User Account Management

You might have noticed a common theme running through the section on Windows security in this tutorial: users can, and often annoyingly do, deactivate crucial security systems on their PCs because they "find them annoying," because "they slow down the PC" (which isn't true), or because they stop the user "from doing what [they] want." That last complaint is very often the whole point: if the user wants to do something that's blocked by Windows' security systems, it's very likely they shouldn't be doing it anyway.

When it comes to user accounts, it's important to create them in ways that constrain the user to do only what they ought to be doing, and not necessarily what they want to be doing. It might be difficult to prevent a user from spending time on Facebook or eBay, or from playing Minecraft (though these are fairly innocuous activities that are unlikely to jeopardize the security of the PC). Allowing a user access to file-sharing, adult, or gambling websites (where malware can often hide), or permitting them to install their own apps and utilities on a PC, does however present a serious potential security risk, and therefore a serious risk to the stability and operation of the PC and to the integrity of its files and the data stored on both it and elsewhere on your network.

Remember that PCs no longer operate in isolation, not even in the home. Malware infecting a PC can quickly spread across the network, affecting other PCs, and even servers and network hardware and storage, and the result can be expensive downtime or even the opening of backdoors into company data that can result in an embarrassing and extremely costly data breach.

Administrators vs. Standard Users

Back in the days of Windows XP, every new user was an Administrator, even the Standard users to a certain extent, because there was no UAC feature to prevent unwanted changes being made to a PC. Administrators can change anything on a PC, anything at all. They can install new software, modify configuration settings, and even delete files in the \Windows operating system folder.

Standard users on the other hand can only make changes that affect their own user account, and nobody else's. This can have some downsides in the workplace, especially if a user does need to install the odd extra piece of software (all users can install apps from the Microsoft and Windows Business stores), but it's generally accepted that there should be just one Administrator on a PC (usually the person who knows what they're doing) and that everybody else should be a Standard user.

Local Accounts vs. Microsoft Accounts

If you are using PCs in the workplace, you'll most likely have users set up on PCs using Domain or Azure Active Directory accounts managed by a Windows Server system. Smaller businesses might have users signed into PCs using a Microsoft 365 account, but for everybody else it's the choice between using a Microsoft account to sign into a PC or a local account.

While it is still technically possible to install Windows with a local account (make sure the PC is disconnected from the Internet at the time of installation), Microsoft wants everybody using a Microsoft account because that's what offers the "best experience," and Windows 10 will try, and likely succeed, in forcing you to switch to a Microsoft account instead. The following tables list the pros and cons of using Microsoft and local accounts on a Windows 10 PC.

Table: The pros and cons of using a local account

Local Account

Pros:
  • No personal data is shared with Microsoft.
  • No files are stored in the cloud unless you deliberately set it up.

Cons:
  • Syncing of personalization and Ease of Access settings is not supported.
  • Windows Store cannot be used without Microsoft account sign-in.
  • OneDrive file sync is not supported without Microsoft account sign-in.
  • Setup and configuration can take much longer after a reinstall.

Table: The pros and cons of using a Microsoft account

Microsoft Account

Pros:
  • You get the full Windows 10 experience with all features supported and working.
  • Profile sync across your Windows 10 devices (PCs, laptops, tablets, smartphones), including personalization and Ease of Access options.
  • File backup and sync between PCs are possible using OneDrive.
  • Setup and configuration is partly handled automatically after a reinstall.

Cons:
  • Personal advertising data is shared with Microsoft unless you opt out during or after installation.
  • Integration is built into Microsoft services you may not wish to use.

User Identity and Sign-In Management

Windows 10 supports many more ways for a user to sign into a PC than just by using a password, but this isn't always a good thing. These additional sign-in methods include picture passwords, where you draw shapes over a picture (fairly pointless but useful for children perhaps); a PIN, such as the one you use for your bank card at an ATM; and Windows Hello, which supports several forms of biometric sign-in from fingerprint readers to iris and facial recognition.

How to Create a Superstrong Password

It is always a good idea to use a password manager, though the main web browsers such as Chrome and Edge have excellent password managers built-in that can sync across desktop and mobile platforms. If you don't use a dedicated password manager however, these are my top tips for creating superstrong passwords for use on your PC and with websites and Internet services:

  • Create passwords that are a bare minimum of 12 characters in length.
  • Always use a mixture of numbers, uppercase letters, lowercase letters, and symbols.
  • Replace some letters and numbers with other characters. For example, you can use a 5 instead of an s or S; an & instead of a or A; () instead of o, O, or 0; and / instead of the number 7.
  • Use a phrase, perhaps a line from a song or poem, instead of a single word to make the password longer.
  • Append some unique characters representing the service or website the password is for to the beginning or end of the password to make it unique to that service or website. For example, use ebA for eBay, aMa for Amazon, or g()() for Google web services.
  • Choose a format you will use for each word in your password, for example, capitalizing the second letter of each word and substituting the first vowel with a symbol.

An Introduction to Family Safety

While we're on the subject of preventing users from doing things that can adversely affect the security of the PC, it's worth finishing up by talking about children. If you have children, then you also have my sympathies, because you'll be all too aware that especially younger children have almost no idea of what constitutes a risk, either in the playground or on the Internet.

Windows 10 does include Family Safety features, and when you add a new user to the PC, you'll be asked if they are a family member or somebody else. The former option then lets you choose if the person is a child or an adult. Child accounts are automatically hooked into the Family Safety features, which include website filtering, game ratings management, and usage time management for the PC.

For the purposes of maintaining security, it's the website filtering that's the most useful. This can prevent children from accessing adult, file-sharing, or gambling websites where malware is often found.

Note: It's worth mentioning that no Family Safety or Child Protection feature, be it from Microsoft, from a third party, or managed by your Internet Service Provider (ISP), can guarantee to block every attempt by a child to access content that you consider inappropriate. Thus, it is important to maintain good communication with your child on how they can keep themselves safe online, and why it is important for them to do so.

Managing and Deleting User Accounts

User accounts are managed in Windows 10's Settings app. There's really not much else you can do with them in the Control Panel. If you have a user set up on a PC who is an Administrator when they should really be a Standard user, you can change their account type in the Settings app under Accounts, then Family & other people. Note that you need to be signed in as an Administrator to do this.
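
The same change can be scripted. The PowerShell below is an added example, not part of the original tutorial: it lists the enabled local Administrators (the "just one Administrator" check from the Administrators vs. Standard Users section) and changes a named account to a Standard user, refusing to demote the last enabled Administrator. The function names and the account name Sam are hypothetical; the cmdlets come from the built-in Microsoft.PowerShell.LocalAccounts module.

```powershell
#Requires -RunAsAdministrator
# Added example; function names and the account name 'Sam' are hypothetical.

$AdminsSid = 'S-1-5-32-544'   # built-in Administrators group (well-known SID, language independent)
$UsersSid  = 'S-1-5-32-545'   # built-in Users group (well-known SID)

function Get-EnabledLocalAdmin {
    # Members of Administrators that resolve to local accounts and can sign in.
    # Nested groups and domain/Azure AD members do not resolve here and are skipped.
    Get-LocalGroupMember -SID $AdminsSid |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object Enabled
}

function Set-StandardUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    $user   = Get-LocalUser -Name $Name -ErrorAction Stop
    $admins = @(Get-EnabledLocalAdmin)

    if ($admins.SID.Value -notcontains $user.SID.Value) {
        Write-Output "$Name is not an enabled Administrator; nothing to change."
        return
    }
    # Edge case: demoting the only enabled Administrator leaves nobody able to manage the PC.
    if ($admins.Count -le 1) {
        throw "Refusing: $Name is the only enabled Administrator on this PC."
    }
    if ($PSCmdlet.ShouldProcess($Name, 'Change account type to Standard user')) {
        # Keep the account in Users so it can still sign in once admin rights are removed.
        if (-not (Get-LocalGroupMember -SID $UsersSid -Member $user.Name -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -SID $UsersSid -Member $user
        }
        Remove-LocalGroupMember -SID $AdminsSid -Member $user
    }
}

# Audit: who holds Administrator rights on this PC right now?
$admins = @(Get-EnabledLocalAdmin)
$admins | Select-Object Name, SID, LastLogon, PasswordLastSet
if ($admins.Count -gt 1) {
    Write-Warning "$($admins.Count) enabled local Administrators found; the tutorial recommends one."
}

# Preview the change first, then run again without -WhatIf to apply it:
# Set-StandardUser -Name 'Sam' -WhatIf
```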

Sometimes, though, you will want to remove a user from a PC. Clicking their account name in the Settings app will reveal a Remove button. Bear in mind, though, that removing an account will delete their user folders from the PC, including any files and documents they have created and stored. Always make sure files are fully backed up before performing this action!

Caution: Deleting user accounts and their files does NOT securely delete the files and data, which can still be recovered through the use of file recovery apps. To securely wipe currently unused space on your PC, you will need a third-party tool such as CCleaner from piriform.com. You can also wipe the free space on your PC by opening the Command Prompt (Admin) from the Win + X menu and typing cipher /w:[directory name or drive letter].