Создание учетной записи локального пользователя или администратора в Windows 10

Вы можете создать локализованную учетную запись пользователя (автономную учетную запись) для всех пользователей, которые часто используют ваш компьютер. Однако в большинстве случаев рекомендуется создать для всех пользователей компьютера учетные записи Майкрософт.

При необходимости учетная запись локального пользователя может иметь разрешения администратора; однако лучше по возможности просто создать учетную запись локального пользователя.

Внимание: Пользователь с учетной записью администратора может получить доступ ко всем данным в системе, а любые вредоносные программы, с которыми они сталкиваются, могут использовать разрешения администратора для потенциального заражения или повреждения любых файлов в системе. Предоставляйте этот уровень доступа только при абсолютной необходимости и только людям, которым вы доверяете.

При создании учетной записи помните, что выбор пароля и его сохранение являются очень важными шагами. Поскольку мы не знаем вашего пароля, если вы забудете или потеряете его, нам не удастся его восстановить для вас.

Если вы используете Windows 10 версии 1803 или более поздней, можно добавить секретные вопросы, как описано в шаге 4 раздела Создание учетной записи локального пользователя. С помощью ответов на секретные вопросы можно сбросить пароль к вашей локальной учетной записи Windows 10. Все еще не знаете, какая версия вам нужна? Проверьте, какая версия у вас сейчас.

Создание учетной записи локального пользователя

Выберите Пуск > Параметры > Учетные записи и щелкните Семья и другие пользователи.(В некоторых версиях Windows вы увидите пункт Другие пользователи.)

Выберите Добавить пользователя для этого компьютера.

Выберите пункт У меня нет учетных данных этого пользователя и на следующей странице нажмите Добавить пользователя без учетной записи Майкрософт.

Введите имя пользователя, пароль, подсказку о пароле или выберите секретные вопросы, а затем нажмите Далее.

Изменение учетной записи локального пользователя на учетную запись администратора

Выберите Пуск > Параметры > Учетные записи .

В разделе Семья и другие пользователи щелкните имя владельца учетной записи и нажмите Изменить тип учетной записи.

Примечание: Если вы выбрали учетную запись, в которой указан адрес электронной почты или не помечено «Локализованная учетная запись», вы даете разрешения администратора для учетной записи Майкрософт, а не локальной учетной записи.

В разделе Тип учетной записи выберите Администратор, и нажмите OK.

Войдите в систему с новой учетной записью администратора.

Create a local user or administrator account in Windows 10

You can create a local user account (an offline account) for anyone who will frequently use your PC. The best option in most cases, though, is for everyone who uses your PC to have a Microsoft account.

If needed, the local user account can have administrator permissions; however, it’s better to just create a local user account whenever possible.

Caution: A user with an administrator account can access anything on the system, and any malware they encounter can use the administrator permissions to potentially infect or damage any files on the system. Only grant that level of access when absolutely necessary and to people you trust.

As you create an account, remember that choosing a password and keeping it safe are essential steps. Because we don’t know your password, if you forget it or lose it, we can’t recover it for you.

If you’re using Windows 10, version 1803 and later, you can add security questions as you’ll see in step 4 under Create a local user account. With answers to your security questions, you can reset your Windows 10 local account password. Not sure which version you have? You can check your version.

Create a local user account

Select Start > Settings > Accounts and then select Family & other users. (In some versions of Windows you’ll see Other users.)

Select Add someone else to this PC.

Select I don’t have this person’s sign-in information, and on the next page, select Add a user without a Microsoft account.

Enter a user name, password, or password hint—or choose security questions—and then select Next.

Change a local user account to an administrator account

Select Start > Settings > Accounts .

Under Family & other users, select the account owner name (you should see «Local Account» below the name), then select Change account type.

Note: If you choose an account that shows an email address or doesn’t say «Local account», then you’re giving administrator permissions to a Microsoft account, not a local account.

Under Account type, select Administrator, and then select OK.

Sign in with the new administrator account.

Local Accounts

Applies To: Windows Storage Server 2008 R2, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8

This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an ActiveВ Directory domain controller.

Did you mean…

About local user accounts

Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users.

This topic describes the following:

For information about security principals, see Security Principals Technical Overview.

Default local user accounts

The default local user accounts are built-in accounts that are created automatically when you install the Windows Server operating system on a stand-alone server or member server. The Applies To list at the beginning of this article designates the Windows operating systems to which this topic applies.

After the Windows Server operating system is installed, the default local user accounts cannot be removed or deleted. In addition, default local user accounts do not provide access to network resources.

Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see How to manage local user accounts later in this topic.

The default local user accounts that are provided include the Administrator account, Guest account and HelpAssistant account. Each of these default local user accounts is described in the following sections.

Administrator account

The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-domain-500, display name Administrator). The Administrator account is the first account that is created during the installation for all Windows Server operating systems, and for Windows client operating systems.

For Windows Server operating systems, the Administrator account gives the user full control of the files, directories, services, and other resources that are under the control of the local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. The Administrator account can also be used take control of local resources at any time simply by changing the user rights and permissions.

The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.

The default Administrator account is initially installed differently for Windows Server operating systems, and the Windows client operating systems. The following table provides a comparison.

Windows Server operating systems

Windows client operating systems

Administrator account is disabled on installation

Administrator account is set up on first sign-in

No, keep disabled

Administrator account is used to set up the local server or client computer

No, use a local user account with Run as administrator to obtain administrative rights

Administrator account requires a strong password when it is enabled

Administrator account can be disabled, locked out, or renamed

In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the Remote control and Remote Desktop Services Profile settings. You can also disable the Administrator account when it is not required.

In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use Run as administrator. For more information, see Security considerations.

Account group membership

By default, the Administrator account is installed as a member of the Administrators group on the server. It is a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer.

The Administrator account cannot be deleted or removed from the Administrators group, but it can be renamed or disabled.

Security considerations

Because the Administrator account is known to exist on many versions of the Windows operating system, it is a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to to the server or client computer.

You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see Disable or activate a local user account and Rename a local user account.

As a security best practice, use your local (non-Administrator) account to sign in and then use Run as administrator to accomplish tasks that require a higher level of rights than a standard user account. Do not use the Administrator account to sign in to your computer unless it is entirely necessary. For more information, see Using Run as.

In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers.

In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see Group Policy Overview and Group Policy.

Blank passwords are not allowed in the versions designated in the Applies To list at the beginning of this topic.

Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.

Guest account

The Guest account (SID S-1-5-32-546) is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.

Account group membership

By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers.

Security considerations

When an administrator enables the Guest account, it is a best practice to create a strong password for this account. In addition, the administrator on the computer should also grant only limited rights and permissions for the Guest account. For security reasons, the Guest account should not be used over the network and made accessible to other computers.

When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the Shut down the system user right.

In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.

HelpAssistant account (installed by using a Remote Assistance session)

The default HelpAssistant account is enabled when a Windows Remote Assistance session is run. The Windows Remote Assistance session can be used to connect from the server to another computer running the Windows operating system. For solicited remote assistance, a user initiates a Windows Remote Assistance session, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance.

After the user’s invitation for a Windows Remote Assistance session is accepted, the default HelpAssistant account is automatically created. The HelpAssistant account provides limited access to the computer to the person who provides assistance. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. The HelpAssistant account is automatically deleted after there are no Remote Assistance requests are pending.

The security identifiers (SIDs) that pertain to the default HelpAssistant account include:

SID: S-1-5-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled.

SID: S-1-5-14, display name Remote Interactive Logon. This group includes all users who sign in to the computer by using Remote Desktop Connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.

For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.

In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default. For more information about remote desktop connections for those client operating systems designated in the Applies To list at the beginning of this topic, see Enable Remote Desktop.

Default local system accounts

The system account and the Administrator account of the Administrators group have the same file rights and permissions, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The system account was designed for that purpose. It is an internal account that does not show up in User Manager, it cannot be added to any groups, and it cannot have user rights assigned to it.

On the other hand, the system account does appear on an NTFS file system volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted Full Control permissions to all files on an NTFS volume. Here the system account has the same functional rights and permissions as the Administrator account.

To grant the account Administrators group file permissions does not implicitly give permission to the system account. The system account’s permissions can be removed from a file, but we do not recommend removing them.

How to manage local user accounts

The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC), a collection of administrative tools that you can use to manage a single local or remote computer. For more information about creating and managing local user accounts, see Manage Local Users.

You can use Local Users and Groups to assign rights and permissions on the local server, and that server only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner.

You cannot use Local Users and Groups to view local users and groups after a member server is used as a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network.

You use Active Directory Users and Computers to manage users and groups in Active Directory.

Restrict and protect local accounts with administrative rights

An administrator can use a number of approaches to prevent malicious users from using stolen credentials, such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights; this is also called «lateral movement».

The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks, for example, to browse the Internet, send email, or use a word processor. When you want to perform an administrative task, for example, to install a new program or to change a setting that affects other users, you don’t have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.

The other approaches that can be used to restrict and protect user accounts with administrative rights include:

Enforce local account restrictions for remote access.

Deny network logon to all local Administrator accounts.

Create unique passwords for local accounts with administrative rights.

Each of these approaches is described in the following sections.

These approaches do not apply if all administrative local accounts are disabled.

Enforce local account restrictions for remote access

The User Account Control (UAC) is a security feature in Windows that has been in use in Windows ServerВ 2008 and in WindowsВ Vista, and the operating systems to which the Applies To list refers. UAC enables you to stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change how often UAC notifies you.

UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator’s user session to perform occasional administrative tasks without having to switch users, sign out, or use the Run as command.

In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator’s user session.

For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but with the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration.

For summary information about UAC, see User Account Control. For detailed information about special conditions when you use UAC, see User Account Control.

The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.

No.

Setting

Detailed Description

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options