Windows Security

Local admin vs standard user accounts

Practical Windows guide: local admin vs standard user accounts without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026
Windows library Start the guide

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Understand the difference between local administrator and standard user accounts, and run daily work as standard while keeping an admin account for changes.

1) What each account type can do

  1. Administrator can install software, change system settings, and modify other users — UAC prompts appear but the account can consent.
  2. Standard user can run apps and change personal settings but cannot install system-wide software or alter security without an admin password.
  3. Malware running as standard user has fewer privileges to compromise the whole system.

2) Check your current account type

  1. Open Settings → Accounts → Your info.
  2. Under your name, read Administrator or Standard user.
  3. Or run net user %username% in Command Prompt — look for Local Group Memberships.

3) Create a standard account for daily use

  1. Settings → Accounts → Other users → Add account (Windows 11) or Family & other users (Windows 10).
  2. Create a local or Microsoft account, then change its type to Standard User.
  3. Keep one separate admin account with a strong password — sign into it only for installs and system changes.

4) Manage groups with lusrmgr (Pro)

Press Win + R, type lusrmgr.msc:

  1. Open Groups → Administrators — only trusted accounts should appear.
  2. Remove daily-use accounts from Administrators and add them to Users.

5) UAC behaviour per account type

  1. Admins see consent prompts; standard users see credential prompts requiring admin username/password.
  2. Run specific installers as admin without logging into admin desktop: right-click → Run as administrator while signed in as standard.

6) Rename default Administrator

  1. lusrmgr.msc → Users → rename Administrator account on servers and shared PCs to reduce brute-force target.

7) Admin Approval Mode

  1. Split token behaviour: even admins run most processes as standard until elevation — do not confuse with pure standard accounts.

8) Fast User Switching and admin tasks

  1. Standard user can elevate per-task without switching accounts if admin credentials known — UAC credential box accepts separate admin account.
  2. Shared family PC: one admin, multiple standard child accounts with Microsoft Family controls.

Verification checklist

Verify daily account cannot install software without UAC credential prompt. Attempt Settings change requiring elevation — should prompt, not silently succeed.

  1. Reboot once after changes that affect services, drivers, or firmware.
  2. Confirm the original problem is resolved under normal daily use, not only immediately after the fix.
  3. Note date, Windows version (Settings → System → About), and what changed in your personal runbook for next time.

Related guides

admin local standard vs windows

Related guides

Continue with these next if you are building a fuller setup or troubleshooting path.

Security
Windows Defender exclusions (when safe)
Practical Windows guide: windows Defender exclusions (when safe) without the usual guesswork.
Read guide
Security
Disable Remote Desktop when not needed
Practical Windows guide: disable Remote Desktop when not needed without the usual guesswork.
Read guide