Administrator account is just like any other standard user account, but with higher (unrestricted) privileges. When a user account is created in an operating system, by default the operating system adds it to Users group which provides the account least privileges, and because of which the account is referred to as a Standard User account. Once the user account is created, the administrator of the computer must add the account to the Administrators group in order to grant it administrative privileges.
Since an administrator account has unrestricted privileges on the computer, by default the built-in Administrator account in Microsoft Windows Vista and Windows 7 operating systems is kept disabled. It is strongly recommended that the built-in Administrator account must not be enabled whatsoever. The reason behind this is that the built-in Administrator account has complete unrestricted privileges and the User Account Control is by default disabled for it. Because of this, if the administrator tries to perform any elevated task, no User Account Control confirmation box is displayed. This makes the operating system highly vulnerable to risks as the malicious applications and unwanted scripts can automatically get installed on the computer without coming into the notice of the administrator.
Access Tokens for Administrator and Non-Administrator Accounts
In pre-Windows Vista operating systems, for example Microsoft Windows XP, Administrator accounts had single access tokens that granted the accounts the administrative privileges. In these operating systems, standard user accounts also had single access tokens that granted them restricted privileges which allowed the logged on users to perform non-administrative tasks only.
With the release of Microsoft Windows Vista, User Account Control feature was introduced which is now carried forward to all the latest Microsoft operating systems. Because of User Account Control, the user account that belongs to Administrators group is provided with two access tokens. One access token grants the account restricted privileges and this access token is normally used when the administrator performs any non-administrative task on the operating system. When the administrator tries to perform any administrative task, the operating requests the user account to use the access token with administrative privileges, which the administrator must provide to the operating system. Because of this background process, while performing administrative tasks on Windows Vista and above operating systems, administrators are prompted by User Account Control confirmation boxes on which they must click Yes button in order to allow the operating system to use the access token with administrative privileges to accomplish the elevated task.
As a default configuration, when User Account Control confirmation box is displayed to the account that has elevated privileges, the box just requires the approval through the confirmation box and it does not require the password. This is called Prompt for Consent. On the other hand, when a standard user account tries to perform administrative task, the operating system displays a box in which the user must provide administrative credentials (password for the administrator account), before the operating system allows the account holder to accomplish the task. This is known as Prompt for Credentials.
Promoting a Standard User Account to the Administrator Account
Although it is strongly recommended that administrators must take utmost care while adding a standard user account to the Administrators group because of security reasons, if they want to do so, they can follow the steps given as below:
- Log on to Windows 7 computer with administrator account.
- Click Start, and from the menu click Control Panel.
- On the opened window, under User Accounts and Family Safety category, click Add or remove user accounts.
- On Choose the account you would like to change window, click to select the name of the standard user account that has to be granted elevated privileges.
- On the next window, click Change the account type and on the displayed window, click to select Administrator radio button to change the account type from Standard to the Administrator.
- Once selected, click Change Account Type button to promote the account.
- Restart the computer to allow the changes to take effect.