Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Best Practices for User Account Type and UAC?

17 Jan 2015   #1

7 64
Best Practices for User Account Type and UAC?

I feel the amount of reading I've done on these two (acct types & UAC) is disproportionate to the understanding I've gained regarding best practices.

Does anyone have a good, distilled recommendation or link?

My System SpecsSystem Spec
17 Jan 2015   #2

Windows 7 Enterprise 64bit

My System SpecsSystem Spec
17 Jan 2015   #3

7 64

I don't consider myself to be a dumb person, but i seriously need the super-simplified version on this issue. It just seems way too convoluted. MS's interpretation just made it worse, and I don't trust their recommendations.

I need super-distilled (but not the version as if I was mildly-retarded). Anyone?
My System SpecsSystem Spec

17 Jan 2015   #4

64-bit Windows 10 Pro

Hello iron7,

It all really depends on your needs and environment for what may be best for you.

I like to keep by UAC settings at "Always notify" (top level), and I use a password protected administrator account (not the built-in elevated Administrator account) for everyday usage.
My System SpecsSystem Spec
17 Jan 2015   #5
Lady Fitzgerald

Win 7 Ultimate 64 bit

I agree with Brink on where to set UAC; I also keep my UAC settings at the top level. Having to click on "Yes" on the little pop-up every time is a pain in the...neck but the safety it affords is well worth that comparatively minor annoyance.

The purpose behind UAC is to notify you when you, someone else, or a program tries to start a program. That way, if a hacker takes control of your computer or a virus gets on it, neither can start up any of your programs without your approval. It's another layer of protection for your computer.
My System SpecsSystem Spec
17 Jan 2015   #6

Windows 7 Ultimate x64

Besides keeping it at the highest level always, another important tip is to always use a standard account instead of the bad-practice administrator account that Windows always creates by default.
My normal installation is to create two user accounts, one admin and the other standard. I always login and use the standard, and in case of a program that legitimally requires full admin access I can simply fill the UAC prompt with the user/password of the admin account. That makes a clear separation of admin/non-admin and is far more secure that the default Windows configuration.

Another tip I like it to fine tune the UAC options using the local policy applet that MS hides by default (and only available in professional and higher editions). That provides a lot more options than that slider everyone knows, which is in fact eye candy to 4 sets of preconfigured settings.
This link shows how to access the real UAC settings: Use Local Security Policy to customize UAC behavior

A more complete set of recommendations is also available here: User Account Control in Windows 7 Best Practices

Note that most options you can change imply a compromise between security and convenience. Making the system more safe most times make it a little more difficult to use, and making it easy to use sacrifises security in some way. It's important to know that the default, clean install that MS ships favors convenience over security in many aspects (that's why Windows tends to be insecure by default). You need to decide whether you like one or the other, and balance your choices accordingly.
My System SpecsSystem Spec
17 Jan 2015   #7

7 64

I finally found something related to UAC that I can identify with:

UAC, UAC, go away, come again some other day

I was reading Mark Russinovich’s latest UAC article and Long Zheng’s latest scribblings and… developed quite the headache. Honestly, I’m tired of trying to sort out what UAC really is and don’t care anymore. UAC has become this gigantic undocumented blob of an idea that is explained (differently) on-demand every single time, to fit some marketing agenda du jour, and I’m sick of it. Mark jumps up and down about how UAC isn’t a security boundary and how we’re stupid for thinking such, yet Microsoft’s own sites pitch otherwise. Whatever, guys.

Here’s my million dollar question: If UAC wasn’t designed to ultimately protect us from anything, why does its icon resemble a damn shield?

UAC, UAC, go away, come again some other day ‚

I'll take a stab here. Run as std user with no UAC is the most secure/least annoying setup for everyday use (i.e. not tweaking system settings, or adding dropping apps and the like)
My System SpecsSystem Spec
17 Jan 2015   #8
Microsoft MVP


If MS really thought it waa important to run a Standard Account, then it wouldn't issue an Admin account during install to the assumed owner.

Running under Standard Acct is unnecessary if you keep UAC set to Always Notify, which is important to be notified if something tries to makes changes to your PC while you remain unaware.

The only difference is that if you operate under a Standard Account, you will be prompted before making changes to insert the Admin password, which is unnecessary inconvenience compared to simply being notified with the UAC prompt that something wishes to make changes.
My System SpecsSystem Spec
18 Jan 2015   #9
Lady Fitzgerald

Win 7 Ultimate 64 bit

Quote   Quote: Originally Posted by iron7 View Post
...Hereís my million dollar question: If UAC wasnít designed to ultimately protect us from anything, why does its icon resemble a damn shield?...
UAC does protect you. Go back and read my previous post.
My System SpecsSystem Spec
18 Jan 2015   #10

7 64

Thanks Greg.

Well, it seems for users who know what they're doing on windows, running as admin with UAC maxed makes sense as it's less annoying and provides protection from malware running wild. (as I understand, the main difference between admin and std user, both with UAC maxed, is that w/ admin no pass is required for the same events)

Now the second possible circumstance: users who don't know what they're doing...

I read somewhere that some obscene percentage of users mindlessly click "okay" when prompted with UAC windows. For the Windows novice, it seems best practice would be to run standard accounts with UAC maxed, and explain that the password should never be entered unless they are attempting to remove or install software they trust (at least this would probably work well for the novice users I have in mind, who aren't doing much more than surfing and using MS office or Acrobat).

Perhaps the least annoying solution, for the most advanced users, would be to have admin account(s) with UAC off, and to have internet-facing apps launch without Admin priv. by default (perhaps using dropmyrights?)

My System SpecsSystem Spec

 Best Practices for User Account Type and UAC?

Thread Tools

Similar help and support threads
Thread Forum
User Account Type - Change
How to Change a User Account Type in Windows 7 This will show you how to change a already created user account to be either a guest, standard user, or administrator type in Windows 7. Guests - A guest account allows people to have temporary access to your computer. People using the guest...
Change user account type from System Recovery
Hello, thanks for looking, I have a Windows 7 Home Premium 64 laptop with a single user on it. This user recently got changed to a guest account type from admin account type and I can't fix it. I have read all the guides to "enable hidden administrator account" using "net user...
Backup and Restore
Account type: Standard user
hello, I have created a standard user. my requirements: 1. standard user can install programs, which is saved for future uses (i have seen pcs where the programs are deleted/uninstalled as soon as the user log out) 2. standard user CANNOT re-install windows by inserting a windows disc...
General Discussion
Change Account Type button is not enabled even as administrator user
Friends, i have windows 7 x64 in my dell precision notebook. i have administrator user and tommy user. tommy user is in admin group. but not able to execute any program but its account type is standard. then i logged in as administrator and went to UAC there i try to change the account type...
General Discussion
Best Practices for Creating a Secure Guest Account
Best Practices for Creating a Secure Guest Account In some environments, you might need to set...
General Discussion

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 07:46.
Twitter Facebook Google+