Admin account vs standard

[Andy_2341]

Hi everyone,
I just bought my first Mac (Mini M4) the other night. Today I was reading through some forums, one of which was from 2020, and found that many people don’t like to use a Admin account all the time and instead use a standard account. Is there a reason for this? Does using the Admin account pose some sort of risk?
Thank you,
Andy

 

[iPodNano3]

typically, most macs only have one person who use them, but sometimes they can be used by multiple people in a family, or at a library
admin accounts are what macs with one person use
when you go through the setup, the account you create is an admin account
the main user you usually use on a personal computer is an admin account
the computers at libraries or households with multiple users typically have one or more admin accounts and standard accounts
libraries usually have one admin account that staff use to configure the computer, and the standard accounts are what the customers use
if you are the only one using your mac, then using an admin account is fine, since most software will require you to enter an admin password
if there are multiple people who will use your mac, make yourself the admin, and make more standard accounts for others, unless you trust them to make changes to your computer's settings
if you want to be super secure, you can make an admin account, then make standard one for yourself; use the standard account regularly, but enter the admin username and password when an application requests it

 

[Andy_2341]

typically, most macs only have one person who use them, but sometimes they can be used by multiple people in a family, or at a library
admin accounts are what macs with one person use
when you go through the setup, the account you create is an admin account
the main user you usually use on a personal computer is an admin account
the computers at libraries or households with multiple users typically have one or more admin accounts and standard accounts
libraries usually have one admin account that staff use to configure the computer, and the standard accounts are what the customers use
if you are the only one using your mac, then using an admin account is fine, since most software will require you to enter an admin password
if there are multiple people who will use your mac, make yourself the admin, and make more standard accounts for others, unless you trust them to make changes to your computer's settings
if you want to be super secure, you can make an admin account, then make standard one for yourself; use the standard account regularly, but enter the admin username and password when an application requests it

Thank you for such detailed reply! That explained it pretty well. However, I don’t understand your last paragraph. How does it increase security?

 

[iPodNano3]

Thank you for such detailed reply! That explained it pretty well. However, I don’t understand your last paragraph. How does it increase security?

if an application wants to make critical changes to your computer, it will require an admin password or an admin account
there isn't too much of a difference since you will need to enter an admin password on both types of accounts, but some actions do not require a password if you are on the admin account.

 

[iPodNano3]

if any of my info is inaccurate, i am sorry, since i have no idea how modern mac os works
i daily drive os x 10.9.5 from 2016, so it's a little outdated

 

[russell_314]

I think you’ll be fine using an admin account for daily use. Unless you have other people using the computer where you don’t want them to make changes it’s fine.


On both types major changes require a password, so don’t blindly enter your password if something pops up. Figure out why it’s asking for it. That’s one thing that gets people on all operating systems. A pop up will ask something but people are in a hurry so they just click OK without knowing what it’s asking.

There might be some extra protection in a non admin account, but if you’re downloading or browsing something online that could be risky, you should use a virtual machine to contain it.

 

[Andy_2341]

if any of my info is inaccurate, i am sorry, since i have no idea how modern mac os works
i daily drive os x 10.9.5 from 2016, so it's a little outdated

It seems to still be accurate, thank you.

 

[Andy_2341]

I think you’ll be fine using an admin account for daily use. Unless you have other people using the computer where you don’t want them to make changes it’s fine.


On both types major changes require a password, so don’t blindly enter your password if something pops up. Figure out why it’s asking for it. That’s one thing that gets people on all operating systems. A pop up will ask something but people are in a hurry so they just click OK without knowing what it’s asking.

There might be some extra protection in a non admin account, but if you’re downloading or browsing something online that could be risky, you should use a virtual machine to contain it.

Alright, that’s a good rule of thumb. I understand fully now. Thank you.

 

[Fishrrman]

iPod gave good advice in reply 2 above.

Just speaking for myself...
Since I began using OS X back around 2004, I've always used an administrative account (I'm the only user on my Macs).

Never had any problems with that, in twenty years.

I see no risks -- as in "none" -- for someone who will be the only user of a Mac to stick with an administrative account.

After all, it's what Apple creates for ALL users the first time they "set up".

 

[lemonkid]

Just a question that pops up; when using an admin account and you are silly enough to click a phishing mail, your account and whole computer could get hacked. But when you were on a users account, would then only the account of this user be in danger? And could you restore all with an admin account and TimeMachine?
While when your admin account would get hacked you could loose control over your computer?

(I just assume the theoretical situation that it is possible to take over your computer through a hack)

 

[splifingate]

I've always separated my Administrator from my User(s).

I create an Admin Account, first, then I create a User Account (the Account I use on the daily).

I've been doing such since iirc Leopard.

Basic Safe Hex.

 

[KaliYoni]

Is there a reason for this? Does using the Admin account pose some sort of risk?

Some things I would consider f I was thinking about making my daily-use user account Standard are:

* How is the Mac going to be used (personal, business, email/social media, stock trading, video editing, etc)?
* Are any sensitive or irreplaceable files going to be stored on the Mac?
* What is my risk level for phishing and social engineering attacks?
* How likely am I to panic—and therefore benefit from slowing down—if I see a popup, get a text message, or receive an email that says my computer has been compromised?

Now, having said that, I think the sealed system volume has reduced the need for a non-Admin user account for daily use for many people. My Mac remains set up to only access Admin accounts when updating or troubleshooting but I've become more open to the one-user-account-does-it-all approach. In any case, there is no harm in trying out running as a Standard user. Just make sure you do not delete or make changes to your existing user account. Set up a new account in Settings/Users & Groups and use that account to experiment.

And one more thing™:

Is it more secure to be a normal or admin user?

While you may feel more comfortable working with the more limited privileges of a normal rather than admin user, does that improve security?

eclecticlight.co

 

[ipaqrat]

Several correspondents here contend that an admin account is okay to daily drive, if the machine is single user, or under conditions where the user feels confident, careful and aware... I read the article linked above by @KaliYoni (and I have read dozens similar over the years); ironically, the content of this particular article contradicts its own closing statement.

The fallacy is that ordinary users even CAN be aware of what's going on with their PC and networks around them, that risks even CAN be assessed precisely enough to support confidence, and that there is such a thing as risk avoidance.

The best IT Security measures can provide is risk MANAGEMENT. Wise practitioners don't forgo simple, sensible precautions.

Limited user accounts are simply a sensible (if occasionally frustrating) precaution for degrees of safety, not just against singular direct attack, but against infiltrations/exfiltration exploits assembled piece by piece over time, and whose intent or payload is not necessarily/yet recognizable as malware (so called zero-day).

The internet is not getting safer. And one should expect it to become less safe, as certain premier IT security agencies and practices are dismantled in the coming year(s), in favor of kleptrocratic cronies with demonstrated anti-civil tendencies.

 

[NoBoMac]

Add me to the list of the pro separate admin account camp.

Ditto a lot of what everyone previously posted, plus also is a layer of protection from pilot error: typo on command line or bug in shellscript under development limits the scope of possible harm to system level folders, components, etc.

And if for some reason the user account gets messed up you have that admin account to get back in and start fixing things.

 

[CharlesShaw]

Thanks a lot, OP, LOL, now I'm questioning my admin-only choice that was originally based on reading a consensus of posts in similar threads years ago. I'll need to profile those profiles and reassess.

For a few years, my Mac was only serving a utilitarian function and hidden away, wasn't logged into iCloud, and no data on it. I'd only connect my monitor for updates, but the 2024 Mac mini inspired using a Mac after work instead of just the iPad. I've liked having one user/password and the ability to double-click on my Apple Watch to authorize something important.

 

[apple contributor]

Just a question that pops up; when using an admin account and you are silly enough to click a phishing mail, your account and whole computer could get hacked. But when you were on a users account, would then only the account of this user be in danger? And could you restore all with an admin account and TimeMachine?
While when your admin account would get hacked you could loose control over your computer?

(I just assume the theoretical situation that it is possible to take over your computer through a hack)

Yep, at least that’s why I have an admin account I don’t use and use a standard account. Only the standard account will be hacked, and it can still be restored with an admin account at some point

 

[apple contributor]

Thanks a lot, OP, LOL, now I'm questioning my admin-only choice that was originally based on reading a consensus of posts in similar threads years ago. I'll need to profile those profiles and reassess.

For a few years, my Mac was only serving a utilitarian function and hidden away, wasn't logged into iCloud, and no data on it. I'd only connect my monitor for updates, but the 2024 Mac mini inspired using a Mac after work instead of just the iPad. I've liked having one user/password and the ability to double-click on my Apple Watch to authorize something important.

Cool! Is it really fast authorizing something with Apple Watch? My friend uses an AW Series 6, and it’s kinda slow sometimes.

 

[KaliYoni]

risk MANAGEMENT

Admin-only choice that was originally based on reading a consensus of posts in similar threads years ago

I'm a firm believer in a risk management approach to privacy and security as well, as I've often said in other threads.

I try not to center my Mac security strategy around predictions of bad actors' behavior. I prefer spending some time up front–and money if justified–to minimize the possibility of having to deal with the fallout of an attacker putting viruses or malware on my computer. I view Standard user accounts and anti-virus/anti-malware software as a form of insurance. Yes, it sucks that I need it but I feel that having it lets me sleep better than not having it.

Also, we are all human and we make mistakes, especially when we are in a rush, distracted, or tired. Relying on constant vigilance as protection requires perfection. I don't think any of us can reach that standard very often, especially with something that is constantly changing and morphing.

Finally, I always attempt to keep in mind that nobody on an Internet message board will be available to answer to me if I follow bad advice or take an action that turns out it be ill-suited to my personal situation. The same goes for bloggers, websites, and social media. Only one person can decide what is truly best for me: ME.

 

[CharlesShaw]

Thanks everyone. I was not aware how risky it is to use a Mac. As I said earlier, I had actually planned to be iPad only as I get older, and have fewer things to commit to memory, maintain, and worry about being compromised. I feel like it's just as likely that I could make one of the errors you are all explaining when I'm logged into the Admin account, which would be needed, so maybe the Mac is not for me after all. I've got until Jan 8th to return it if I decide to, so at least I wouldn't be out any money.

It's a shame that Apple allows us to set it up with such risk without any warnings.

 

[Andy_2341]

Thanks a lot, OP, LOL, now I'm questioning my admin-only choice that was originally based on reading a consensus of posts in similar threads years ago. I'll need to profile those profiles and reassess.

For a few years, my Mac was only serving a utilitarian function and hidden away, wasn't logged into iCloud, and no data on it. I'd only connect my monitor for updates, but the 2024 Mac mini inspired using a Mac after work instead of just the iPad. I've liked having one user/password and the ability to double-click on my Apple Watch to authorize something important.

No problem, lol

 

[diggy33]

I run as a Standard user on my Mac, and when I want to elevate briefly, I use Privileges app. There’s really no need for me to run as an admin aside from the times when admin authentication might be required. There’s nothing wrong with running 100% as an admin, if that’s what you choose to do, but I choose not to.

 

[splifingate]

...the ability to double-click on my Apple Watch to authorize something important.

'Tis the same using a bog-standard User Account

 

[splifingate]

It's a shame that Apple allows us to set it up with such risk without any warnings.

The same applies to the winx64 side of things, as well

 

[KaliYoni]

I was not aware how risky it is to use a Mac.

Well, I'd say macOS is more secure in many ways now than it was in the past. The sealed system volume and XProtect/Notarization/Gatekeeper/System Integrity Protection functions provide a good baseline level of protection against many threats by default.

But phishing and social engineering attacks remain a huge problem on macOS, iOS, and iPadOS...so for many people, not running as an Admin (on Macs) is a good defense layer to add to the absolutely necessary, to my mind, use of 2-factor authentication or Passkeys.

 

[AlixSPQR]

OMG, just go with an admin account, it’s the default, and thereafter never give permissions without knowing why. It’s that simple.