Use of "Administrator" and "Standard" accounts questions. (Set up new Mac)

Your guidance would be valued, dear people! Thanks in advance!!


I'm about to take delivery of a brand new MacBook Air to replace an old, old MBP.


This time, I'd like to take security more seriously, and run my "normal" account as "STANDARD" instead of "ADMINISTRATOR", at least most of the time.


I plan to switch to "administrator" when I am installing software, and back to "standard" when those tasks are done.


I intend to set up two accounts. Let's call them "JohnAdmin" and "JohnNormal".


"JohnAdmin" would have no other function other than being used to toggle "JohnNormal" between administrator/standard as required. All software installations would be made under JohnNormal (operating in admin mode). All useful work would be done under JohnNormal.


Does this sound workable, safe, necessary? Are there better ways?


PS. I have to say, despite all the searches on this community, I'm still not really sure what the functional restrictions of a "Standard" account are. I mean at a detailed level. I'm not sure what potentially malicious actions are blocked in "Standard" mode.

MacBook Air (2020 or later)

Posted on Oct 13, 2021 8:08 AM

Reply
Question marked as Top-ranking reply

Posted on Oct 13, 2021 4:22 PM

johnfkitchen wrote:

This time, I'd like to take security more seriously, and run my "normal" account as "STANDARD" instead of "ADMINISTRATOR", at least most of the time.

I run all of my computers like this.

I plan to switch to "administrator" when I am installing software, and back to "standard" when those tasks are done.

You don't need to do that. If you ever need administrator credentials, you will be prompted for them. If you were running an admin account, you would get the same prompt, but the account name would be filled in. If you are running as a standard user, then you must fill in both an admin account name and password.


That default name being filled in for you is probably the biggest functional difference between running as an admin user and as a standard user.

"JohnAdmin" would have no other function other than being used to toggle "JohnNormal" between administrator/standard as required. All software installations would be made under JohnNormal (operating in admin mode). All useful work would be done under JohnNormal.

It doesn't quite work that way. You would use the "JohnNormal" account 100% of the time. If you ever need to install software or make any kind of change that requires the privileges of "JohnAdmin", you would be able to enter "JohnAdmin" and "JohnAdmin's password" in the dialog box. There is no need to ever switch accounts. I can't remember the last time I signed into my admin account.

PS. I have to say, despite all the searches on this community, I'm still not really sure what the functional restrictions of a "Standard" account are. I mean at a detailed level. I'm not sure what potentially malicious actions are blocked in "Standard" mode.

An admin user has the capability to act as the root user. A standard user cannot (directly) do this. There are some legacy Unix directories that are restricted to only Admin users. The diagnostic log directories fall into this category. There is no security risk here, it is just the way things have always been done. The diagnostic logs themselves are anonymized and have their own security infrastructure. It is an annoyance for me being the developer of EtreCheck, but otherwise, no one notices.


Also, if you ever need to make any changes as root from the command line, you will need two step. An admin user can run the "sudo" command to act as the super user. A standard user must first use the "su" command to move into the admin user and then use the "sudo" command.


All that being said, you aren't getting as much extra security as you think. The macOS operating system already has many levels of security. Even the root user is blocked from accessing your personal files. But if any malicious software wanted access, they could just ask. Almost everything hands over all privileges to any malicious software upon request.

Similar questions

16 replies
Question marked as Top-ranking reply

Oct 13, 2021 4:22 PM in response to johnfkitchen

johnfkitchen wrote:

This time, I'd like to take security more seriously, and run my "normal" account as "STANDARD" instead of "ADMINISTRATOR", at least most of the time.

I run all of my computers like this.

I plan to switch to "administrator" when I am installing software, and back to "standard" when those tasks are done.

You don't need to do that. If you ever need administrator credentials, you will be prompted for them. If you were running an admin account, you would get the same prompt, but the account name would be filled in. If you are running as a standard user, then you must fill in both an admin account name and password.


That default name being filled in for you is probably the biggest functional difference between running as an admin user and as a standard user.

"JohnAdmin" would have no other function other than being used to toggle "JohnNormal" between administrator/standard as required. All software installations would be made under JohnNormal (operating in admin mode). All useful work would be done under JohnNormal.

It doesn't quite work that way. You would use the "JohnNormal" account 100% of the time. If you ever need to install software or make any kind of change that requires the privileges of "JohnAdmin", you would be able to enter "JohnAdmin" and "JohnAdmin's password" in the dialog box. There is no need to ever switch accounts. I can't remember the last time I signed into my admin account.

PS. I have to say, despite all the searches on this community, I'm still not really sure what the functional restrictions of a "Standard" account are. I mean at a detailed level. I'm not sure what potentially malicious actions are blocked in "Standard" mode.

An admin user has the capability to act as the root user. A standard user cannot (directly) do this. There are some legacy Unix directories that are restricted to only Admin users. The diagnostic log directories fall into this category. There is no security risk here, it is just the way things have always been done. The diagnostic logs themselves are anonymized and have their own security infrastructure. It is an annoyance for me being the developer of EtreCheck, but otherwise, no one notices.


Also, if you ever need to make any changes as root from the command line, you will need two step. An admin user can run the "sudo" command to act as the super user. A standard user must first use the "su" command to move into the admin user and then use the "sudo" command.


All that being said, you aren't getting as much extra security as you think. The macOS operating system already has many levels of security. Even the root user is blocked from accessing your personal files. But if any malicious software wanted access, they could just ask. Almost everything hands over all privileges to any malicious software upon request.

Oct 13, 2021 10:27 AM in response to johnfkitchen

No real reason to "toggle" the admin status of Normal. Just use the admin account to do what you need. Even when working in "Normal" you can enter the admin username and password to elevate privileges.


The only value I can find in running a standard user account instead of Admin is to protect you from yourself.

By separating the OS from the Data, Apple has pretty much made that a non-issue. Not only is it separate, but it is a sealed snapshot of a read-only volume.


Even from a security aspect, gaining access to a "privileged" user account doesn't allow you to alter the OS in any way. You would just have the same access as if it was a standard account.

Oct 13, 2021 10:51 AM in response to Barney-15E

JohnF:


I’ll second what Barney said. (I’ve been setup as you envision doing for years)


While the need might open to debate, it certainly CAN’T do any harm.


You rarely need to switch to “admin” …


… macOS is IMO much better than Windows in prompting you for the Admin credentials “on-the-fly” whenever needed.


I also DO think that there’s some value gained from the prompting; making you “think twice” before installing software or altering a particularly significant setting.

Oct 14, 2021 7:37 AM in response to Chattanoogan

Chattanoogan wrote:

Addendum:

Since you are pre-planning your new setup …

… don’t overlook considering the functionality afforded by “Firmware Password” (Intel) or “File Vault” (Apple M1 / M1X).

More detail here:
https://support.apple.com/en-us/HT204455



A word of caution here.

If you do this, make absolutely sure that you don't forget that firmware password!


For me, the risk of ever losing access to my documents far outweighs the risk of someone else having a peek.

Thus I prefer not to have a firmware password nor FileVault.

But I understand that different people have different situations.


Oct 14, 2021 1:40 PM in response to Luis Sequeira1

I had an Online Personal Session with Apple to cover setup questions, and the Apple Rep said that Migration Assistant would NOT transfer 32 bit apps to the new Mac. I'm not confident that he's correct since his advice on the Multiport Adapter seemed a bit suspect.


Anyhow, I think the advice I'm getting here is cleaner. So I'll avoid the option to transfer apps, and just look to reinstall the ones I truly need.


Thanks, all!

Oct 14, 2021 7:59 AM in response to johnfkitchen

Concur on all point from Previous posting but digress somewhat.


The New MBA M1 or whatever version of M? CPU - if one will Migrate from Old to New Machine - just Migrate the User Account and nothing more.


Issue that make have existed on the Old would Migrate to New.


Further, Applications for Old to New does not mean they translate to Compatible or Functional on the Big Sur especially considering the M Chip factor.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Use of "Administrator" and "Standard" accounts questions. (Set up new Mac)

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.