Create a Secure Admin Account + Use UAC the Right Way in Windows 10/11
Difficulty: Intermediate | Time Required: 20 minutesRunning day-to-day as an administrator is one of the most common (and most avoidable) Windows security mistakes. The problem: many apps, installers, and scripts will silently inherit admin-level access if you’re logged in as an admin—meaning malware gets the same privilege. User Account Control (UAC) helps, but it works best when you combine it with a separate, locked-down admin account and a standard daily-use account.
This guide walks you through a practical setup used by many IT pros: keep a dedicated “break glass” admin account for system changes, and let UAC do its job for everything else.
Prerequisites
- Windows 10 or Windows 11 (Home, Pro, or higher)
- You can sign in to Windows with an account that currently has administrator rights (at least temporarily)
- You should know your current password (or have access to reset options)
- Optional but recommended: a Microsoft account for your daily-use login (better recovery options and sync)
Note on editions: Windows 10/11 Home includes UAC settings and user management, but it does not include Local Security Policy (secpol.msc). Pro/Enterprise/Education have more granular policies.
Step-by-Step: Create a Dedicated Secure Admin Account
1) Decide on the model (recommended)
The safest common setup is:- Daily account: Standard user (no admin rights)
- Admin account: Local admin used only when prompted by UAC or for maintenance
Why this works: Even if something runs in your daily session, it won’t have admin rights unless you explicitly approve and enter admin credentials.
2) Create a new local admin account (the “maintenance” admin)
Windows 11
- Open Settings → Accounts → Other users.
- Next to Add other user, click Add account.
- In the prompt, click I don’t have this person’s sign-in information.
- Click Add a user without a Microsoft account.
- Enter a username like
PC-Maintenance(avoid “Admin” as a name), set a strong password, and add security questions.
Windows 10
- Open Settings → Accounts → Family & other users.
- Under Other users, click Add someone else to this PC.
- Choose I don’t have this person’s sign-in information → Add a user without a Microsoft account.
- Create the account with a strong password.
- Back in Other users, select the new account.
- Click Change account type.
- Set Account type: Administrator → OK.
Warning: Do not reuse passwords from your email or online accounts. If you can, use a password manager to generate a long random password.
3) Keep your daily account, but remove admin rights (most important step)
If your current account is your daily driver and it’s an Administrator, convert it to Standard.Settings method (Windows 10/11)
- Open Settings → Accounts → Other users.
- Select your daily account.
- Click Change account type.
- Set it to Standard User → OK.
Important: Before downgrading your daily account, confirm the newPC-Maintenanceadmin account works (you can sign into it and open Settings).
4) (Optional) Disable the built-in “Administrator” account if it’s enabled
Some systems have the hidden built-in Administrator enabled (common on older upgrades or custom setups). It’s a high-value target and should generally remain disabled.- Right-click Start → Windows Terminal (Admin).
- Run:
net user administrator
If it says “Account active: Yes”, disable it:
net user administrator /active:no
Note: This built-in account behaves differently with UAC and is often exempt from some prompts. Keeping it disabled reduces attack surface.
Step-by-Step: Configure UAC the Right Way
UAC isn’t just a pop-up; it’s a security boundary that helps prevent silent elevation. The goal is to keep it enabled and configured to stop background elevation.5) Set UAC to a strong, practical level
- Press Win + R, type:
UserAccountControlSettings
Press Enter. - Set the slider to:
- Recommended: Always notify me when apps try to install software or make changes to my computer
(top level) - Balanced (still good): Notify me only when apps try to make changes to my computer (default)
- Recommended: Always notify me when apps try to install software or make changes to my computer
- Click OK and confirm.
Tip: If you’re serious about security (or you install lots of random utilities), use Always notify. It also forces the secure desktop more consistently.
6) Confirm UAC prompts ask for credentials (not just “Yes”)
With a standard daily account, UAC prompts should require you to enter the admin account password when elevation is needed.Test it:
- Sign in with your daily (standard) account.
- Try opening an elevated tool:
- Click Start, type cmd
- Right-click Command Prompt → Run as administrator
- You should see a UAC credential prompt. Enter the credentials for
PC-Maintenance.
If you only see “Yes/No” without needing a password, you’re still running as an administrator. Go back and verify your daily account is Standard.
7) Use “Run as administrator” the safe way (best practice)
When Windows asks for admin:- Read the prompt (app name + verified publisher)
- If it’s unexpected, click No and investigate first
- Installers: download from vendor site, then right-click → Run as administrator only if needed
- Admin tools: open them only when required, then close them after the change
Warning: If UAC appears when you weren’t trying to do anything admin-related (no install, no settings change), treat it as suspicious.
Tips, Notes, and Troubleshooting
Tip: Use Windows Security to reduce prompts without weakening UAC
UAC prompts can feel frequent if you’re constantly installing. A more secure approach is to install less, and use:- Microsoft Store or winget (Windows Package Manager) for reputable sources
- Windows Security → App & browser control → Reputation-based protection (helps block sketchy downloads)
Tip: Keep your admin account “cold”
For your dedicated admin account:- Don’t browse the web
- Don’t read email
- Don’t game or install random apps while signed into it
- Use it only when prompted (enter credentials) or for planned maintenance
Tip: Add recovery options
- Ensure you have a working password reset method (Microsoft account recovery or local security questions)
- Consider creating a password reset disk (local accounts) if you’re prone to forgetting
Troubleshooting: “I can’t change account type” or “Change account type is greyed out”
- Make sure you’re currently signed in with an administrator-capable account (like
PC-Maintenance) - On a work/school PC, policies may restrict changes—contact your administrator
Troubleshooting: UAC prompts don’t appear at all
- Check UAC slider isn’t set to “Never notify”
- Some “tweak tools” disable UAC via registry—avoid those
- Reboot after changing UAC settings to ensure full effect
Troubleshooting: An app fails without admin
That’s often a sign the app is poorly designed or trying to write into protected folders (likeC:\Program Files).- Try installing the app properly (it may need one-time elevation)
- Use per-user install options where available
- Avoid running your whole account as admin “just for one app”
Conclusion
A separate admin account plus properly configured UAC is one of the simplest security upgrades you can make in Windows 10/11. You’ll dramatically reduce the damage malware can do, while still keeping admin access available when you genuinely need it. The workflow change is small—approve fewer things, approve them more intentionally—and the security payoff is huge.Key Takeaways:
- Use a standard account for daily work and a dedicated local admin account for maintenance.
- Keep UAC enabled and set it to a strong notification level (preferably Always notify).
- Treat unexpected UAC prompts as a red flag and verify the app/publisher before approving.
- Disable the built-in Administrator account if it’s enabled, and keep your admin account “cold.”
This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.
