You’re probably already using one. Sort of.
Unfortunately, in my experience, they’re also effective at reducing what you can do with your computer.
Besides, for all intents and purposes, you’re probably already using one. Sort of.
Limited user accounts
You can add new accounts to Windows with limited privileges, called Standard accounts, using the Settings app. This can be useful for granting access to people whom you don’t completely trust to be secure. For average users, the “administrator-capable” account set up by default is secure enough as long as you pay attention to UAC prompts.
The concept behind Limited User Accounts (LUA) is this: you don’t need every privilege on your machine in order to do most day-to-day things. Surfing the web, sending email, writing documents, or balancing your checkbook do not and should not require anything other than the most basic of permissions.
Restricting certain permissions — for example, the ability to write to certain folders — makes it more difficult for malware to do those things. Since a lot of malware relies on those types of operations, it’s an effective strategy.
Even though I have my own frustrations with it, which I’ll discuss below, I do recommend trying it as a step towards increasing the security of your system. I particularly like the idea of families setting up their children’s accounts on a shared computer with LUA.
Setting up LUA
Let’s look at how to set up a LUA, and then I’ll tell you my experience with using them.
You must have one Administrator-capable account on your machine. Typically, it’ll be the one you created when you initially installed or set up Windows.
While signed into that account, create a new user account. Start by opening the Settings app and clicking on Accounts.
On the resulting page, click on Family & other users, and then Add someone else to this PC.
On the next page, enter the email address of the Microsoft account belonging to the new user.
Click on Next, and you’re done. The new account will appear in the list of accounts on the machine.
To confirm that the account is a Standard Account, click on the account and then on Change account type.
You should see it listed as Standard User.
My LUA frustrations
Every time I’ve tried setting up a LUA for my own use, I’ve become frustrated. Eventually, I ended up reverting that account to full administrative privileges.
My frustration is not with LUA itself, but with other software.
I keep running into things I can’t do. For example, installing software is an issue using a LUA. You’ll generally need to run “as” administrator or respond to a UAC prompt with a password to complete the install.
There are workarounds. You could temporarily change the Limited account to Administrator just long enough to install whatever needs installing. But there are other complications, and it’s an additional, cumbersome step to what’s already a complicated process.
There is a fundamental conflict here: you want to prevent installation of malware while allowing the installation of trusted applications. Unfortunately, there’s no easy way for your computer to distinguish between malware and an application you trust, so LUAs must put up a barrier to both, usually in the form of a User Account Control (UAC) prompt — those boxes that ask if you’re sure you want this software to make changes to your computer.
A more fundamental problem is that while some applications need it, too many demand administrative privileges when they don’t. As a result, you can’t install or run them from a LUA.
Besides, you’re already limited
Do you ever try to do something and get a notification that you have to be the Administrator to take that action? We think the account we create when we set up our computer is an Administrator account. It’s often the only account on the machine — how could it not have Administrator privileges?
It’s not. Not really.
I think of that account as administrator-capable.
Even though you’re logged into what you consider to be, and everyone calls, an administrator account, you’re really running with limited privileges.
That means if you attempt to do something that requires administrative privileges, you’ll be faced with a UAC prompt asking you to confirm you really want to do what you’re trying to do.
- Administrator-capable accounts need only click OK in order to proceed.
- Standard (LUA) accounts also get a UAC prompt, but it requires an administrator’s password before you can click OK.
That’s 90% of the difference: whether or not you need to specify a password. Give the kids their own LUA account, but don’t give them the administrator password, and they can’t do administrator things like downloading apps. Using your own administrator-capable account, all you need do is click OK.
As long as you pay attention to the UAC prompts and don’t OK anything you don’t expect, you’re as safe as an LUA.
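The distinction described above, and the "confirm the account is Standard" step from the setup section, can both be checked from PowerShell. This is an added example, not part of the original article; the variable names are my own, and it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets.

```powershell
# Added example: list which accounts on this PC are administrator-capable
# versus Standard, then show whether THIS session is actually elevated.

# Well-known SID of the built-in Administrators group (same in every language).
$adminSid = 'S-1-5-32-544'

# SIDs of the direct members of the Administrators group.
# Note: members that are themselves groups are not expanded here.
$adminMembers = @(Get-LocalGroupMember -SID $adminSid |
    ForEach-Object { $_.SID.Value })

# Classify every enabled account. PrincipalSource shows whether the
# account is Local or a MicrosoftAccount.
Get-LocalUser | Where-Object Enabled | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.Name
        AccountType = if ($adminMembers -contains $_.SID.Value) {
                          'Administrator-capable'
                      } else {
                          'Standard'
                      }
        Source      = $_.PrincipalSource
    }
} | Format-Table -AutoSize

# Now look at the current session. With UAC on, an administrator-capable
# account still runs with a limited token until a prompt is approved,
# so IsInRole(Administrator) returns False in a normal window.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$elevated  = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$inAdminGroup = $adminMembers -contains $identity.User.Value

if ($elevated) {
    'This session is elevated: it has full administrator privileges.'
} elseif ($inAdminGroup) {
    'Administrator-capable account running limited: UAC will ask you to click OK.'
} else {
    'Standard account: UAC will ask for an administrator password.'
}
```

Run it in an ordinary (not "Run as administrator") PowerShell window to see the limited state the article describes.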
About security software
The good news here relates to your question about security software.
This software is installed at the system level and works on the entire machine, regardless of what user you are signed in as or even whether you’re signed in at all.
Similarly, Windows Update runs regardless of the accounts you have on your machine.
Unless you have people using your computer that you don’t trust, do nothing. Use your administrator-capable account and pay attention to UAC prompts.
If you have kids or other individuals using your computer that you don’t feel comfortable trusting, give them their own LUA account, and you’ll know they can’t do much damage.