Sad Windows sysadmin

Why You (unfortunately) need a Local Administrator account on Windows 🙃


This article explains why having a local (non-AD) user account with administrator user rights on Windows is a must.

I know, I know – this is horrible design from a security perspective. You shouldn't use local accounts in the first place, let alone ones with unlimited admin powers! Microsoft has been trying to stop users from creating local accounts on their machines for years now, and in theory, for understandable reasons.

But Microsoft is as Microsoft does, and due to their architectural decisions, should you want a machine you can actually recover, you need to make some compromises with regard to security.

So let's get to it, shall we?

Background

Certain options in the Windows Recovery Environment (WinRE) prompt for an administrator sign-in before they run, and only a local administrator account (not a domain or Entra ID account) is accepted there. Here are the key ones, and why each asks:

  1. System Restore: reverts the system to an earlier restore point. Rolling back system files and the registry is a significant change to the installed Windows, so WinRE first checks that you are an administrator of it.
  2. Startup Repair: attempts to fix issues that prevent Windows from starting correctly. The repair can modify boot configuration, system files and settings, so it is gated behind the same administrator sign-in.
  3. Command Prompt: a shell in the recovery environment gives unrestricted access to the offline system (disk, registry hives, files), so WinRE will not hand it out without an administrator sign-in.
  4. System Image Recovery: restores the computer from a system image you created earlier, overwriting the current system state. Again, only an administrator of the installed Windows is allowed to do that.

All four come down to the same requirement: WinRE has to confirm that whoever is at the keyboard is an administrator of the installed Windows, and it can only check that offline, against the local account database, which is why a domain or cloud account is no use there. Perhaps understandably so, as I assume connecting to a Domain Controller or a Cloud Identity Provider might be tricky when you're in the Windows Startup Recovery screen after a string of BSODs.

Solution

In short: if you either trust Microsoft to never break your computer, or you trust your ability to always recover everything from backups, you're good to go. You won't need a local account – heck, you won't need admin credentials at all! And you're probably better off without them anyway.

But if you happen to use apps that are trickier to back up and have had your computers bricked by Microsoft (my "daily driver bricked by Windows Update" count is now at 3 – for Windows 8 and later), then you will need a way to use the recovery tools in Windows – System Restore, Startup Repair, Recover from Image and such.

So, to make that compromise, here's how to create a new local user account with unlimited admin powers and set a complex password. Please store that password in a safe somewhere, or perhaps a password manager (should you find one that can't be hacked in 5 minutes).

# Name of the break-glass local administrator account
$Username = "LocalUser"
# Prompt for the password interactively, so it never ends up in shell history or in a script file
$Password = Read-Host -AsSecureString -Prompt "Password for $Username"
# Create the local (non-domain) account
$u = New-LocalUser -Name $Username -Password $Password -FullName "Local User" -Description "Local admin user needed for Microsoft reasons"
# Grant it full administrator rights by adding it to the built-in Administrators group
Add-LocalGroupMember -Group "Administrators" -Member $u
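Before relying on that account, it is worth checking that the machine really has one WinRE would accept: an enabled, password-protected member of Administrators that lives in the local account database rather than in a domain or Entra ID. The audit below is an added example for this post, not the original code above; it assumes the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10/11 and looks the Administrators group up by its well-known SID S-1-5-32-544 rather than by name.

```powershell
# Added audit (not part of the original post): list the accounts WinRE could actually accept.
# WinRE runs offline and checks credentials against the installed Windows' local SAM,
# so only enabled, password-protected *local* members of Administrators count.
# Domain or Entra ID members of the group show up here but cannot sign in offline.
# The group is looked up by its well-known SID so the check also works on
# non-English Windows, where "Administrators" is localized.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$usable = foreach ($m in $members) {
    # Skip nested groups and anything not backed by the local account database
    if ($m.ObjectClass -ne 'User' -or $m.PrincipalSource -ne 'Local') { continue }
    # Member names come back as COMPUTER\user; Get-LocalUser wants the bare name
    $name = $m.Name.Split('\')[-1]
    $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    # The built-in Administrator (RID 500) is disabled by default, so 'Enabled' matters.
    # Insisting on a password is a sanity check: a passwordless admin is no break-glass account.
    if ($u -and $u.Enabled -and $u.PasswordRequired) { $u }
}

if ($usable) {
    "Local administrator accounts usable from the recovery environment:"
    # PasswordExpires is empty when the password is set to never expire;
    # a break-glass account with an expiring password is a surprise waiting to happen.
    $usable | Format-Table Name, Enabled, PasswordLastSet, PasswordExpires -AutoSize
} else {
    Write-Warning "No enabled, password-protected local administrator account exists. Recovery tools that require an administrator sign-in will not be usable."
}
```

Run it from an elevated PowerShell prompt. If the account you just created shows a PasswordExpires date, consider `Set-LocalUser -Name LocalUser -PasswordNeverExpires $true`, otherwise the day you need the account may be the day its password has expired.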

And that's it. Off to the sunset you ride with your newfound admin powers!

References

  • https://pureinfotech.com/create-local-administrator-account-windows-11/
  • https://superuser.com/questions/1120601/windows-10-recovery-without-local-administrator
  • https://answers.microsoft.com/en-us/windows/forum/all/recovery-mode-says-no-administrator-account/f942bb11-ae89-490e-acc1-381ac212ea99