This article explains why having a local (non-AD) user account with administrator user rights on Windows is a must.
I know, I know ā this is horrible design from security perspective. You shouldnāt use local accounts in the first place, let alone ones with unlimited admin powers! Microsoft has been trying to stop users from creating local accounts on their machines for years now, and in theory, for understandable reasons.
But Microsoft is as Microsoft does, and due to their architectural decisions, should you want to have a functional machine you need to make some compromises in regards to security.
So letās get to it, shall we?
Background
Certain Windows recovery options specifically require a local administrator account (not a domain account) to function properly. Here are a few key ones, and the reasons why:
- System Restore: This option allows you to revert your system to a previous state.Ā It requires a local admin account to ensure that the user has the necessary permissions to make significant changes to the system
- Startup Repair: This tool attempts to fix issues that prevent Windows from starting correctly.Ā A local admin account is needed to access and execute the repair processes, as these can involve modifying system files and settings
- Command Prompt: Accessing the Command Prompt from the recovery environment requires a local admin account because it allows you to execute powerful system commands that can alter the system configuration
- System Image Recovery: This option lets you restore your computer using a system image you created earlier.Ā Admin privileges are needed to perform this recovery to ensure that the user has the authority to overwrite the current system state
These recovery options require a local admin account for different reasons, ensuring that only authorized users can make significant changes to the system. Perhaps understandably so, as I assume connecting to a Domain Controller or a Cloud Identity Provider might be tricky when youāre in the Windows Startup Recovery screen after a string of BSODs.
Solution
In short: if you either trust Microsoft to never break your computer, or you trust your ability to always recover everything from backups, youāre good to go. You wonāt need a local account ā heck, you wonāt need admin credentials at all! And youāre probably better off without them anyway.
But if you happen to use apps that are trickier to back up and have had your computers bricked by Microsoft (my ādaily driver bricked by Windows Updateā count is now at 3 ā for Windows 8 and later), then you will need a way to use the recovery tools in Windows ā System Restore, Startup Repair, Recover from Image and such.
So, to make that compromise, hereās how to create a new local user account with unlimited admin powers and set a complex password. Please store that password in a safe somewhere, or perhaps a password manager (should you find one that canāt be hacked in 5 minutes).
$Username = "LocalUser"
$Password = Read-Host -AsSecureString
$u = New-LocalUser $Username -Password $Password -FullName "Local User" -Description "Local admin user needed for Microsoft reasons"
Add-LocalGroupMember -Group "Administrators" -Member $u
And thatās it. Off to the sunset you ride with your newfound admin powers!
References
- https://pureinfotech.com/create-local-administrator-account-windows-11/
- https://superuser.com/questions/1120601/windows-10-recovery-without-local-administrator
- https://answers.microsoft.com/en-us/windows/forum/all/recovery-mode-says-no-administrator-account/f942bb11-ae89-490e-acc1-381ac212ea99
- āDestination Path Too Longā when copying files in File Explorer? Easy workaround(s)! - August 27, 2024
- Where does NetSpot (wifi heatmapping tool) store its project files? - August 20, 2024
- How to fix Bitlocker failing to activate? - August 13, 2024