Don't Use Admin Accounts for Daily Work (Here's Why)
Here’s a scenario that plays out constantly: someone clicks a bad link, malware runs, and because they were logged in as an admin, the malware has full access to everything—every file, every mailbox, every setting. The entire organization is compromised because one person’s daily account had permissions it didn’t need.
Separating admin accounts from daily accounts prevents this.
Why this matters
Admin accounts can change settings, install software, access other people’s data, and modify security controls. When you use an admin account for everyday tasks like reading email and browsing the web, every risk you encounter—every phishing link, every malicious attachment—has admin-level consequences.
A normal account limits the blast radius. If a regular user account gets compromised, the attacker can access that person’s stuff. That’s bad, but containable. If an admin account gets compromised, the attacker can access everyone’s stuff, change passwords, disable security, and cover their tracks.
What to do (30 minutes)
The basic rule
- Daily work: Use a standard (non-admin) account for email, documents, web browsing, and everything you do normally
- Admin tasks: Use a separate admin account only when you need to change settings, manage users, or do something that requires elevated permissions
- Log out of admin when you’re done with the task
In Microsoft 365
- Create a separate admin account (e.g.,
admin-yourname@company.com) - Assign the admin roles to that account
- Remove admin roles from your daily account
- Use your daily account for Outlook, Teams, and regular work
- Sign into the Microsoft 365 admin center with the admin account only when needed
In Google Workspace
- Create a separate admin account (e.g.,
admin-yourname@company.com) - Assign Super Admin or specific admin roles to that account
- Demote your daily account to a regular user
- Use a separate browser profile or incognito window for admin tasks
On your computer
- Windows: Make sure your daily login is a standard user, not a local administrator. Create a separate local admin account for installing software and changing system settings. Windows will prompt for the admin password when needed—this is called User Account Control (UAC), and it’s doing its job.
- macOS: Similar approach. Your daily account should be a standard user. Use a separate admin account when System Settings requires elevated access.
Who needs admin access?
As few people as possible.
- Two people minimum should have admin access (so you’re not locked out if one is unavailable)
- Nobody else unless their job specifically requires it
- If someone “needs admin to install a program,” install it for them from the admin account. That’s faster and safer than giving them permanent admin rights.
Common mistakes
- Everyone is an admin “because it’s easier.” It is easier—until one incident compromises every account and every file in the organization.
- Using the admin account for email. Admin accounts should not have mailboxes, or if they do, those mailboxes should never be used for daily communication. The less exposure an admin account has, the less likely it is to be phished.
- Only one admin. If that person is on vacation, leaves the company, or gets locked out, nobody can manage the system. Always have at least two.
- Never logging out of admin. If you stay logged into an admin session in your browser, any compromise of your machine gives the attacker admin access. Log out when you’re done.
Quick checklist
- Separate admin accounts created for anyone who needs admin access
- Daily accounts demoted to standard/non-admin
- At least two people have admin access
- Admin accounts have MFA enabled
- Admin accounts are not used for email or web browsing
- Team understands to request admin help instead of getting permanent admin rights
This post is part of the Minimum Security Posture series.
If you’d like a second set of eyes, I can run through this with you and point out the top risks in your setup—no pressure.