Accounts Enable or Disable Built-in Administrator Account in Windows 11


  • Staff
Administrator_banner.png

This tutorial will show you how to enable or disable the built-in Administrator account in Windows 11.

Windows 11 includes a hidden built-in Administrator account that serves as the local system administrator with elevated rights by default without needing Run as administrator or UAC (User Account Control) for elevation approval.

The built-in Administrator is not protected by a password by default, but you can add a password to the account to help prevent unauthorized users from signing in to the account.

The built-in "Administrator" account is basically the same as a normal administrator account with UAC turned off. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions.

The built-in Administrator account cannot be deleted or locked out, but it can be renamed, enabled, or disabled.

References:

Anything that runs while signed in to this built-in Administrator account will also have the same full access elevated rights as the Administrator. This can be a security risk if you have malware or a virus while signed in to the built-in Administrator.

It is not recommended to use the built-in Administrator account as an everyday account.

It is recommended to only enable and use the built-in Administrator account as needed and disable it when finished.



Contents

  • Option One: Enable or Disable Built-in Administrator in Elevated Command Prompt
  • Option Two: Enable or Disable Built-in Administrator in Elevated PowerShell
  • Option Three: Enable or Disable Built-in Administrator in Local Users and Groups
  • Option Four: Enable or Disable Built-in Administrator in Local Security Policy
  • Option Five: Enable or Disable Built-in Administrator in Command Prompt at Boot


EXAMPLE: Administrator enabled on Sign in screen

Administrator_sign-in.jpg





Option One

Enable or Disable Built-in Administrator in Elevated Command Prompt


You must be signed in as an administrator to use this option.


1 Open an elevated Windows Terminal, and select Command Prompt.

2 Copy and paste the command below you want to using into the elevated command prompt, and press Enter. (see screenshots below)

(Enable)
net user Administrator /active:yes

OR

(Disable)
net user Administrator /active:no

If you had previously renamed the built-in "Administrator" account's name, then you will need to substitute Administrator in the command above with the new name instead.

If your Windows uses a different language than English, then you would need to substitute Administrator in the command above with the translation for your language instead.


3 When finished, you can close the elevated command prompt if you like.

Enable_Administrator_in_command_prompt.png

Disable_Administrator_in_command_prompt.png





Option Two

Enable or Disable Built-in Administrator in Elevated PowerShell


You must be signed in as an administrator to use this option.


1 Open an elevated Windows Terminal, and select Windows PowerShell.

2 Copy and paste the command below you want to using into the elevated PowerShell, and press Enter. (see screenshots below)

(Enable)
Enable-LocalUser -Name "Administrator"

OR

(Disable)
Disable-LocalUser -Name "Administrator"

If you had previously renamed the built-in "Administrator" account's name, then you will need to substitute Administrator in the command above with the new name instead.

If your Windows uses a different language than English, then you would need to substitute Administrator in the command above with the translation for your language instead.


3 When finished, you can close the elevated PowerShell if you like.

Enable_Administrator_in_PowerShell.png

Disable_Administrator_in_PowerShell.png





Option Three

Enable or Disable Built-in Administrator in Local Users and Groups


You must be signed in as an administrator to use this option.

Local Users and Groups is only available in the Windows 11 Pro, Enterprise, and Education editions.


1 Open Local Users and Groups (lusrmgr.msc).

2 Click/tap on the Users folder in the left pane, and double click/tap on Administrator in the middle pane. (see screenshot below)

Administrator_in_lusrmgr-1.png

3 In the General tab, check (disable) or uncheck (enable) the Account is disabled box for what you want, and click/tap on OK. (see screenshot below)

Administrator_in_lusrmgr-2.png

4 You can now close Local Users and Groups if you like.




Option Four

Enable or Disable Built-in Administrator in Local Security Policy


You must be signed in as an administrator to use this option.

Local Security Policy is only available in the Windows 11 Pro, Enterprise, and Education editions.


1 Open Local Security Policy (secpol.msc).

2 Expand open the Local Policies folder in the left pane, click/tap on the Security Options subfolder in the left pane, and double click/tap on Accounts: Administrator account status in the right pane. (see screenshot below)

Administrator_in_secpol-1.png

3 In the Local Security Setting tab, select (dot) Enabled or Disabled for what you want, and click/tap on OK. (see screenshot below)

Administrator_in_secpol-2.png

4 You can now close Local Security Policy if you like.




Option Five

Enable or Disable Built-in Administrator in Command Prompt at Boot


This option is good to use when you do not have another administrator account to sign in with, or unable to sign in to Windows 11.


1 Open a command prompt at boot.

2 Type regedit into the command prompt at boot, and press Enter. (see screenshot below)

Administrator_in_command_prompt_at_boot-1.png

3 Click/tap on the HKEY_LOCAL_MACHINE key in the left pane of Registry Editor. (see screenshot below)

Administrator_in_command_prompt_at_boot-2.png

4 Click/tap on File on the menu bar, and click/tap on Load Hive. (see screenshot below)

Administrator_in_command_prompt_at_boot-3.png

5 In the Load Hive dialog, open the drive (ex: C: or D:) that Windows 11 is installed on, and navigate to the location below. (see screenshot below)

The drive letter (ex: C) will not always be the same at boot as it is from within Windows 11.

It will not be the Boot (X:) drive.


C:\Windows\System32\config

Administrator_in_command_prompt_at_boot-4.png

6 Select the SAM file inside the config folder, and click/tap on Open. (see screenshot below)

Administrator_in_command_prompt_at_boot-5.png

7 In the Load Hive dialog, type REM_SAM, and click/tap on OK. (see screenshot below)

Administrator_in_command_prompt_at_boot-6.png

8 Navigate to and open the key below the left pane of Registry Editor. (see screenshot below)

HKEY_LOCAL_MACHINE\REM_SAM\SAM\Domains\Account\Users\000001F4

Administrator_in_command_prompt_at_boot-7.png

9 In the right pane of the 000001F4 key, double click/tap on the F binary value to modify it. (see screenshot above)

10 Do step 11 (Enable) or step 12 (disable) below for what you want.


11 Enable Built-in Administrator Account

A) In the first column of row line 00000038, change 11 to 10, click/tap on OK, and go to step 13 below. (see screenshot below)​

You would do this by clicking to the left of 11 to place the cursor there, press the Delete key, then type 10.


Administrator_in_command_prompt_at_boot-8.png


12 Disable Built-in Administrator Account

A) In the first column of row line 00000038, change 10 to 11, click/tap on OK, and go to step 13 below. (see screenshot below)​

You would do this by clicking to the left of 10 to place the cursor there, press the Delete key, then type 11.


Administrator_in_command_prompt_at_boot-9.png


13 Close Registry Editor and the command prompt at boot.

14 Click/tap on Continue to startup back in Windows 11. (see screenshot below)

Administrator_in_command_prompt_at_boot-10.png


That's it,
Shawn Brink


 
Last edited:
Great tutorial Shawn. Question: Would password protecting my disabled built-in Admin account prevent someone attempting to re-enable it using Option Five?
 

My Computers

System One System Two

  • OS
    Win 11 Pro 23H2 22631.3737
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    Intel® Core™ i7-14700F
    Motherboard
    ASUS TUF GAMING Z690-PLUS WIFI
    Memory
    G.SKILL Ripjaws S5 Series 64GB (2 x 32GB) DDR5
    Graphics Card(s)
    RTX 4070 Super OC 12 GB
    Sound Card
    Sound Blaster AE-5 Plus
    Monitor(s) Displays
    ASUS TUF Gaming 27" 2K HDR Gaming
    Screen Resolution
    2560 x 1440
    Hard Drives
    Samsung 990 Pro 1TB NVMe (Win 11)
    SK hynix P41 500GB NVMe (Win 10)
    SK hynix P41 2TB NVMe (x3)
    Crucial P3 Plus 4TB
    PSU
    Corsair RM850x Shift
    Case
    Antec Dark Phantom DP502 FLUX
    Cooling
    Noctua NH-U12A chromax.black + 7 Phantek T-30's
    Keyboard
    Logitech MK 320
    Mouse
    Razer Basilisk V3
    Internet Speed
    350Mbs
    Browser
    Firefox
    Antivirus
    Winows Security
    Other Info
    Windows 10 22H2 19045.4291
    On System One
  • Operating System
    Win 11 Pro 23H2 22631.3737
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    Intel Core i7-11700F
    Motherboard
    Asus TUF Gaming Z590 Plus WiFi
    Memory
    64 GB DDR4
    Graphics card(s)
    EVGA GeForce RTX 3050 XC Black Gaming
    Sound Card
    SoundBlaster X-Fi Titanium
    Monitor(s) Displays
    Samsung F27T350
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 980 Pro 1TB
    Samsung 970 EVO Plus 2TB
    Samsung 870 EVO 500GB SSD
    PSU
    Corsair HX750
    Case
    Cougar MX330-G Window
    Cooling
    Hyper 212 EVO
    Internet Speed
    350Mbps
    Browser
    Firefox
    Antivirus
    Windows Security
Great tutorial Shawn. Question: Would password protecting my disabled built-in Admin account prevent someone attempting to re-enable it using Option Five?

Hello Scott, :-)

They would still be able to enable the built-in Administrator using option 5, but would need to know the password to sign in to the account.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
YES, I need to enter my password in the box. However, it says above it... To continue enter an admin username and password edit security will also be installed for the administrator. AND, do I use slash ( / or \ ) and or dash ( - )?
 

My Computer

System One

  • OS
    Windows 11
YES, I need to enter my password in the box. However, it says above it... To continue enter an admin username and password edit security will also be installed for the administrator. AND, do I use slash ( / or \ ) and or dash ( - )?

I'm not sure what you are referring to. Please post a screenshot showing this to help. :-)
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
I'll try to send a better image if you cant see this one. No matter what I try to do on the PC, this window pops up.
 

Attachments

  • UserAcountMicrosoft.jpg
    UserAcountMicrosoft.jpg
    26.8 KB · Views: 139

My Computer

System One

  • OS
    Windows 11

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
Hi, if using the built-in Administrator account is not recommended for everyday use then the default behavior of Windows 11 which needs us to sign in using our Microsoft account in Windows and use it as everyday account, is not recommended either, right? since our Microsoft account is also an Administrator account.

so I think the best method in terms of security is, after clean installing Windows, sign in with Microsoft account (which is Administrator account by default), then activate built-in Administrator account, convert our Microsoft account to a Standard account and use it as every day account.
 

My Computer

System One

  • OS
    Windows 11
Hi, if using the built-in Administrator account is not recommended for everyday use then the default behavior of Windows 11 which needs us to sign in using our Microsoft account in Windows and use it as everyday account, is not recommended either, right? since our Microsoft account is also an Administrator account.

so I think the best method in terms of security is, after clean installing Windows, sign in with Microsoft account (which is Administrator account by default), then activate built-in Administrator account, convert our Microsoft account to a Standard account and use it as every day account.

Hello, :-)

There's a difference between the built-in "Administrator" account, and a "local account" or "Microsoft account" set up or added as an administrator type of account.

The built-in "Administrator" account has native elevated rights all the time without restrictions since it's not prompted by UAC to get those elevated rights. The danger is that anything running while signed in to this account will also have those same unrestricted rights.

A "local account" or "Microsoft account" administrator account will get prompted by UAC by default to approve any actions that require elevated rights.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
Hello, :-)

There's a difference between the built-in "Administrator" account, and a "local account" or "Microsoft account" set up or added as an administrator type of account.

The built-in "Administrator" account has native elevated rights all the time without restrictions since it's not prompted by UAC to get those elevated rights. The danger is that anything running while signed in to this account will also have those same unrestricted rights.

A "local account" or "Microsoft account" administrator account will get prompted by UAC by default to approve any actions that require elevated rights.

Hi, thank you :-)
found the way to enable UAC prompts for the built-in Administrator account too if anyone reading this wants to do it
 

My Computer

System One

  • OS
    Windows 11

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
which is Administrator account by default
MSAccounts are not Admin by default.
The account you create when you first install Windows is an Admin account.

You can use that initial account's Admin status to create an additional, local, password-protected Admin account to do Admin things with.
Write its password down somewhere secure yet accessible.
Test the account works by, say, opening an elevated Terminal window.
I have two such Admin accounts in case the first one ever gets corrupted.

convert our Microsoft account to a Standard account and use it as every day account.
Then, yes, you can change your initial account from being an Admin account to being a Standard account.

The Built-in Admin is not involved in any of this. You can leave it disabled throughout.
If, like me, you keep a spare local Admin account in case of user profile corruption then you will never need to enable the Built-in Admin.

found the way to enable UAC prompts for the built-in Administrator account
Correct but why do it?
Leave that account alone unless you need to do anything using it.


All the best,
Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
MSAccounts are not Admin by default.
The account you create when you first install Windows is an Admin account.

You can use that initial account's Admin status to create an additional, local, password-protected Admin account to do Admin things with.
Write its password down somewhere secure yet accessible.
Test the account works by, say, opening an elevated Terminal window.
I have two such Admin accounts in case the first one ever gets corrupted.


Then, yes, you can change your initial account from being an Admin account to being a Standard account.

The Built-in Admin is not involved in any of this. You can leave it disabled throughout.
If, like me, you keep a spare local Admin account in case of user profile corruption then you will never need to enable the Built-in Admin.


Correct but why do it?
Leave that account alone unless you need to do anything using it.


All the best,
Denis

Hi,
thank you, I have a question,
I have modified my UAC settings to be the strongest, now I wanna know if there is any security benefit of using standard account instead of administrator account for everyday usage.

please check it out:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

1663349957945.png



Reference:
 

My Computer

System One

  • OS
    Windows 11
Hi,
thank you, I have a question,
I have modified my UAC settings to be the strongest, now I wanna know if there is any security benefit of using standard account instead of administrator account for everyday usage.

The security benefit it that a standard user and anything running while signed in to the stander user account will not have access to anything other than when a stander user normally does. Anything requiring elevated rights would require providing the password of an administrator to do so.

Basically, it helps to prevent anything from getting elevated rights by mistake or hidden behind the scenes.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
The security benefit it that a standard user and anything running while signed in to the stander user account will not have access to anything other than when a stander user normally does. Anything requiring elevated rights would require providing the password of an administrator to do so.

Basically, it helps to prevent anything from getting elevated rights by mistake or hidden behind the scenes.

You mean the modifications that I applied won't prevent elevation by mistake or hidden behind the scenes executions?
can you explain more about it please
 

My Computer

System One

  • OS
    Windows 11
You mean the modifications that I applied won't prevent elevation by mistake or hidden behind the scenes executions?
can you explain more about it please
Yes, it will help for that.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro for Workstations
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom self build
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING (11GB GDDR5X)
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G75 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3 wall mounted
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gbps Download and 35 Mbps Upload
    Browser
    Google Chrome
    Antivirus
    Microsoft Defender and Malwarebytes Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Spectre x360 2in1 14-eu0098nr (2024)
    CPU
    Intel Core Ultra 7 155H 4.8 GHz
    Memory
    16 GB LPDDR5x-7467 MHz
    Graphics card(s)
    Integrated Intel Arc
    Sound Card
    Poly Studio
    Monitor(s) Displays
    14" 2.8K OLED multitouch
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 TB PCIe NVMe M.2 SSD
    Internet Speed
    Intel Wi-Fi 7 BE200 (2x2) and Bluetooth 5.4
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender and Malwarebytes Premium
I wanna know if there is any security benefit of using standard account instead of administrator account for everyday usage
Well, sort of.

There is malware that can infiltrate & gain elevation without any prompt appearing if the account in use is an Admin one.
But I have found no reported malware that can do this if UAC is set to its highest level.
So that points to the answer being, "Not if UAC is at maximum".

But an Admin user has extended access rights around the system & can grant itself additional access.
So, once infiltrated, more damage can be done by malware in an Admin account whereas an infiltrated standard account can only damage its own accessible areas of the system.
So that points to the answer being , Yes.

So the answer is, "Well, sort of.".

please check it out
You mean the modifications that I applied won't prevent elevation by mistake or hidden behind the scenes executions
UAC at its highest setting is the only preventative measure I am aware of.
I imagine that "by mistake" refers to clicking the OK button in an Admin prompt ["ElevationUI", "ConsentUI" or "CredentialUI"] without first checking what is asking for that permission.

All the best,
Denis
 
Last edited:

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
Well, sort of.

There is malware that can infiltrate & gain elevation without any prompt appearing if the account in use is an Admin one.
But I have found no reported malware that can do this if UAC is set to its highest level.
So that points to the answer being, "Not if UAC is at maximum".

But an Admin user has extended access rights around the system & can grant itself additional access.
So, once infiltrated, more damage can be done by malware in an Admin account whereas an infiltrated standard account can only damage its own accessible areas of the system.
So that points to the answer being , Yes.

So the answer is, "Well, sort of.".



UAC at its highest setting is the only preventative measure I am aware of.
I have no idea what you mean by "by mistake".

All the best,
Denis

I was quoting Brink when I said "elevation by mistake",
I think he meant accidentally clicking accept on UAC prompt, but the way I modified mine is to ask for admin credentials instead of a simple accept/deny, substantially reducing the chance of accidentally accepting the prompt by mistake.

the control panel slider for UAC, even on highest level, still doesn't apply some settings, the extra security settings can only be done from registry.

they are:
1. ValidateAdminCodeSignatures set to 1
2. ConsentPromptBehaviorUser set to 1
3. ConsentPromptBehaviorAdmin set to 1

in

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

but I agree, people should use standard account whenever possible, just like non-rooted Android phones.
 

My Computer

System One

  • OS
    Windows 11
ValidateAdminCodeSignatures
This applies equally to both Standard & Admin user accounts so does not affect the question you posted, "any security benefit of using standard account instead of administrator account for everyday usage".
ConsentPromptBehaviorUser set to 1
With UAC set to its highest level, this is a redundant setting. It happens anyway.
ConsentPromptBehaviorAdmin
This would not have any effect on "hidden behind the scenes executions" and also does not affect the question you posted, "any security benefit of using standard account instead of administrator account for everyday usage".


I was quoting Brink when I said "elevation by mistake"
Yes. I'd already noticed that. I had also qualified my remark.
I imagine that "by mistake" refers to clicking the OK button in an Admin prompt ["ElevationUI", "ConsentUI" or "CredentialUI"] without first checking what is asking for that permission.


I agree, people should use standard account whenever possible
I had thought that you were asking questions because you had a decision to make.


Best of luck,
Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
Is the built in administrator account functionally equivalent to a local admin with UAC disabled (registry entry EnableLUA to 0) ?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Myself
    CPU
    AMD 7800X3D
    Motherboard
    Aorus Master X670E
    Memory
    32GB DDR5 Gskill 6000
    Graphics Card(s)
    Gigabyte RTX 4090 Gaming OC
    Sound Card
    what is this 1995?
    Monitor(s) Displays
    ASUS XG27UQ
    Screen Resolution
    4k
    Hard Drives
    14 of them
    PSU
    EVGA 1600w Gold G+
    Cooling
    Arctic Liquid Freezer II 360
Back
Top Bottom