Using Admin vs Standard Accounts...

Posted:
in macOS edited January 2014
Just got a new cMBP, and am wondering this burning question...

How necessary is it to create both an [B]Admin Account[/B] and a [B]Standard Account[/B] for my new Mac?

On this MacBook, I just have one Admin Account under which I run all day long.

In the past, I have heard a fair amount of people say you should never run your day-to-day computing activities under an "Admin" account, but maybe that is more of a Windows thing?! :\

---------
It seems that when I first switch over to Macs about 5 years ago, that I briefly tried working under a "Standard" account, but since I am a Developer, I found that it was such a PITA that I ditched things, and chose to work entirely under one "Admin" account type?! 8-)

Not sure how things have changed from Leopard to Mountain Lion...

I could definitely use some *expert* advice on this topic, because I would hate spending a few days setting up my new cMBP, and then find out I have some gaping security holes in how things are set up?! :wow:

Sincerely,


Debbie

Comments

  • Reply 1 of 4


    There is not really any great reasons to not use an admin account for day to day usage. All the admin account gets you is write privileges to /Applications, and your username is pre-populated in the privilege escalation window when it pops up.

  • Reply 2 of 4
    There is not really any great reasons to not use an admin account for day to day usage. All the admin account gets you is write privileges to /Applications, and your username is pre-populated in the privilege escalation window when it pops up.

    This is what a document on Hardening Mac OS-X says on this topic...
    Use a standard user account for daily operations. Administrator accounts should
    only be used for operations that require administrative privileges. Administrator privileges are
    required for tasks like installing software, running updates and configuring various
    settings in the operating system. When running as an administrator, malicious software
    could affect the operating system or applications. Malicious software is often not able to
    exploit a given system if the local user executing the code does not have sufficient
    privileges to install or change the configuration of the system. Administrator accounts
    should not be used for writing documents, checking e-mail or browsing websites.
    Administrators of systems should always keep the segregation of duties when dealing
    with administrator and user actions.

    I think my main apprehension with having both an Admin and a Standard account is that in the past when I tried this in Windows - and I believe on this MacBook when it was new - was that I'd install and configure everything as an Admin, but then when I went into the Standard account I had to reconfigure everything again?!

    And even for little things like Desktop Icon placement and Browser Preferences, this was a real PITA!!

    Maybe I did things the wrong way back then?! :\

    Or maybe I will have a different experience on Mountain Lion?

    Both this MacBook and my new cMBP are used for Development and things which probably require more access than Jane User. (For example, I'm not sure what would happen when I fire up MAMP every day to develop my website if I am logged in as a Standard user??)

    Sincerely,


    Debbie
  • Reply 3 of 4


    Nearly everyone will set up one admin account on the computer and use this.


     


    What you are 'meant to do' is to set up an admin account, and as many standard accounts as you need. 


     


    Then, what you do is log in the standard account, and do all the set up under that account. If you are prompted for an Administrator username and password when, for example, installing software, then you only need to provide the Administrator username and password.


     


    It will be rare to need to actually login using the administrator account.


     


    The issue is basically that an admin account is one step away from root access at all times. Root access means being able to read/write any file on the computer, including system files. Install any software. Delete anything etc. A lot more power than you actually need for day to day computing.

  • Reply 4 of 4
    Nearly everyone will set up one admin account on the computer and use this.

    What you are 'meant to do' is to set up an admin account, and as many standard accounts as you need. 
     
    Then, what you do is log in the standard account, and do all the set up under that account. If you are prompted for an Administrator username and password when, for example, installing software, then you only need to provide the Administrator username and password.
     
    It will be rare to need to actually login using the administrator account.
     
    The issue is basically that an admin account is one step away from root access at all times. Root access means being able to read/write any file on the computer, including system files. Install any software. Delete anything etc. A lot more power than you actually need for day to day computing.

    Thanks for the response.

    So maybe you can help me clear up some confusion in my mind? (This is maybe influenced from my many years as a Windows user...)

    I tried to set up an "Admin" and a "Standard" account on my PC in the past, and here is what I recall...

    I couldn't install or configure things in the "Standard" account, so I had to do it in the "Admin" account.

    But then when I went into the "Standard" account, it was like I had to start all over. If I recall correctly, the apps that I installed as "Admin" were available to both accounts, but any preferences or customizations I did in one account would not show up in the other. (A lot of people would say "Good", but for me as the only user, that was a pain!)

    It also seemed like I had to log into "Admin" to do the simplest things, and so it soon became a drag, and I went back to running under one "Admin" account for good - which, mind you, is pretty dangerous on Windows XP!!

    Maybe if I explain how I actually use my Mac, it will help you to help me figure out the best strategy?

    This new cMBP will be used to run a small business that I am starting, and do all of my development work.

    Here is a list of the apps I use regularly...
    * FireFox
    - Opera
    - Safari
    - Chrome

    - OpenOffice

    * MAMP
    * NetBeans
    * FireBug
    - Text Edit
    - Text Wrangler
    - FileZilla
    - SnagIt for Mac

    * Audacity

    * Witopia Client (Personal VPN)

    Where an asterisk denotes apps I can't live without!!!


    It sounds like you are saying that I could create an "Admin" and a "Standard" account, and then log in under the "Standard" account and enter my "Admin Credentials" and I should be able to download, install, and configure nearly all of those apps from my "Standard" account?? :\

    I believe nearly all of those apps above would just be needed in my "Standard" account, but what about these apps that would be needed in both...
    * FireFox
    * SnagIt for Mac
    * WiTopia Client (Personal VPN)


    Also, this time around I plan on taking advantage of "File Vault 2", so how would that work when I have both an "Admin" and a "Standard" account?? :\

    I normally don't mind experimenting with things, but I feel like this is like laying the foundation for a house, and I just don't think that "tinkering" with that is a good idea, so that's why I'm asking for some help and advice from a pro!!!

    Sincerely,


    Debbie
Sign In or Register to comment.