Change user account type | Business Information Technology Services

Microsoft vulnerability report for 2014 is available from Aveco. The report evaluation centered on critical vulnerabilities, 240 of them in 2014. Subjectively selected statistics from the referenced report:

Of the 240 vulnerabilities in 2014 with a Critical rating, 97% were concluded to be mitigated by removing administrator rights

98% of Critical vulnerabilities affecting Windows OS could be mitigated by removing admin rights

99.5% of all vulnerabilities in Internet Explorer could be mitigated by removing admin rights

80% of all Microsoft Vulnerabilities reported by us in 2014 could be mitigated by removing admin rights vs 60% in 2013

That’s right, just by removing admin rights for your user account, you’d be immune to 232.8 while remaining vulnerable to 7.2 critical vulnerabilities in 2014. The statistics for 2014 vs. 2013 is impressive, Microsoft Security is moving in to the right direction. 20% increase for security just for removing admin rights is a great improvement.

This blog had been emphasizing the importance of removing the admin rights for your daily user account in this pervious blog. The short version is that any programs, scripts, etc., that gets on your system will be executed under local administrator access rights. Weather you know this or not, it does not matter for the malware, it just wants to take a hold of your system on the easy way.

Microsoft does not make it easy for the end users not to have admin rights for your user account. Quiet the opposite, the Windows installation routine assigns local administrator access to the first account created during the setup. Instead of asking the end user for creating two accounts, one user account for daily use and the other for local administrator access if and when necessary.

Microsoft is missing an opportunity to provide end user training during the Windows installation routine. Instead of all of the “mumbo-jumbo” about the necessity of using your Microsoft account for creating your user ID, Microsoft should provide briefing about the importance of the two different accounts and their overall impact for the system security.

If you feel compelled to change your user account type, this blog provides instruction for removing the admin right for your daily user account. After reading the referenced report, there’s really no reason for not changing the account type…

In my previous blog, I’ve emphasized the importance of not using administrator account for everyday tasks, such as reading your email, browsing the web, running your programs etc. In this blog, we’ll look at how to remove the administrator access from the first account that you have created during the Windows installation process.

By default, Windows installation proceeds with the administrator account, amply named “Administrator”. This is the initial account that has full access to the system and installs all the necessary drivers, programs, etc. When the installation is about to be completed, Windows will force you to create a user account with a password. This account name cannot be the name of existing accounts, but other than that, you’re free to choose a name. This first account created is assigned “Administrator” rights by the installation routine and the initial “Administrator” account is disabled. This installation routine first appeared in Windows Vista and continued with Windows 7, Windows 8.x, and presumable will be the same in Windows 9.

Back to the subject on hand and let’s remove administrator access for the first user account created in Windows…

The process is simple enough and the basic steps are:

Create a new administrator account
Login with the new administrator account
Change account type for the “%Default first user%”

There’s no way to know the name of the first account that you’ve assigned on your system. For the purpose of this blog, the name of the first account is indicated by the variable of:

“%Default first user%”

Please substitute this name with your first account you’ve created during Windows installation.

Step 1:
Open up the “Control Panel” and you should see this, if you have “Category” listing selected:

Select “Add or remove user accounts”, note the little shield front of it, under the “User Account and Family Safety” category. The little shield indicates, that using this step will require local administrator access, if your system had not been modified since installation. In which case, the User Access Control (UAC) warning like this will pop up first:

The UAC window on your system will have your first account’s name prepopulated, instead of the shown “%Default first user%” variable. You will not see this warning, if the UAC is disabled.

Enter your password for the account, click “OK”, to see the current accounts on your system:

In this window, click on “Create a new account”:

Choose a name for the new account that is meaningful for you. it can be anything you’d want. For the purpose of this blog, the account is named “Test admin”; substitute this name with your choice. Select “Administrator” for the account type and click on “Create account”, that brings up the current user accounts listing window, with the new account:

There’s no requirements for creating a password for the new account and it is created by the system with no password. In the computer world, no password is a password. Depending on the password policy on the system, you could:

Logon with the new account without password
The first logon will force you to change the password

You have couple of choices for setting a password for the new account:

Set the password using the Control panel
Change password at time of first logon with the new account
Login with no password and change it

In either case, you should set a password that is 6-8 character long, non-dictionary word, include a number, and/or special character.

Log off your account and proceed to the next step…

Step two:
This is a simple step, just select the newly created account, type in the password, and hit “Enter” to login with the new account. Initially, Windows will set up the new account and starts up the new profile.

Step three:
In this step, you’ll remove administrator access from the “%Default first user%”, again, please substitute the this name with your account’s name. As explained earlier, open Control Panel, under the “User Account and Family Safety” category, click on “Add or remove user accounts”:

Click on the “%Default first user%”, substitute this variable with the name of your account to show the available options:

The options include “Create a password” that you could use in “Step one” for setting the password for the new account created.

Click on change the account type:

Select “Standard user” and click on “Change Account Type”:

You’re pretty much done, logoff from the new administrator account. Test the modified account without local administrator access to the system, logon with this account. Your personalization of desktop, shortcuts, etc., did not change. Most if not all programs will run just fine with standard user access to the system. For programs that require administrator level access, the system will popup a UAC warning. You really should consider replacing this program, but that might not be an option. In which case, just enter the password for the administrator account and the program will run.

If removing the administrator access from the “%Default first user%” causing issues with your system and/or limits your productivity, reverse the process in “Step three”.

Category Archives: Change user account type

Why you should read reports…

How to change user account type in Windows…