Improve Computer Security – Remove Administrator Rights
by TUCU Managed IT Services in Toronto
Today we're going to tell you why, and how to remove Administrator rights from your computer. The process has many steps, however they are simple to do. We have outlined them in text below and made a video for you to follow.
Understanding The Administrator Profile On Computers
An administrator of a computer is someone who can control system settings, install software, and change how the computer operates at its most basic levels.
A user of a computer is someone who can change their own personal settings, use the installed software, but is mostly restricted when it comes to affecting other users.
By default and for convenience, your computer manufacturer ships your computer to you without any users created. When you begin to setup your computer, part of the Windows setup process involves creating the first user on a computer. By default and out of necessity this user is an administrator of the computer. If the default profile was not an administrator account, you would not be able to change the system or install any software that isn't part of a walled garden "app store".
A common computer security mistake is to use the default Administrator profile forever.
Chances are that when you bought your computer you began using the default profile and haven't thought about it since. You probably installed your favourite programs, maybe set up Microsoft Office, installed Chrome, a few games, etc. and went on with life. But the power to perform these functions also leaves you open to unnecessary risk.
Many common computer problems such as accidentally installing malware, viruses, or accidentally breaking parts of your computer can be avoided by not using the administrator profile and instead setting yourself up with a standard user profile.
A standard computer user profile cannot install software (or malware) or affect system wide changes. As a result, risk is significantly reduced.
For this reason IT administrators ensure users have standard profiles and admin profiles are reserved for making changes by IT staff. This improves security, accountability, risk mitigation and compliance requirements, while still allowing all team members to perform their jobs unhindered.
If you do not have IT staff or a Managed IT Services Company to take care of your technology, you can still create a standard user profile for your day to day use. Switching to a standard user profile in Windows comes with some adjustments.
After making the switch from an administrator profile to a standard user profile, there will be a few things that may be irksome for you during your daily computer use, such as updating Java or Adobe Flash, as these software installations can only be done by an administrator, but, the benefits greatly outweigh the minor annoyances.
It only takes a few clicks to log out of your standard user profile and into your administrator profile to install your desired software, then switch back to continue regular computer use, internet browsing etc - all while staying safer from attack vectors.
You can also opt to "run as administrator" and then enter the administrator credentials when prompted during any software installation.
For greater security, you might consider outsourced IT services to not only setup and manage all your secure technology, but also to vet software before installation. It is now common place to have hackers post fake ads and download pages to attempt to trick people into downloading virus infected version of software we all know and trust, such as Microsoft Teams or Excel. Also, your staff may search for quick ways to edit a PDF or a JPG, and unknowingly install a virus infected software. It's best practice to have your outsourced IT company, also known as a Managed Services Provider, vet everything for you.
That said, let's get started on removing administrative control from a computer.
Ready to stop scrolling and get support?
Get IT Support in Toronto
Schedule a Discovery Call with TUCU today. Tell us your techaches. We'll provide options and an estimate.
Video Tutorial To Remove Administrator Rights In Windows
The example is a a Windows 7 computer, but the procedure is almost identical for Windows 8 and Windows 10. The biggest difference being how you get to the control panel.
Referencing the video (sorry it is a little blurry - I'll do better next time) we see that this computer is configured with a single administrator user profile, exactly how factory shipped computers are sent out. We will be:
- creating a new user account
- assigning administrator privileges to it
- and then revoking our own
This will make for a smoother transition if you've been using your computer for a while and do not wish to set everything up again from scratch.
- Click start.
- Select Control Panel.
- Click Add or remove user accounts under the User accounts and Family Safety" parent group.
- You'll see that just under my name I am listed as an administrator, we will change this in a later step.
- You'll also see that there is a guest account that is disabled by default. Best to leave it that way.
- Click "Create new account".
- Enter the new username in the "new account name" field. This can be anything you like, it is best to use a name that is easy to identify as the administrator account. Lets call it admin, since the word administrator is reserved for a hidden account in windows.
- You'll notice the radio buttons for the two options below that.
- The first is for a standard user and the description is "Standard account users can use most software and change system settings that do not affect other users or the security of the computer".
- The second is "administrators" and reads; "Administrators have complete access to the computer and can make and desired changes. Based on the notification settings, administrators may be asked to provide their password or confirmation before making changes that affect other users".
- We want the new account to be the administrator, so we will select that radio button.
- Click "Create account".
- You'll notice a second icon beside my name in the account window. This is our new user "admin".
- Lets now log out of our own account and into the new admin account.
- Click start, then hover your mouse on the small triangle on the shutdown button.
- Select logoff.
Note: If you were used to your computer going straight into Windows previously, you'll now be greeted by this screen which is a list of the user accounts on this computer.
- Click on Admin. The computer will create your admin profile which involves setting up a home folder for you and several behind the scenes tasks that aren't important to the task at hand. When this is complete, you'll be greeted with a new profile without any customizations.
Note: We haven't yet set a password for this account, so let's do that now.
- Click start
- Click control panel
- Click on User accounts and Family safety
- Click on Change your windows password
- Then, click create a password for your account.
Note: You'll need to enter the new password twice here. Use a strong password, but one that you'll remember, and then enter a hint that will only be relevant to you.
Finally, click the create password button. This will take us back to the previous screen that shows us our new account name "admin" with our account privileges "Administrator" and that the account is password protected.
Note: Now it is time to revoke our original account's administrative control of the computer. Since this type of change is something that only an administrator can do, it will be done from within our new "admin" account that we are presently logged in to.
- Click on "Manage another account" select your original account name. My user account is labeled Adam. Yours could be your own name, or it could be one that your computer manufacturer decided was appropriate, but it will probably be the only other account listed aside from the guest account. Click on the account you wish to change.
- Click "change the account type".
- Click the "standard user" radio button if it isn't automatically selected, because we don't want our regular account to be an administrator any more. Then click the change our account type button.
- You'll now see under my account name that it says "standard user" instead of Administrator.
- Lets go back into that account now.
- Click start, then hover your mouse on the small triangle on the shutdown button.
- Select logoff.
- Click on your account - whatever you named it - NOT the administrator account.
We are done, you are now in a restricted user account that will have a much more difficult time accidentally damaging your Windows installation with malware.
Testing Our Work
Let's see what happens when we try to perform a system change that would affect another user now. For example, let me try to remove the password for the "admin" account.
- Click start, control panel, user accounts and family safety.
- Click user accounts.
- Click manage another account.
You'll see that we are now asked for the password for the admin account. We can either enter this password if we are certain that we want to proceed with the operation that prompted the dialog popup, or cancel the process if this is not what we had intended to do with our computer. If a malicious software was attempting to install itself, it would almost certainly be blocked by this password dialog and only be able to install itself if you entered the password.
Another benefit of multiple user accounts is added protection for each user, and custom settings for each user. Multiple user accounts are helpful in a business environment where a computer has staff rotation (reception desk, kiosk) or a home computer that your kids use for games and homework. You can use this process to block their ability to accidentally or intentionally make changes that could damage the operating system of the computer. Keep that administrator password safe!
I hope that you've found this tutorial helpful. Go ahead and give it a try.
Not a DIY type? Our Toronto IT Support Company is here to help.
Say goodbye to techaches!
We understand that you need a reliable IT company you can trust. Join our long list of happy clients dating back to 2003.
Reach out now to schedule your Discovery Call to learn how we can help you.