1.    09 Jul 2016 #1
    Join Date : Dec 2015
    Posts : 10
    windows 10

    Is it possible to create two administrative user profiles?


    *SORRY--just realized this should be in another forum. Not sure how to move but checking with admin now.

    I would like to create two administrator user profiles, one with complete control and one configured with (at least) two limitations:

    1) the inability to move, delete, or otherwise modify executables (or other files, as needed); plan on doing that through making the primary administrator control a given file, and then assigning lesser rights to the secondary administrator.

    2) the inability to enter safe mode, modify the registry, or change the time.

    I want to give the primary administrator complete rights, so if something happens backup etc. is accessible.

    1) First, need to know if it is possible (and won't screw up my system).

    2) If it is, can this be done safely, and through group policy?

    3) Also, can both users share the same programs, file settings, etc.?

    I currrently have Win 10 x64 Home, but am planning to upgrade (the free, fully functional--but nagging) Win 10 Pro to use group policy--it has it, right?

    I read that older versions of Windows allowed you to create a "superuser" profile with advanced properties; if I can't do this in Windows 10, would it be advisable to go back to Win 8 (or whatever version supported that feature)?

    Thank you!
    Last edited by anoukaimee; 09 Jul 2016 at 22:12. Reason: wrong forum
      My ComputerSystem Spec
  2.    09 Jul 2016 #2
    Join Date : Sep 2014
    Nashville, TN
    Posts : 3,143
    Windows 10 Pro

    You can't stop a user from entering safe mode. That selection for safe mode happens before the OS even starts (and thus the user even logs in).

    Most other things can be done through group policy, but it's a tedious task making the OS hardened like that. And requires a lot of research on your part.
      My ComputerSystem Spec
  3.    09 Jul 2016 #3
    Join Date : Oct 2014
    Posts : 771
    Windows 7

    By design, all Administrator accounts are equal. That has been the case all the way back to the first release of NT in 1993. There is no such thing as primary and secondary administrator accounts. Whatever restrictions you might impose any other administrator can remove or modify. That is an inherent property of an administrator account and cannot be removed.
      My ComputerSystem Spec
  4.    09 Jul 2016 #4
    Join Date : Dec 2015
    Posts : 10
    windows 10
    Thread Starter

    Quote Originally Posted by Mystere View Post
    You can't stop a user from entering safe mode. That selection for safe mode happens before the OS even starts (and thus the user even logs in).

    Most other things can be done through group policy, but it's a tedious task making the OS hardened like that. And requires a lot of research on your part.
    Yep, I figured it would take a lot of work. Given that I have just like 3 things to tweak, can I start with an administrator profile and scale down (that is, retain the settings other than those three or so I want to keep)? Relatively computer savvy, but never used group policy. But have dl'd Microsoft's spreadsheet with all of the commands.

    Should I just start with the default administrator account and then create another administrator account (and if so, local or MS)? If two administrators, how do I specify which is default?

    I have found a command line that works 100% for locking safe mode. I think it is "bcdedit" something, but can't remember. It works so long as you don't have a recovery environment. Which might not be the most optimal environment. Can a user with restricted security settings (such as described above) delete etc. in safe mode, or is that not a concern?

    Thank you!
      My ComputerSystem Spec
  5.    09 Jul 2016 #5
    Join Date : Dec 2015
    Posts : 10
    windows 10
    Thread Starter

    Quote Originally Posted by LMiller7 View Post
    By design, all Administrator accounts are equal. That has been the case all the way back to the first release of NT in 1993. There is no such thing as primary and secondary administrator accounts. Whatever restrictions you might impose any other administrator can remove or modify. That is an inherent property of an administrator account and cannot be removed.
    Even when you are 1) working as the primary administrator and 2) modify the permissions of the second administrator? Would you just have to create a low level profile and "scale up" with additional privileges?
      My ComputerSystem Spec
  6.    09 Jul 2016 #6
    Join Date : Oct 2014
    Posts : 771
    Windows 7

    A "primary administrator" may remove the rights of a "secondary administrator" but the latter can always take them back. Any rights an administrator does not have he can grant himself. That is an inherent capability of an administrator account.
      My ComputerSystem Spec
  7.    10 Jul 2016 #7
    Join Date : Sep 2014
    Nashville, TN
    Posts : 3,143
    Windows 10 Pro

    Quote Originally Posted by LMiller7 View Post
    By design, all Administrator accounts are equal.
    That's actually not exactly true.

    There is the Local Administrator, then there are accounts added to the Administrators group. A third kind of administrator (not really an admin, but has admin abilities) is often termed "Power User". You can also create accounts that are manually given various permissions (such as installing software) without making them an actual administrator.

    That is what I meant by it being a lot of work, since you're going to have to start with a standard account and add abilities.
      My ComputerSystem Spec
  8.    10 Jul 2016 #8
    Join Date : Sep 2014
    Nashville, TN
    Posts : 3,143
    Windows 10 Pro

    Quote Originally Posted by anoukaimee View Post
    Yep, I figured it would take a lot of work. Given that I have just like 3 things to tweak, can I start with an administrator profile and scale down
    No. You have to start with a standard user and add the permissions you want them to have. Adding a user to the Administrators group gives them full rights to everything, and while you can deny any particular user (even administrators) access to certain things, being an administrator means they could just give themselves access to it again.
      My ComputerSystem Spec

 


Similar Threads
Thread Forum
Solved User Profiles location changed with Window 10 upgrade
Machine owner did the free upgrade from 7 to Windows 10 believing it would solve the hardware problems he's been having; plus the whole "it's free" deal. Software doesn't fix failing hardware, so I'm having to upgrade/replace the hardware. I had...
User Accounts and Family Safety
Access to all my programs without administrative user's permission
I want to have full access for my laptop because whenever I try to install or make changes it pops out an error message that it requires administrator permission, I tried all the steps that you posted but no luck.
User Accounts and Family Safety
Solved method to sign out of all user profiles in one click
Currently have multiple user profiles and have to log into each one and sign out before shutting the PC down. could a batch file be created to sign out of all user profiles from any or one particular one...? thanks
User Accounts and Family Safety
User account with more local profiles
Hi In Windows 10, a user account can have two or more local profiles? If so, how do I create them and manage them? Thanks Bye
User Accounts and Family Safety
Win10 install/2 user profiles on same computer/1st is mangled/2nd ok
I bit the bullet and upgraded my old Dell Latitude D830 from Win 7 to Win 10 on 9/11/15. I was surprised that I could actually get it to install, but all looked good after the install. I don't like how it looks like MS stripped out/hid some UI...
Installation and Upgrade
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 12:29.
Find Us
Twitter Facebook Google+ Ten Forums iOS App Ten Forums Android App



Windows 10 Forums