On Windows 10, users with administrator privileges have complete control over the OS and their apps have unrestricted access to the computer. Although you may proactively keep up with system and antivirus updates, follow the best security practices, and be careful using the internet and checking email attachments, there is still a chance that malicious programs, such as malware, could gain access to your device.

Running as administrator, an exploit can more easily gain control of your system. It can install rootkits, keyloggers, and other suspect services without you knowing. A malicious program can also modify and delete files, and even prevent devices from booting. However, using a user account with fewer privileges can block most attacks.

Although it's usually recommended to use a standard user account for nontechnical users, in general, it's also good practice to make everyone (including you) use a limited account to make your device more secure. Then when it becomes necessary to perform a task that requires elevation, you can set a separate account to use the "Run as administrator" option.

In this Windows 10 guide, we walk you through the steps to use your computer without administrator privileges to protect your system from malicious programs and accidental changes, while still remaining in control.

How to create a new administrator account on Windows 10

In order to make your account more restricted but still make sure it is possible to perform administrative tasks, you need to configure a separate account that will only be used to authorize tasks that require elevation.

One way you can do this is by creating a new local account using these steps:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Family & other people.
  4. Under "Other People," click the Add someone else to this PC option.

  5. Click the I don't have this person's sign-in information link.

    • Note: Typically, you'd want to create a new Windows 10 account using a Microsoft account, but in this case it's not a requirement because the account will only be used for administrative tasks.
  6. Click the Add a user without a Microsoft account link.

  7. Type the username and password you want to use. For example, admin or root.
  8. Click Next.

  9. Select the newly created account, and click Change account type.

  10. In the "Account type" drop-down menu, select Administrator.
  11. Click OK.

Once you've completed these steps, the last thing left to do is to change your account type to a Standard User account.

How to change your account type on Windows 10

In Windows 10, an Administrator account is a member of the Administrators and Users groups, which means that to make the account a Standard User, you only need to remove your account from the Administrators group.

You can sign-in to the newly created account to change your account type to Standard User using the Settings app, but you can also use the Computer Management console, and simply remove the account from the Administrators group.

To switch your account type to a Standard User, do the following:

  1. Open Start.
  2. Search for Computer Management and click the result to open the console.
  3. Browse the following path:

    System Tools > Local Users and Groups > Users

  4. Double-click your Windows 10 account — the one you want to switch to a Standard User account.

  5. Click on Member Of tab.
  6. Select Administrators from the list.
  7. Click the Remove button.

  8. Click Apply.
  9. Click OK.
  10. Sign out and sign back in to apply the changes.

After completing these steps, your account will have fewer privileges and apps won't be allowed to make system changes, making your system more secure against malware.

When the time comes that you need to perform a task that requires administrator rights, you can always right-click the app and use the Run as Administrator option with the credential of the administrator account. Or you can temporarily sign into the administrator account to make system changes, and then sign back into your personal account.

If you want, it's also possible to keep the new account hidden from the lock screen.

How to go back to the previous settings

If you no longer want to use a Standard User account, you can quickly roll back the changes using these steps:

  1. Open Start.
  2. Search for Computer Management.
  3. Right-click the result, and select Run as administrator.
  4. Browse the following path:

    System Tools > Local Users and Groups > Users

  5. Double-click your account.

  6. Click on Member Of tab.
  7. Click the Add button.

  8. Type administrators in the object field.
  9. Click the Check Names button.
  10. Click OK.

  11. Click Apply.
  12. Click OK again.
  13. Sign out and sign back in to apply the changes.
  14. Open Settings.
  15. Click on Accounts.
  16. Click on Family & other people.
  17. Under "Other people," select the administrator account you created earlier.
  18. Click the Remove button.

  19. Click the Delete account and data button.

You'll find that using this approach is similar to using the User Account Control with its highest level, but switching to a more restrictive account can make your computer even less vulnerable to malicious programs.

Remember that sometimes depending on the environment and apps requirements, it's not always possible to use a more restricted account. However, whenever possible, if you're just using the device to create and consume content, you should consider making the switch.

While this guide is focused on Windows 10, the same concept can also be applied to Windows 8.1, Windows 7, and previous versions.

More Windows 10 resources

For more helpful articles, coverage, and answers to common questions about Windows 10, visit the following resources: