using your normal login-credentials):

a.   Windows 10:  In the Start Menu's Search box, search for "Control Panel"
      Open "User Accounts"
      Select "Manage another Account"

Click for larger view

     Windows 11: Click Start, Type "Settings" (the Gear icon)
     Select left-nav, "Accounts"
     In "Other Users", "Add account"

b.  Click "Add a user account".  Windows 10 illustrated:

c.  at the "How will this person sign-in"

    ! Do not enter an email address

Instead, click "Sign in without a Microsoft account (not recommended)"
or in Windows 11, "I don't have this person's sign-in information."
   
Then, "Add a user without a Microsoft Account"
If this works, and looks as-described, jump to step d (password)
 

Update: As of 2020.02, Microsoft hid the "Sign in without a Microsoft Account" 
option, depending on which Microsoft Update has been applied. 

If this option is not available, do one of the following to disconnect from the Internet while this account is being built:

* If a laptop on Wireless, switch to Airplane Mode before building this account
* If Desktop on Wired, unplug the Ethernet cable
* If Desktop on Wireless, click lower-right Wireless icon and disable Wireless.  Then retry these steps.




At the second prompt, again select "Local Account".  (Microsoft really wants a login account, synchronized with the Internet, but in this case a local account is all that is needed.)



d.  Build the Account Name and Set the password.

Use account name "Admini" 
(This is a recommended name, Microsoft no longer allows "admin" or "administrator')
Set the password, *
Set the password hint(s)

*If this is your personal machine, consider setting the password to the same password used for your normal login - one less thing to remember.  It goes without saying, don't forget this password

Once the account is built, and password set, change the account's "type", next.

f.   Click the new Admini / Administrator account.
 Click "Change the account type"

 Change the Account Type from "Standard" user to an "Administrator User"


Important: You must change Admini to an administrative account before doing the next step.

2.  Logout from your normal account, then Login as Administrator:

a.  Logout steps: 
Windows 10:  Click Start, (Shutdown: submenu); Select "Log off" or right-mouse-click the profile-picture icon halfway up the start menu.

Windows 11:  Click Start and on the bottom-edge, right-click your profile picture, "Sign Out".  Illustrated:



b. Log back in as Admin

Windows 10 and 11: 
At the banner / desktop login screen, notice two icons in the lower-left.  Find your existing user and the new Admini account.

Click the Admini account icon to login.

This builds the Administrator's profile.  This takes a few moments.
The screen and icons will look different; Do not worry. This account will only be used for installing software and system changes.


3.  Change the original (child's) account:

While logged in as Administrator,

a.  Windows 10: Click Start, type/search, "USERS",

find "Manage another account", then "Change User Account Settings"

Windows 11: Click Start, type/search, "USERS", selecting "Add, edit, or remove other users."  In the center of the screen, see your user account.

b.  Select your original account  (this is your account's name (or your child's account, etc.)

c. "Change the account type";

Change from Administrator to a Standard user. 
Close and save the changes.

In other words, demote yourself to a "loser" account.

d.  Logout as Admin. 
(Start, Shutdown-sub-menu, Log off)

e.  Re-login as your normal account.

You are done.

Results:
You will be running as a "Standard" (non-administrative, non-elevated account).  All programs will run normally, but system changes and installing software requires credentials -- commonly called a UAC prompt.  This helps keep the bad guys out.

Using Elevated Credentials:
To test in Windows 11:  Right-mouse-click the Start Menu, choose "Device Manager". 
Note the prompt, "you are logged in as a standard user.... read only". 

To run Device Manager as administrator, search "Control Panel".  Right-mouse-click "Device Manager", and "Run as Administrator".   Similarly, administrative credentials are now required to install software or viruses, and installs prompt for UAC permission. 

To run a Setup.exe as an elevated user, shift-right-mouse-click the .exe, and "Run as Administrator".

When you get a UAC prompt, it asks for an account-name and password.  Hesitate.  Decide if the install is safe.  Ask yourself this question:  Did I demand this action or did it magically appear. 

Wise people do not tell the children or non-computer-literate parents the administrative password. 

Windows system updates will run as-before (and will install on their normal schedule with their normal system account).  Applications, such as Acrobat Reader, will prompt for permission before updating.  This is a good thing. 

Closing note:
Having a backdoor administrative account -- even if it is different than your own personal administrative account, is useful as a side-door into the system should your normal profile become corrupted. 

-end

Related Articles:
Corrupted Profile?  See this article for hints on how to build a new administrator login from a damaged profile:
https://keyliner.blogspot.com/2020/06/windows-10-command-prompt-black.html

Raspberry Pi-Hole - A DNS SinkHole for security

Posted by traywolf

No comments:

Post a Comment

Comments are moderated and published upon review. (As an aside, not a single spam has been allowed through; why bother?)

Subscribe to: Post Comments (Atom)