You are here: FAQs > Windows user account privileges

Wizcrafts Computer Services

Specializing in Computer Networking, Security and Troubleshooting

User Account Privileges Explained:

In Windows operating systems NT, 2000, XP, Vista, 7, Windows Server 2003 and Microsoft operating systems to come, there are certain class privileges or restrictions that the operating system imposes on the logged-in user, depending on how the computer is configured.

  1. Computer Administrator, or Administrators Group accounts allow full unrestricted control over all computer functions including updating the operating system, adding/removing hardware and drivers, software installation, upgrading, or removal, viewing, altering, creating or deleting of other user accounts, establishing passwords and priviliges for other users, backing up files and folders and restoring backups to fix a corrupted system.
  2. Power Users have less privileges than Administrators and may be able to install, update and modify some programs, but cannot do anything that overwrites or deletes any files critical to the operating system; ie: cannot run Windows Update. (More details about Power Users)
  3. Standard Users are a new class of Windows Vista and 7 users that have similar privileges to W2k/XP Power Users, but can elevate to Administrator when needed, without logging off, or switching users. More info
  4. Users, or Limited Users have limited priviliges. They can run already installed programs, create and files and folders, then delete them, manage their own password, upgrade programs that do not impact operating system files, surf the Net and create email accounts in Outlook or Outlook Express to send and receive e-mail. They cannot run Windows Update, or apply manual program updates to some security programs, nor can they run Windows Defragmenter.
  5. Guests have the least privileges of all users. They can run games and programs, read and send browser-based email and surf the Internet.

All of these classes, except for "Standard User," are available under Windows NT 4, 2000, Server 2003 and XP Professional. Only the Administrator and User groups are available under XP Home Edition. XP Home labels these accounts as "Computer Administrator" and "Limited User."

Windows Vista and Windows 7 Standard Users

Until the development of Windows Vista, there was no built-in method within the Windows operating system for a user to “elevate” seamlessly from a standard user account to an administrator account without logging off, switching users, or using Run as. As a result, most people running XP continue to browse the Web and read e-mail as an administrator, which puts them at greater risk of hostile takeover from malware than less privileged users.

Beginning with Windows Vista, and continuing with Windows 7, a new user group was created, named "Standard User." A "Standard User" is almost the same thing as a "Power User" from the previous operating systems, but with the ability to do more things than a Power User could do and some new limitations. They can install most programs that are properly written to not require administrator rights. They can also use a new right-click option to "Run as Administrator" - when installing software requiring access to the system directories or Local Machine Branch of the Windows Registry. (More details about Power Users)

In Windows Vista there are two types of user accounts: Standard User accounts and Administrator accounts. Standard Users are equivalent to the Power User account in previous versions of Windows. Standard users have limited administrative privileges and user rights, such as they cannot install or uninstall applications that install into %systemroot%, change system settings, or perform other administrative tasks. However, standard users can perform these tasks if they are able to provide valid administrative credentials when prompted by a Windows UAC prompt box (the pop-up challenge box that so many people seem to hate).

With UAC enabled, Windows Vista and 7 either prompts for user consent or for credentials for a valid administrator account before launching a program or task that requires a full administrator privileges. This prompt ensures that no malicious application can silently install itself without the user's knowledge. However, a Standard user can still be tricked into allowing malware to be installed, if the program is a Trojan Horse pretending to be something useful instead (e.g. Flash update, required Codec, etc).

The damage that any Worm or exploit can do to your computer's operating system is directly related to the privileges granted to you when you logon. If you are logged on as an Administrator you can have total havoc wreaked upon your computer by a hostile program, or an unpatched exploit. On the other hand, if you logon as a plain User, only minimal damage will be done by the same threat (but damage nonetheless). In fact, many common spyware threats cannot install into a limited user account because they usually attempt to hide as rootkits, or as system files and services. This activity is not permitted for a limited user account.

If you want to restrict the damage that can be done to your computer by Worms, Trojans, Viruses or exploits, create a (Limited) User account for your everyday browsing, then use the Windows 2000 and XP "Run As" command to run as an Administrator for Windows Updates, or to install or update programs that require Administrator privileges.

Alternately, rather than creating a new Limited User (User) account for your daily browsing, you could create a new Computer Administrator level account, with a password. Log off your current default account and onto the new Administrator level account, using the password you chose when you created the account. Click on the Start Button (then on Settings in Windows 2000), then on Control Panel. When Control Panel opens double-click on User Accounts. Find your other default account name and double-click to open it. Change the account Type from (Computer) Administrator to (Limited) User, click on Apply, then OK. Exit the User Accounts and Control Panel, log off the Administrator level account and onto your other account. You will now be running with reduced user privileges, protecting your computer against most viruses, backdoors, rootkits, keyloggers, browser hijackers and spyware infections.

The Run As command is available as a right-click option for executable files under Windows 2000, XP and newer systems. To use it you would simply click the right mouse button on the setup or install file and left click on the "Run as" option. If "Run as" does not automatically appear as a right-click option, first hold the Shift key while you right click on the file. This will force the "Run as" command to appear.

When you click on the Run as option a small dialog box will appear asking you "Which user account do you wish to use to run this program?" Click on the bottom radio option labeled "The following user:" The default selection "Administrator" will be highlighted in the User input field. If you have another administrator level account it will also appear as a flyout option using the button on the right side of the input field. After you choose which "administrator" account to use you must type the password for that account in the Password field. Please note that in XP Professional you cannot use the secondary logon service (RunAs) to start a program as a local user with a blank password.

I have published more details about how running with limited user privileges protects you against malware infections, in this blog entry.

More details about the Power Users' privileges:

The Power Users group primarily provides backward compatibility for running non-certified applications. The default permissions that are allotted to this group allow this group's members to modify computerwide settings. If non-certified applications must be supported, then end users will need to be part of the Power Users group.

Members of the Power Users group have more permissions than members of the Users group and fewer than members of the Administrators group. Power Users can perform any operating system task except tasks reserved for the Administrators group. The default Windows 2000 and Windows XP Professional security settings for Power Users are very similar to the default security settings for Users in Windows NT 4.0. Any program that a user can run in Windows NT 4.0, a Power User can run in Windows 2000 or Windows XP Professional.

Power Users can:

Power Users do not have permission to add themselves to the Administrators group. Power Users do not have access to the data of other users on an NTFS volume, unless those users grant them permission.

Since Power Users can install or modify programs, running as a Power User when connected to the Internet could possibly make the system vulnerable to certain Trojan horse programs and other security risks. Therefore, Power Users should always maintain up-to-date anti-virus and anti-spyware protection and a software firewall, to further protect their user accounts.

Back to our main FAQs page

(back to top)