Are you the network administrator for your household or family? At some point, one of your nearest and dearest will install something nefarious or break something without meaning to, and that’s why the type of Windows User Account used makes the difference.
If everyone on your network is using an Administrator account, you’re going to have a bad time. That said, there’s a lot of confusing information regarding what Standard accounts can and cannot do. Here’s what you need to know.
What Are Windows User Accounts?
Every time you use your Windows 10 computer, you log in to a User Account. If you are the only user on your computer, it is likely you have an Administrator account. Administrator accounts are privileged, meaning they can perform any action on the system, with minimal restriction (usually requiring a password for confirmation).
Standard accounts can use the computer in the literal sense: browsing the internet, sending emails, playing games, using software, and so on. Standard accounts can also make some system changes, with restrictions, and nothing that affects the other users on the same system.
There is also an option for a dedicated Child account in Windows 10. These accounts come with a range of limitations as well as integrated monitoring for overseeing parents. Windows also has a range of integrated parental controls.
The real consideration is to the account type in conjunction with the User Account Control (UAC) setting.
Understanding UAC and User Accounts
The default setting for both Standard and Administrator accounts is to use UAC. This is the first thing that some users switch off, deeming it unnecessary and time-consuming.
But look at it another way: every time you have to enter your password, you know a malicious process must do the same. And if the malicious process doesn’t know the password, you instantly save yourself from a world of computing-hurt, plus save a boat-load of time in the process.
Let’s consider how UAC works with both accounts.
Both Standard and Administrator accounts access resources and run programs in the security context of a standard user. When you enable UAC, each app requires the go-ahead using an administrator access token.
This means your account, Administrator or Standard, is protected using the same security mechanisms. What differs is the permissions available to each account which in turn are moderated using User Account Controls.
User Account Control Prompts
So, when UAC is enabled, a Standard account receives different levels of prompts to maintain security. The prompts ensure the user is validating each significant change to the system, rejecting anything unknown or unexpected (in theory, at least).
You can set UAC to one of four levels:
- Always notify me: The highest UAC level, requests validation for every application, every piece of software, and every change to Windows settings.
- Notify me only when applications try to make changes: The default UAC level, requests validation for new applications, but not Windows settings.
- Notify me only when applications try to make changes: This is the same as the default UAC level but does not dim the desktop when the validation prompt appears.
- Never notify me: The lowest UAC level, you receive no notifications for any system changes, at any time for the specified user account.
The default setting is fine for the majority of users. Of course, that depends on the user. The difference comes in the type of prompt the user receives, which depends on the account.
An Administrator account will receive a consent prompt. This prompt appears for the three levels of UAC that require validation. The administrator only needs to click through the consent prompt to confirm the changes to the system.
A Standard account instead receives a credential prompt. Unlike the logged-in Administrator account consent prompt, a credential prompt requires the administrator password to validate the system changes.
UAC verification prompts are color-coded, too. This allows both Standard and Administrator accounts to understand the risk posed to the system immediately.
- Red background with a red shield icon: The app is blocked by Group Policy or is from a publisher that is blocked.
- Blue background with a blue and gold shield icon: The application is a Windows 10 administrative app, such as a Control Panel item.
- Blue background with a blue shield icon: The application is signed by using Authenticode and is trusted by the local computer.
- Yellow background with a yellow shield icon: The application is unsigned or signed but is not yet trusted by the local computer.
Should I Use an Administrator Account?
An Administrator account is important. Every system has one as you’d be unable to install software and make other changes without one. But should your primary account be an Administrator?
The answer actually lies in your system users.
For instance, I am the only person that uses this system. Therefore, I run a password protected Administrator account. But on the family laptop, I have a password-protected Administrator account and a Standard account with UAC enabled. UAC is what makes the difference, for both Standard and Administrator accounts.
In that, you do not necessarily need to use an Administrator account as your default. Sure, it speeds up certain things, but entering your password only takes a second. I wouldn’t go as far as entirely disabling the Administrator account, as some other guides suggest.
But again, this depends on who is using the system. It is possible to hide an account, rather than completely disable it (Windows has a hidden Administrator account for technical use).
Furthermore, turning UAC notifications off isn’t a great idea. It simply removes a basic level of system security that at times will save your system from a malicious process.
And even if you turn the notifications off, UAC is still running. It just means every validation request is immediately approved. For Standard accounts, however, it means all validation requests are immediately denied.
TL;DR: A Standard account with the correct UAC settings is just as useful as an Administrator account, and perhaps even a little more secure.