Admin Privileges

What is admin privilege separation?

Administrative privileges give a computer user a higher level of access and authorization, which is needed to perform tasks that require elevated rights.

In normal day-to-day work, administrative privileges are rarely required, and most users do not need this level of access. Users who need to perform tasks that require admin access are sometimes given this access on the account they use for non-admin work. While this is a convenient solution, it increases the risk to the security of your computer. Malware and hackers can exploit a currently logged-in admin account to change settings unexpectedly, install unwanted malicious software or steal sensitive data.

A more secure practice is to log in and work using a non-administrative account, and to use a separate admin account to elevate to higher credentials only when a legitimate need arises. This practice is called privilege separation. As an example, a user would have two accounts: "johndoe", a non-administrative local or Active Directory account, and "admin.johndoe", an administrative-level local account.

Our practice is to implement separate admin accounts for Windows PC users who use the Campus Active Directory domain (ad.ucsc.edu) and have an approved request for admin privileges.

Over time, we will establish separate admin accounts for all current users with admin privileges, on both Windows PCs and Macs.
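
One way to check a Windows PC against the johndoe / admin.johndoe split described above. This is an added example, not part of the original page or a campus tool; the function name Test-AdminSeparation, the 'admin.' prefix rule, the finding wording and the sample accounts are assumptions made for illustration.

```powershell
# Added example. The 'admin.' prefix rule and finding text are assumptions
# based on the johndoe / admin.johndoe convention; adjust to local policy.
function Test-AdminSeparation {
    param(
        [Parameter(Mandatory)] [object[]] $Members,     # Administrators group members
        [Parameter(Mandatory)] [string]   $SessionUser  # account used for daily work
    )
    foreach ($m in $Members) {
        if ($m.ObjectClass -ne 'User') { continue }     # nested groups need separate review
        $account = ($m.Name -split '\\')[-1]            # drop the "HOST\" or "DOMAIN\" part
        $source  = [string]$m.PrincipalSource
        $issue   = $null
        if ($m.Name -eq $SessionUser) {
            $issue = 'daily-work account holds admin rights'
        } elseif ($source -ne 'Local') {
            $issue = 'admin account is not a local account'
        } elseif ($account -notlike 'admin.*' -and [string]$m.SID -notlike '*-500') {
            # RID 500 is the built-in Administrator, which predates the convention
            $issue = 'local admin account is not named admin.<user>'
        }
        if ($issue) {
            [pscustomobject]@{ Account = $m.Name; Source = $source; Issue = $issue }
        }
    }
}

# Constructed sample shaped like Get-LocalGroupMember output (not real accounts).
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator'; SID = 'S-1-5-21-1-2-3-500';  PrincipalSource = 'Local';           ObjectClass = 'User' }
    [pscustomobject]@{ Name = 'PC01\admin.johndoe'; SID = 'S-1-5-21-1-2-3-1001'; PrincipalSource = 'Local';           ObjectClass = 'User' }
    [pscustomobject]@{ Name = 'PC01\setup';         SID = 'S-1-5-21-1-2-3-1002'; PrincipalSource = 'Local';           ObjectClass = 'User' }
    [pscustomobject]@{ Name = 'AD\johndoe';         SID = 'S-1-5-21-9-8-7-4101'; PrincipalSource = 'ActiveDirectory'; ObjectClass = 'User' }
    [pscustomobject]@{ Name = 'AD\janeroe';         SID = 'S-1-5-21-9-8-7-4102'; PrincipalSource = 'ActiveDirectory'; ObjectClass = 'User' }
    [pscustomobject]@{ Name = 'AD\Domain Admins';   SID = 'S-1-5-21-9-8-7-512';  PrincipalSource = 'ActiveDirectory'; ObjectClass = 'Group' }
)

# Flags PC01\setup (naming), AD\johndoe (daily-work admin) and AD\janeroe (not local).
Test-AdminSeparation -Members $sample -SessionUser 'AD\johndoe' | Format-Table -AutoSize

# On a live PC, replace the sample with:
#   $members = Get-LocalGroupMember -SID 'S-1-5-32-544'   # built-in Administrators
#   Test-AdminSeparation -Members $members -SessionUser "$env:USERDOMAIN\$env:USERNAME"
```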


How to elevate privileges on Windows

A user logs in to their PC with their johndoe account and proceeds to work. If at any time the user requires administrative privileges, they:

  • right-click on the icon that needs to be run, such as a software installer or system utility
  • select 'Run as Administrator' and enter their administrative credentials. This will elevate the privileges only for the specific task being run. 

An example of running a software installer using administrative rights:

[Image: Run as Administrator]

Right-clicking on the icon of the software installer shows the option to 'Run as administrator'.

When prompted, enter your administrative credentials.

[Image: UAC Admin Prompt]

NOTE: It is necessary to enter .\ in front of your admin name.

Doing so lets the system know that your administrative account is local and not an Active Directory account.

 

How to elevate privileges on Mac

On Macs, when something requires administrative-level access, the system asks for it on an as-needed basis.

In the following example, we'll unlock the System Preferences pane for Printers & Scanners in order to make changes.

[Image: Mac lock]

When prompted, enter your administrative credentials.

[Image: Mac Admin Auth]

NOTE: It is not necessary to add .\ before the administrative name on the Mac.