Sad Windows sysadmin

Why You (unfortunately) need a Local Administrator account on Windows 🙃

This post was most recently updated on August 30th, 2024.


This article explains why having a local (non-AD) user account with administrator user rights on Windows is a must.

I know, I know – this is horrible design from a security perspective. You shouldn’t use local accounts in the first place, let alone ones with unlimited admin powers! Microsoft has been trying to stop users from creating local accounts on their machines for years now, and in theory, for understandable reasons.

But Microsoft is as Microsoft does, and due to their architectural decisions, should you want a functional machine, you need to make some compromises on security.

So let’s get to it, shall we?

Background

Certain Windows recovery options specifically require a local administrator account (not a domain account) to function properly. Here are a few key ones, and the reasons why:

  1. System Restore: This option allows you to revert your system to a previous state. It requires a local admin account to ensure that the user has the necessary permissions to make significant changes to the system.
  2. Startup Repair: This tool attempts to fix issues that prevent Windows from starting correctly. A local admin account is needed to access and execute the repair processes, as these can involve modifying system files and settings.
  3. Command Prompt: Accessing the Command Prompt from the recovery environment requires a local admin account because it allows you to execute powerful system commands that can alter the system configuration.
  4. System Image Recovery: This option lets you restore your computer using a system image you created earlier. Admin privileges are needed to perform this recovery to ensure that the user has the authority to overwrite the current system state.

These recovery options require a local admin account for different reasons, ensuring that only authorized users can make significant changes to the system. Perhaps understandably so, as I assume connecting to a Domain Controller or a Cloud Identity Provider might be tricky when you’re in the Windows Startup Recovery screen after a string of BSODs.

Solution

In short: if you either (1) trust Microsoft to never break your computer, or (2) trust your ability to always recover everything from backups, you’re good to go. You won’t need a local account – heck, you won’t need admin credentials at all! And you’re probably better off without them anyway. *

But if you happen to use apps that are trickier to back up and have had your computers bricked by Microsoft (my “daily driver bricked by Windows Update” count is now at 3 – for Windows 8 and later), then you will need a way to use the recovery tools in Windows – System Restore, Startup Repair, Recover from Image and such.

So, to make that compromise, here’s how to create a new local user account with unlimited admin powers and set a complex password. Please store that password in a safe somewhere, or perhaps a password manager (should you find one that can’t be hacked in 5 minutes).

# Name of the break-glass account; adjust to your naming convention
$Username = "LocalUser"
# Prompt for the password interactively so it never ends up in shell history or a script file
$Password = Read-Host -Prompt "Password for $Username" -AsSecureString
# Create the account (New-LocalUser requires a SecureString for -Password)
$u = New-LocalUser -Name $Username -Password $Password -FullName "Local User" -Description "Local admin user needed for Microsoft reasons"
# Grant full admin rights by adding it to the built-in Administrators group
Add-LocalGroupMember -Group "Administrators" -Member $u

And that’s it. Off to the sunset you ride with your newfound admin powers!
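As an added example (not part of the original post), here is the flip side of creating that account: a PowerShell audit of who currently sits in the local Administrators group, flagging enabled local accounts other than the built-in Administrator so the break-glass account stays a known quantity rather than a forgotten one. It assumes Windows 10/11 with the Microsoft.PowerShell.LocalAccounts module; the function name Get-LocalAdminReport is my own.

```powershell
# Added audit example (not from the original post). Assumes Windows 10/11
# PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module.

function Get-LocalAdminReport {
    $members = Get-LocalGroupMember -Group "Administrators"

    foreach ($m in $members) {
        $enabled    = $null
        $lastLogon  = $null
        $pwdExpires = $null

        # PrincipalSource is 'Local' for SAM accounts; domain, Entra ID and
        # Microsoft accounts report other values and are listed as-is.
        if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
            # Member names come back as COMPUTERNAME\user; Get-LocalUser wants the bare name
            $bare = $m.Name.Split('\')[-1]
            $u = Get-LocalUser -Name $bare -ErrorAction SilentlyContinue
            if ($u) {
                $enabled    = $u.Enabled
                $lastLogon  = $u.LastLogon
                $pwdExpires = $u.PasswordExpires
            }
        }

        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            # Built-in Administrator accounts always carry RID 500
            IsBuiltIn       = $m.SID.Value -like '*-500'
            Enabled         = $enabled
            PasswordExpires = $pwdExpires
            LastLogon       = $lastLogon
        }
    }
}

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

# Enabled local admin accounts other than the built-in one: each should be a
# deliberate break-glass account whose password is stored somewhere safe.
$breakGlass = $report | Where-Object { $_.PrincipalSource -eq 'Local' -and $_.Enabled -and -not $_.IsBuiltIn }
if ($breakGlass) {
    Write-Warning ("Enabled local admin accounts: " + ($breakGlass.Name -join ', '))
} else {
    Write-Host "No enabled local admin accounts besides the built-in Administrator."
}
```

Run it elevated after creating the account above: the new user should appear with PrincipalSource Local, Enabled True and IsBuiltIn False, and anything else on that warning line deserves a second look.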

Footnotes

* : Most of us would be. If we just somehow could get there.
