Using User Accounts
Each user account is like its own separate PC. Every user has his or her private Documents, Pictures, Music, and Video folders for storing files. Each user account can have its own Windows apps, e-mail account, and Internet favorites. Each user can customize the desktop, Start screen, and other settings to that user's own liking.
When you start your computer, the Windows lock screen appears. Press Enter, swipe up (on a tablet or touch screen), press the spacebar, or roll the mouse wheel up to display the sign-in screen. You also see the sign-on screen when you sign out of your user account. If you click a user account that isn't password-protected, you're taken straight into the account. But if you click the picture for a password protected account, a password prompt appears.
To get into the account, enter the appropriate password. If you enter the wrong password, a message appears letting you know that the user account name or password is incorrect. You can click OK to try again. You can't get into the user account until you've entered the correct password for that account. The first time you or someone else logs in to a new user account is just like starting Windows 10 on a brand-new PC. The desktop has the default appearance. All the document folders in the account are empty. You have no e-mail accounts, no Internet favorites, and no Windows apps installed. To use email, the user must set up the account with an e-mail account, preferably an account used only by that user.
The user has access to all the programs installed on the computer (except for rare cases in which someone installed a program for personal use only). The user likely has Internet connectivity through the same network or Wi-Fi as all other user accounts.
If the user account is a standard account, some limitations control what the user can do. For example, Windows settings are not synced with other devices, such as a Windows Phone or tablet. In addition, the user can't make changes to the system that would affect other users. That's where Windows 10's User Account Control security comes into play.
Understanding User Account Control
User Account Control (UAC) is the general term for the way administrative and standard user accounts work in Windows 10. As you scroll through pages in the Control Panel, notice that many links have a shield icon next to them.
Items that have a shield icon require administrative approval. Items without a shield icon don't. For example, any user can change his or her Windows password, with or without administrative approval. Options that have a shield icon next to them require administrative approval. But you don't have to be logged in to an administrative account to use those options. You only have to prove that you have administrative privileges. To prove you have administrative privileges on this computer, enter the password for the administrative user account and click Submit (or OK in some dialog boxes).
When someone who doesn't know the administrative account password encounters the User Account Control dialog box, he or she is stuck. Users who don't know the password can't go any further. This prevents the standard user from doing things that might affect the overall system and other people's user accounts. It also prevents children from overriding parental controls.
Privilege escalation in administrative accounts
If you happen to be logged in to an administrative account when you click a shielded option, you don't need to enter an administrative password. After all, if you're in an administrative account, you must already know the password required to get into that account. You don't need to prove that you know that password again. But, by default, you still see a prompt telling you that the program you're about to run makes changes to the system. Cick Continue to proceed.
Clicking something to get to the item you clicked may seem irritating, but the prompt works that way for a reason. The dialog box lets you know that the program you're about to run is going to make changes to the overall system. You expect to see that dialog box after you click a shielded option. With time and experience, you'll learn to expect it when you do other things that affect the system as a whole, such as when you install new programs.
Sometimes the prompt appears when you don't expect to see it. For example, when opening an e-mail attachment, you don't expect to see that message. After all, opening an e-mail attachment should show you the contents of the attachment, and not make a change to the system as a whole. Seeing the warning in that context lets you know that something fishy is going on, most likely something bad in the e-mail attachment. Click Cancel to not open the attachment, thereby protecting your system from whatever virus or other bad thing lies hidden within the e-mail attachment.
On a more technical note, UAC operates on a principle of least privilege. When you're in an administrative account, you run with the same privileges as a standard user. This arrangement protects your system from malware that would otherwise exploit your administrative account to make malicious changes to your system.
When you enter a password or click Continue in response to a UAC prompt, you temporarily elevate your privileges to allow that change to be made. After the change is complete, you return to your more secure standard user privileges. This procedure has been common in high-security settings for years, and it's considered a security best practice.
Turning UAC on and off
If possible, you should follow standard best practices and keep UAC active on your own computer. But if UAC proves to be impractical, you can turn it off.
Even though UAC is much improved from Windows Vista, Windows 7, and 8/8.1, UAC is not always a very popular Windows 10 feature. After all, nobody wants a feature that makes them do more work, even when the extra work is nothing more than an occasional extra mouse click. Furthermore, sometimes UAC is just impractical. For example, if you give your kids standard user accounts, they can't install their own programs. But if you give them administrative accounts, you can't institute parental controls.
Before you turn off UAC, we recommend that you first ensure that all the other security measures are installed and working on your PC. UAC is just one component of an overall security strategy. The more components you have on and working, the better.
Note:
UAC in Windows 10 employs similar functionality to that used in Windows 8.1 and earlier versions to make it less obtrusive to the user. In contrast to how UAC functioned in Windows Vista, Windows 7, and Windows 8/8.1, in which UAC was an on-or-off feature, UAC in Windows 10 offers a range of settings to tailor the end-user experience.
Changing UAC settings is a simple process. From the Windows 10 Start menu, select Control Panel, and click User Accounts. Or from the desktop, press Windows+X and click Control Panel. Click User Accounts. Click Change User Account Control settings and then, if prompted to do so, enter an administrative password to get to the dialog box.
You can choose from the following options:
- Always Notify:
Windows notifies you if programs try to install software or make changes to the computer, or if you make changes to Windows settings. - Notify Me Only When Apps Try to Make Changes to My Computer (Default):
Windows does not notify you when you make changes to your computer, but if programs attempt to make changes, Windows notifies you by dimming the desktop and displaying a warning. - Notify Me Only When Apps Try to Make Changes to My Computer (Do Not Dim My Desktop): Windows does not notify you when you make changes to your computer, but it notifies you when programs attempt to make changes. However, Windows does not dim the desktop; instead, it displays a message.
- Never Notify:
Windows does not notify you of changes (this option turns off UAC). The only safe time to use this option is when you need to install a program that doesn't work with UAC. Turn off UAC, install the program, and then turn on UAC again.
To turn UAC off, drag the slider down to Never Notify. Or, if it was already off and you want better security, drag the slider up to the desired level. Then click OK.
If you turned off UAC, when you click a shielded option you receive no prompting for credentials or status checking. The settings are basically the same as they were in Windows XP and other earlier versions of Windows.
