Honestly, just a password.
Windows includes two types of accounts:
- Administrator
- Standard User, sometimes called Limited User
There’s also a third account which is also referred to as “administrator”.
But the administrator account isn’t really the administrator account, and all the accounts can do administrator things. The difference between them all is how easy it is to do those administrative things.
Become a Patron of Ask Leo! and go ad-free!
Administrator account and a Limited User account
Windows includes three types of accounts:
- Administrator-capable accounts that prompt for UAC (User-account Control pop-up alerts) approval.
- Standard (or Limited) User accounts that require an admin password for privileged actions.
- The (hidden) true Administrator account that has full privileges but is disabled by default for security reasons.
Administrator accounts
I prefer to call these “Administrator-capable” accounts. The first account you create when setting up a Windows machine is usually administrator-capable.
What this means is that you’re normally running without administrative privileges. If you try to do something requiring administrator rights, you’ll:
- Be notified via a UAC prompt
- Only need to click on OK to proceed
This is why I call it “administrator capable”: you’re not running with administrator privileges all the time, but when you need them, they’re just a click away.
Why? This alerts you that something happening right now requires administrative access. If that’s something you’re doing, great! Click OK. If it’s not, however, it requires further investigation because it might be malware.
Standard User accounts
Standard User accounts are often referred to as Limited User accounts because what they’re allowed to do by default is, well, limited. But they’re “limited” only by the user’s knowledge of an administrator password. If a Standard User tries to do something requiring administrator privileges, they will:
- Be notified via a UAC prompt
- Need to provide the password to an administrator-capable account.
This allows you to control who is authorized to make administrator-level changes to the computer.
- People who may make changes are given the administrator password.
- People who may not make changes are not.
In practice, there’s really no difference between the first and just letting them have an administrator-capable account to begin with. Standard User accounts are great for those who shouldn’t be making changes, period.
The “real” administrator account
In addition to the initial account and any you create later, there’s an additional account that is disabled by default.
This account’s username is “administrator”. When enabled, signing into this account gives you administrator privileges at all times. There’s no UAC prompt.
This is dangerous since malware will have little to stop it and any mistakes you make while running as administrator could be catastrophic.
This is why the account is disabled by default. If you understand the ramifications and want to enable it, see How to Enable the Administrator Account in Windows.
Do this
The default administrator account you set up when installing Windows is probably all you need. You can perform administrator tasks while still having the safety of UAC notifications along the way.
This isn’t limited: Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
I’m very glad you wrote this tip today, because I realized that an Adobe tech had activated the hidden administrator account while troubleshooting a problem, but of course, had not set a password. I just went in and set a password for the hidden admin account, but I was wide open for weeks…
That sounds like a good argument to enable the hidden Administrator account. I always enable it. I’ve used it access files that I had a hard time accessing otherwise.
I remember in the old days, I could use most display computers in shops bu activating the Administrator account. It didn’t require a password to set up. In those days, anybody could get into almost any computer.
If I’m using Microsoft Account, it’s just administrator-capable so it prompts me if I have UAC activated but if not. It will be similar to the true administrator account where is no UAC prompt or the risk is mitigated due to existing Microsoft password?
PS First time here and I’m not sure my comment is sent so i’m trying 2-nd time. Please delete this.