
How to make Windows 10 more secure by using a standard user account

On Windows 10, users with administrator privileges have complete control over the OS, and their apps have unrestricted access to the computer. Although you may proactively keep up with system and antivirus updates, follow the best security practices, and be careful using the internet and checking email attachments, there is still a chance that malware could gain access to your device.

Running as administrator, an exploit can more easily gain control of your system. It can install rootkits, keyloggers, and other suspect services without you knowing. A malicious program can also modify and delete files, and even prevent devices from booting. However, using a user account with fewer privileges can block most attacks.

Although a standard user account is usually recommended for nontechnical users, it's also good practice to make everyone (including you) use a limited account to make your device more secure. Then, when it becomes necessary to perform a task that requires elevation, you can use a separate account with the "Run as administrator" option.

In this Windows 10 guide, we walk you through the steps to use your computer without administrator privileges to protect your system from malicious programs and accidental changes, while still remaining in control.

How to create a new administrator account on Windows 10

In order to make your account more restricted but still make sure it is possible to perform administrative tasks, you need to configure a separate account that will only be used to authorize tasks that require elevation.

One way you can do this is by creating a new local account using these steps:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Family & other people.
  4. Under "Other People," click the Add someone else to this PC option.
  5. Click the I don't have this person's sign-in information link.
    • Note: Typically, you'd want to create a new Windows 10 account using a Microsoft account, but in this case it's not a requirement because the account will only be used for administrative tasks.
  6. Click the Add a user without a Microsoft account link.
  7. Type the username and password you want to use. For example, admin or root.
  8. Click Next.
  9. Select the newly created account, and click Change account type.
  10. In the "Account type" drop-down menu, select Administrator.
  11. Click OK.

Once you've completed these steps, the last thing left to do is to change your account type to a Standard User account.

How to change your account type on Windows 10

In Windows 10, an Administrator account is a member of the Administrators and Users groups, which means that to make the account a Standard User, you only need to remove your account from the Administrators group.

You can sign in to the newly created account and change your account type to Standard User using the Settings app, but you can also use the Computer Management console and simply remove the account from the Administrators group.

To switch your account type to a Standard User, do the following:

  1. Open Start.
  2. Search for Computer Management and click the result to open the console.
  3. Browse the following path: System Tools > Local Users and Groups > Users
  4. Double-click your Windows 10 account, the one you want to switch to a Standard User account.
  5. Click on the Member Of tab.
  6. Select Administrators from the list.
  7. Click the Remove button.
  8. Click Apply.
  9. Click OK.
  10. Sign out and sign back in to apply the changes.

After completing these steps, your account will have fewer privileges and apps won't be allowed to make system changes, making your system more secure against malware.
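The two procedures above (create a separate administrator account, then remove your own account from the Administrators group) can also be scripted. This is an added example, not part of the original guide: it uses the built-in LocalAccounts cmdlets from an elevated Windows PowerShell 5.1 prompt, assumes both accounts are local accounts, and uses `LocalAdmin` as a placeholder name. Unlike the manual steps, it refuses to demote your account unless another enabled administrator exists.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the two GUI procedures above.
# 'LocalAdmin' is a hypothetical name; run this while your daily account is
# still an administrator so that $env:USERNAME refers to that account.
param(
    [string]$AdminName = 'LocalAdmin',     # assumed name of the elevation-only account
    [string]$DailyUser = $env:USERNAME     # account to demote to Standard User
)

$AdminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

# 1. Create the elevation-only local account if it does not exist yet.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $AdminName" -AsSecureString
    New-LocalUser -Name $AdminName -Password $password `
        -Description 'Used only to approve elevation prompts' | Out-Null
}

# 2. Add it to Administrators (skip if it is already a member).
$members = Get-LocalGroupMember -SID $AdminsSid
if ($members.Name -notcontains "$env:COMPUTERNAME\$AdminName") {
    Add-LocalGroupMember -SID $AdminsSid -Member $AdminName
}

# 3. Safety check: only demote the daily account if another *enabled* local
#    administrator remains, otherwise nobody could elevate afterwards.
$otherAdmins = Get-LocalGroupMember -SID $AdminsSid |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { Get-LocalUser -SID $_.SID } |
    Where-Object { $_.Enabled -and $_.Name -ne $DailyUser }
if (-not $otherAdmins) {
    throw "No other enabled local administrator; refusing to demote $DailyUser."
}

# 4. Remove the daily account from Administrators; it stays in Users.
Remove-LocalGroupMember -SID $AdminsSid -Member $DailyUser

# 5. Show who can still elevate on this PC.
Get-LocalGroupMember -SID $AdminsSid | Select-Object Name, PrincipalSource
```

As with the manual steps, sign out and back in for the change to take effect.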

When you need to perform a task that requires administrator rights, you can always right-click the app and use the Run as Administrator option with the credentials of the administrator account. Or you can temporarily sign in to the administrator account to make system changes, and then sign back in to your personal account.

If you want, it's also possible to keep the new account hidden from the lock screen.

How to go back to the previous settings

If you no longer want to use a Standard User account, you can quickly roll back the changes using these steps:

  1. Open Start.
  2. Search for Computer Management.
  3. Right-click the result, and select Run as administrator.
  4. Browse the following path: System Tools > Local Users and Groups > Users
  5. Double-click your account.
  6. Click on the Member Of tab.
  7. Click the Add button.
  8. Type administrators in the object field.
  9. Click the Check Names button.
  10. Click OK.
  11. Click Apply.
  12. Click OK again.
  13. Sign out and sign back in to apply the changes.
  14. Open Settings.
  15. Click on Accounts.
  16. Click on Family & other people.
  17. Under "Other people," select the administrator account you created earlier.
  18. Click the Remove button.
  19. Click the Delete account and data button.

You'll find that using this approach is similar to using the User Account Control with its highest level, but switching to a more restrictive account can make your computer even less vulnerable to malicious programs.

Remember that, depending on the environment and app requirements, it's not always possible to use a more restricted account. However, whenever possible, if you're just using the device to create and consume content, you should consider making the switch.

While this guide is focused on Windows 10, the same concept can also be applied to Windows 8.1, Windows 7, and previous versions.


Mauro Huculak is a technical writer for WindowsCentral.com. His primary focus is to write comprehensive how-tos to help users get the most out of Windows 10 and its many related technologies. He has an IT background with professional certifications from Microsoft, Cisco, and CompTIA, and he's a recognized member of the Microsoft MVP community.

20 Comments
  • I did all of the above, when removing my account from the admin group, clicking apply, logging out and logging in again my account had disappeared!! - I reversed the process via new admin account and thank god it's back! - am on 10 Pro, worked by logging into admin and changing daily acc to standard though.
  • You don't need to use an admin account for your everyday tasks. By default, Windows 10 logs in with an admin account. I converted my admin account to a standard account. Also, Windows 10 comes with a built-in admin account which is hidden
  • Whenever possible, you want to avoid using that built-in Administrator account.
  • Because....?
  • Because no one person should have that much power.
  • Built-in admin vs manually created admin have the exact same privileges.
  • That's what I thought :)
  • When you use the built-in Administrator account by default you won't get a UAC prompt when trying to run something elevated, but if you create a new account with admin right, you will see a UAC prompt, which makes things a bit more secure.
  • You can change the UAC prompt settings.
  • That's because the built-in Administrator is the true administrator of the system. All other Administrators in the group utilize the least privileged user execution model, which makes this article useless btw.
  • This seems rather pointless; just keep the User Account Control settings at the default setting.  Even if you login with an account that is in Administrators, since UAC was introduced you don't have the admin token tied to your account.  When you try to do something that needs admin, the UAC prompt appears (on a secure desktop, so apps can automate clicking it) and you can click Yes.   If you're worried about walking away for a minute, get in the habit of using WIN+L to lock your screen (and require a password to unlock).  
  • Did you mean "on a secure desktop, so apps can't automate clicking it"?
  • Yes, that's what he meant.
  • Unfortunately there are still badly coded programs around which ask continuously for Admin rights. And if you run them "run as Admin", then they have their settings and data stored under the Admin account, and not yours. I almost went crazy with the Fotobook Program from Fuji because of that. Since then, I upgraded back to Admin. And pay attention not to click blindly YES on the UAC prompt.
  • When I setup a new PC, I always do this. You would never dream of logging into Linux as Root and working like that. Why do it in Windows?
  • Because Windows has used the least privileged user execution model since Windows Vista. It's been refined in every release since. Might want to head to technet and read up on it.
  • UAC is not a security boundary and MS has said so since 2007. You can google those words and check. The only real secure method is to not run as admin. 
  • You'll find that using this approach is similar to using the User Account Control with its highest level
    This is the better path to take. From my observation, Windows generally expects the owner, administrator, and primary user of a machine to be the same person unless you're on an Enterprise edition. I could definitely see this causing headaches with permissions and whatnot down the road. It may be slightly more effective, but I don't see where the hassle is worth it. Max the UAC setting, patch your PC, keep Windows Defender or whatever 3rd party AV you have up to date and you should be just fine.
  • I've been using a standard account for years; when questioned why, I've mentioned for security yet no one understood.  Thank you Windows Central for re-surfacing this security alternative.  Now I can direct those who question with why; to this page. It's wise to be a smart Windows User.
  • like a pen with no ball ....pointless to be secure isn't about doing what's already done 1st step after system install is to get rid of Administrator and all other default users and to assign all these privilege to your fresh new account , one real Admin to rule them all. 2nd step is to play with the folders privilege and give proper credentials to the one u dont want to mess around with 3rd Step educate yourself , no tricks or software can save your (3 letters) from being stupid and infected The rest is written just to harvest clicks and milk you as a cow. GL.