Do not use administrator accounts for daily work

Updated: August 21, 2008

Applies To: Windows SBS 2008

Windows SBS 2008 includes three user roles: Standard User, Network Administrator, and Standard User with administration links.

Because user accounts that are based on the Network Administrator user role are very powerful, you should not base user accounts on the Network Administrator user role. Using the Network Administrator user role increases the chance that the user will inadvertently delete important files or gain unintended access to an account with administrative permissions.

If a user on your network wants administrative permissions, but does not need them for daily tasks, you can assign the user two accounts:

  • A typical user account that is based on the Standard User user role for daily tasks.

  • An account that is based on the Network Administrator user role that provides the user with unrestricted access to the domain.

You should then instruct the user to use the account with administrator permissions only to complete specified tasks.

The Network Administrator account is a well-known and powerful account. Users who are assigned this user role must adhere to the following procedures to help reduce unauthorized access to your network and the misuse of access privileges:

  • Use strong passwords at all times.

  • Log on with a user account that is based on the Standard User role to perform daily tasks.

  • Never leave a computer unattended while logged on to a Network Administrator account.

  • Do not give others the password for a Network Administrator account.

  • Never leave a written record of the password for the Network Administrator account near the computer.

For instructions on creating a new user account, see Add a user account later in this document.

Community Additions