Skip to Main Content

You are here:

Local Administrative Account Policy

Summary

Admin accounts can only be used for temporary elevation of privileges on CSBS Supported machines. The temporary account used to elevate privileges will be provided upon request. Use of this account requires non-interference with CSBS Computing’s Workstation Management Functions.

 

Introduction

CSBS Computing has instituted a login system where you can temporarily gain administrative access to your computer. This login is designed to allow you to make the changes you may need to make on your computer while also maintaining high levels of protection for your computer security. The only distinction between the local administrative account and making a person’s regular account an administrative one is its temporary nature – the local administrative account should only be used when needed. Both Microsoft and Apple state that having individuals use non-administrative accounts as the primary way to log into the computer alleviates most dangers to computer security. This limits the controls in which an invasive program might be able to corrupt the computer. The administrative account is thus designed to give you administrative rights only when you need them.

It is important to note that there are no limits as to what changes can be made to your computer while logged into the administrative account. This means that it is possible to install software, alter settings and much more. Since CSBS Computing provides a number of services to your computers, it is important that several administrative settings are left unchanged. These are listed in the table below. Use of the administrative account must comply with all University and College Policies and Regulations – see Responsibilities below.
It is also worth noting that software and updates can sometimes cause conflicts on computers leading to data corruptions, slow-downs, and system crashes. It is CSBS Computing’s policy to test all software updates for compatibility before installing them on a computer. For this reason, CSBS Computing recommends that the administrative account be a last resort and used with caution.
 

What is a local administrative account?

When you log into your computer with a username and password, you are using a specific account. The type of account determines what privileges you have on the computer, such as whether you can install new software or change system settings.
The local administrative account is a full administrative account local to your workstation/laptop. This differs from your UNID account in that this account can affect system changes such as installing new software.

When to use a local administrative account?

In the event that a task requires the use of elevated privileges and where you cannot obtain assistance from a College Computing Professional, the administrative account can be utilized to elevate privileges.

Why use a local administrative account?

A standard user account restricts the changes you can make to your computer; it also limits what an attacker can do. Executing actions using the administrative account allows processes to run as a full administrator. Granting full administrative access to everyday use accounts is expressly not recommended by Microsoft and Apple.
Security and Best Practices - Microsoft and Apple:

"To help secure your network, assign the least amount of permissions to user accounts that allow users to perform their required tasks. This is known as the principal of least privilege. This reduces the capability and impact of malware if it does run on a user's computer. The principal of least privilege is employed in Windows 7 by restricting non-administrative users to standard user accounts."

https://technet.microsoft.com/en-us/library/dd919180(v=ws.10).aspx 

"An administrator should create a standard user to work in when administrator privileges are not needed. If the security of a standard user is compromised, the potential harm is far more limited than if the user has administrator privileges. "

https://support.apple.com/kb/PH18668?locale=en_US

 

What if I don’t remember my administrative account password?

College computing staff members can provide or reset your administrative account password if needed.

Responsibilities

Use of your local administrative account must comply with all University Policies and Regulations at http://it.utah.edu/policies/ as well as adhere to CSBS Policies and responsibilities.
You must not use the local administrative account to make changes that interfere with the management functions of the workstation or laptop, see table below.

Workstation Management Functions (subject to change):

Management Function Tools/Practices Used for Managed Workstations User Responsibilities

Account Management

Active Directory

Do not create local accounts

Do not grant additional right to other accounts

Do not modify domain membership

Anti-Virus/Malware/Spyware Trend Micro Officescan

Do not install additional/conflicting malware detection software.

Do not uninstall Officescan.

Do not modify or interfere with Officescan’s ability to obtain pattern or software updates.

Change Management Microsoft System Center Configuration Manager, Teamviewer, Scripts Do not uninstall or modify Microsoft Configuration Manager, Teamviewer, or administrative scripts.
Data Backup Network storage (N: drive via samba or Secure File Transfer Protocol), Symantec Ghost, Backblaze

Store, copy, or sync your data to your network storage to ensure backup protection.

Do not install software that prevents access to network storage

Data and Research Security Active Directory, Network Storage, (Bitlocker/PGP if necessary) Do not modify encryption settings
Intrusion Detection/Forensics Eventlog, Trend Micro Officescan Do not disable or empty the system eventlogs
Inventory Management OCS Inventory Do not uninstall or disable OCS Inventory
License Auditing Keyserver, OCS Inventory Do not uninstall or disable Keyserver
License Management Vendor License Servers Do not modify the licensing configuration of the relevant packages (e.g. SPSS).
Network Management Cisco Netowrk Access Control, PacketFence, DHCP

Do not modify the hardware MAC address.

Do not configure static IP addresses (some exceptions allowed for traveling laptops)

OS Security Patching Microsfot System Center Configuration Manager Do not apply Operating System patches unless instructed to do so by CSBS Computing
Power Management Verdiem Surveyor PC, VPro

Do not modify desktop power profiles (laptop power profiles can be changed)

Do not uninstall Verdiem Surveyor.

Printing Central Print Servers
Updates/Modifications to printer drivers should be done by Computing staff members. Some user modification is allowed but should be done with caution as to not disrupt network printing.
Remote Support Teamviewer Do not uninstall Teamviewer
Security Management (e.g. prevent skype supernode, workstation firewalls, workstation authentication, etc.) Active Directory (Group Policies), Microsoft Certificate Authority, Scripts

Do not remove domain managed certificates.

Do not modify domain membership.

Software Deployment Microsoft System Center Configuration Manager Manually updating managed software packages can cause corruption. Do not upgrade/update existing software packages without checking with CSBS Computing for potential conflicts.
Software Security Patching Microsoft System Center Configuration Manager Manually updating managed software packages can cause corruption. Do not upgrade/update existing software packages without checking with CSBS Computing for potential conflicts.

 

Admin Account Use

Windows 7/10 instructions

  1. Log into your computer using your UNID (e.g. u0173261).
  2. Right-click the program or task that you want to run with elevated privileges, select “Run as Administrator”
  1.  
  2. If “Run as administrator” is not available, simply run the program like normal. It should prompt you for administrative credentials if necessary.
  1. Select “Use another account”.

 

  1. Enter the local administrative account username (provided when you request this account type).
  2. Must include the ‘.\’ before the name of the local administrative account.
  3. Enter your local administrative account password.
  1. Continue through the prompts of the program.
  2. Finished.

 

Mac Instructions

  1. Log into your computer using your UNID.
  2. Click to run the program or task you want to run.
  3. When prompted for an administrator’s username and password:

 

  1. Enter the username for the local administrative account (provided when you request this account type)..
  2. Enter the password for the account
    1. Local administrative account credentials are provided by CSBS Computing.
  1. Click OK and continue with the prompts

 

Last Updated: 10/13/16