Properly managing Local User Accounts is critical for both security and recovering a malfunctioning computer. Unfortunately many people aren’t even aware they exist and even fewer know what they should do with them.
Lets start by understanding what Local User Accounts are:
Most people are aware that they have to “login” when they use a computer that is connected to a network: Each person has a username and password that is controlled by the network and determines what you can and cannot access. Many people are not aware, however, that each individual Windows computer has its own usernames and passwords and must be “logged-in” whether it is connected to a network or not. These usernames on the individual computer are called “Local Users”.
Local User Accounts:
All Windows computers come with the “built-in” user accounts “Administrator” and “Guest.” In Windows 7 and higher these built-in user accounts are disabled by default. When you buy a computer and turn it on for the first time it will ask you for information about the user and ask you to create a password. The username you enter will become a Local User Account and have Admin Rights over the local computer (commonly referred to as a Local Admin Account). On a home computer or any computer that is not “joined” to a network this Local Admin Account is what you will login with in order to use the computer.
On a network with Windows Server where the computer is “joined” to the network, this Local User will be ignored and the person using the computer will login with a network username and password that was provided by the network administrator.
But here is the important thing: Local Users still exist even when the computer is connected to a business network. You may be logging in with your network username but the Local User account is still there and available for use. Many people do not understand the implications of creating this Local Admin Account when setting up Windows and the password created is often weak (or no password at all). This has a significant impact on the security of the individual computer and your entire network.
Having a weak password on a Local Admin Account is a huge security risk and can easily enable a hacker or malicious software to gain complete access to the computer.
You need a Local Admin Account:
This might lead you to believe that you don’t need any active Local Admin Accounts. Once the computer is joined to a Windows Network you can go back in and disable the Local Admin Account. This definitely makes things more secure but if something goes wrong and you can’t login to the network, you will be unable to access the computer at all. The same problem occurs of you forget the password for the Local Admin Account. The only way to recover the computer at this point will be to reformat it completely.
Manage Local Admin Accounts:
We recommend you keep one Local Admin Account but make sure you give it a complex password that you will remember. For computers that will be “joined” to a network it is fine to use the same username and password for the Local Admin Account on all of your computers as long as it is complex and you don’t forget it. The best way to do this is to create a good username and password when you first configure the computer.
If a computer has been around for a while it may have acquired multiple local user accounts. You only need one Local Admin Account. All other Local User Accounts should be disabled or deleted.
For security “Best Practices” you should periodically change all passwords (including passwords for Admin Accounts). Unfortunately this is not an easy task when it comes to Local User Accounts. Because they only exist locally on each PC you actually have to do this individually on each PC.
Managed Services from Willits Technologies:
Willits Technologies takes local user accounts very seriously. Our monitoring and management system gives us the ability to easily manage local user accounts. We can disable, create and delete local user accounts as well as change passwords via our WTI Service Agent installed on each computer. Customers who use our CompleteCare or Online Management services automatically have their local user accounts managed as part of our service.
If you would like more information about our Managed Services or if you just have more questions about how you should manage Local User Accounts please call or email us at 281-333-2505 or firstname.lastname@example.org.