Admin accounts can only be used for temporary elevation of privileges on CSBS Supported machines. The temporary account used to elevate privileges will be provided upon request. Use of this account requires non-interference with CSBS Computing’s Workstation Management Functions.
CSBS Computing has instituted a login system where you can temporarily gain administrative access to your computer. This login is designed to allow you to make the changes you may need to make on your computer while also maintaining high levels of protection for your computer security. The only distinction between the local administrative account and making a person’s regular account an administrative one is its temporary nature – the local administrative account should only be used when needed. Both Microsoft and Apple state that having individuals use non-administrative accounts as the primary way to log into the computer alleviates most dangers to computer security. This limits the controls in which an invasive program might be able to corrupt the computer. The administrative account is thus designed to give you administrative rights only when you need them.
It is important to note that there are no limits as to what changes can be made to
your computer while logged into the administrative account. This means that it is
possible to install software, alter settings and much more. Since CSBS Computing provides
a number of services to your computers, it is important that several administrative
settings are left unchanged. These are listed in the table below. Use of the administrative
account must comply with all University and College Policies and Regulations – see
It is also worth noting that software and updates can sometimes cause conflicts on computers leading to data corruptions, slow-downs, and system crashes. It is CSBS Computing’s policy to test all software updates for compatibility before installing them on a computer. For this reason, CSBS Computing recommends that the administrative account be a last resort and used with caution.
What is a local administrative account?
When you log into your computer with a username and password, you are using a specific
account. The type of account determines what privileges you have on the computer,
such as whether you can install new software or change system settings.
The local administrative account is a full administrative account local to your workstation/laptop. This differs from your UNID account in that this account can affect system changes such as installing new software.
When to use a local administrative account?
In the event that a task requires the use of elevated privileges and where you cannot obtain assistance from a College Computing Professional, the administrative account can be utilized to elevate privileges.
Why use a local administrative account?
A standard user account restricts the changes you can make to your computer; it also
limits what an attacker can do. Executing actions using the administrative account
allows processes to run as a full administrator. Granting full administrative access
to everyday use accounts is expressly not recommended by Microsoft and Apple.
Security and Best Practices - Microsoft and Apple:
"To help secure your network, assign the least amount of permissions to user accounts that allow users to perform their required tasks. This is known as the principal of least privilege. This reduces the capability and impact of malware if it does run on a user's computer. The principal of least privilege is employed in Windows 7 by restricting non-administrative users to standard user accounts."
"An administrator should create a standard user to work in when administrator privileges are not needed. If the security of a standard user is compromised, the potential harm is far more limited than if the user has administrator privileges. "
What if I don’t remember my administrative account password?
College computing staff members can provide or reset your administrative account password if needed.
Use of your local administrative account must comply with all University Policies
and Regulations at http://it.utah.edu/policies/ as well as adhere to CSBS Policies and responsibilities.
You must not use the local administrative account to make changes that interfere with the management functions of the workstation or laptop, see table below.
Workstation Management Functions (subject to change):
|Management Function||Tools/Practices Used for Managed Workstations||User Responsibilities|
Do not create local accounts
Do not grant additional right to other accounts
Do not modify domain membership
|Anti-Virus/Malware/Spyware||Trend Micro Officescan||
Do not install additional/conflicting malware detection software.
Do not uninstall Officescan.
Do not modify or interfere with Officescan’s ability to obtain pattern or software updates.
|Change Management||Microsoft System Center Configuration Manager, Teamviewer, Scripts||Do not uninstall or modify Microsoft Configuration Manager, Teamviewer, or administrative scripts.|
|Data Backup||Network storage (N: drive via samba or Secure File Transfer Protocol), Symantec Ghost, Backblaze||
Store, copy, or sync your data to your network storage to ensure backup protection.
Do not install software that prevents access to network storage
|Data and Research Security||Active Directory, Network Storage, (Bitlocker/PGP if necessary)||Do not modify encryption settings|
|Intrusion Detection/Forensics||Eventlog, Trend Micro Officescan||Do not disable or empty the system eventlogs|
|Inventory Management||OCS Inventory||Do not uninstall or disable OCS Inventory|
|License Auditing||Keyserver, OCS Inventory||Do not uninstall or disable Keyserver|
|License Management||Vendor License Servers||Do not modify the licensing configuration of the relevant packages (e.g. SPSS).|
|Network Management||Cisco Netowrk Access Control, PacketFence, DHCP||
Do not modify the hardware MAC address.
Do not configure static IP addresses (some exceptions allowed for traveling laptops)
|OS Security Patching||Microsfot System Center Configuration Manager||Do not apply Operating System patches unless instructed to do so by CSBS Computing|
|Power Management||Verdiem Surveyor PC, VPro||
Do not modify desktop power profiles (laptop power profiles can be changed)
Do not uninstall Verdiem Surveyor.
|Printing||Central Print Servers||
Updates/Modifications to printer drivers should be done by Computing staff members. Some user modification is allowed but should be done with caution as to not disrupt network printing.
|Remote Support||Teamviewer||Do not uninstall Teamviewer|
|Security Management (e.g. prevent skype supernode, workstation firewalls, workstation authentication, etc.)||Active Directory (Group Policies), Microsoft Certificate Authority, Scripts||
Do not remove domain managed certificates.
Do not modify domain membership.
|Software Deployment||Microsoft System Center Configuration Manager||Manually updating managed software packages can cause corruption. Do not upgrade/update existing software packages without checking with CSBS Computing for potential conflicts.|
|Software Security Patching||Microsoft System Center Configuration Manager||Manually updating managed software packages can cause corruption. Do not upgrade/update existing software packages without checking with CSBS Computing for potential conflicts.|
Admin Account Use
Windows 7/10 instructions
- Log into your computer using your UNID (e.g. u0173261).
- Right-click the program or task that you want to run with elevated privileges, select “Run as Administrator”
- If “Run as administrator” is not available, simply run the program like normal. It should prompt you for administrative credentials if necessary.
- Select “Use another account”.
- Enter the local administrative account username (provided when you request this account type).
- Must include the ‘.\’ before the name of the local administrative account.
- Enter your local administrative account password.
- Continue through the prompts of the program.
- Log into your computer using your UNID.
- Click to run the program or task you want to run.
- When prompted for an administrator’s username and password:
- Enter the username for the local administrative account (provided when you request this account type)..
- Enter the password for the account
- Local administrative account credentials are provided by CSBS Computing.
- Click OK and continue with the prompts