ARCHIVED: In Windows, what are administrators and administrative rights?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.
Security of Information Technology Resources (IT-12) requires that you normally refrain from running your Windows computer as an administrator. For more, see About the principle of least privilege.

On a computer, an administrator is a local account or a local security group that has complete and unrestricted access to create, delete, and modify files, folders, and settings on that computer. This is in contrast to other types of user accounts that have only been granted specific permissions and levels of access. An administrator account is used to make system-wide changes to the computer, such as:

  • Creating or deleting user accounts on the computer
  • Creating account passwords for other users on the computer
  • Changing others' account names, pictures, passwords, and types

Administrative rights are permissions granted by administrators to users which allow them to create, delete, and modify items and settings.

Without administrative rights, you cannot perform many system modifications, such as installing software or changing network settings. It is important that you know the administrative password to your computer; otherwise, you won't have the ability to modify files and settings, install programs, or fix problems.

Windows NT, 2000, and XP

In Windows NT, 2000, and XP, the account named "Administrator" has all possible rights, as does everyone in the Administrator local security group. Normal users have some minor administrative rights, e.g., they can modify anything in their home directories, but rights that affect the computer as a whole are normally withheld. (Earlier versions of Windows have no privileged or unprivileged accounts; any user can modify anything on the computer.)

Computer administrators cannot change computer administrator accounts to a less-privileged type unless there is at least one other user with a computer administrator account type on that computer. This ensures that there is always at least one user with administrative rights.

Ideally, the computer administrator account should only be used to:

  • Install, upgrade, repair, or back up the operating system and components
  • Install service packs (SPs)
  • Configure critical operating system parameters (e.g., password policy, access control, audit policy, kernel mode driver configuration)
  • Take ownership of files that have become inaccessible

This is document army in the Knowledge Base.
Last modified on 2018-01-18 15:16:57.