Protomartyr

Level 3
Verified
I'm about to wipe and clean install Windows 10 Home on a desktop that will be shared. I am planning on having an admin account used solely for installation/setup and having standard user accounts for daily usage.

What is the proper way to go about setting this up properly? What settings will be shared among the accounts and what settings per account basis?

Any and all tips/suggestions are greatly appreciated!
 

Umbra

Level 25
Verified
There is nothing really special to do on the admin account, however:
1- I would recommend to use a local account (not a Microsoft one).
2- You may want tighten security a bit by using few registry tweaks.
- deny elevation of unsigned apps. This would prevent execution of let say 80% of ordinary malware.
- force admin to enter credentials for UAC prompts. This supposedly make the job harder for auto-elevation of malware.
3- don't use your browser on admin account, download apps (and check they are clean) on SUA then logout and install them on Admin Account.

On the other other hand, on the SUA account, setting UAC at max is an obligation.

Note than SUA was originally designed for privacy between users on shared computers (SUA is just admin account stripped of most privileges), not security unlike Linux which use real separated users accounts.

Also some tools like cleaners or process monitors are more effective on Admin Account than SUA (if not elevated), since they will get more privileges but they still work well on SUA (but you can still run them as admin anyway even on SUA).
 

oldschool

Level 42
Verified
After you've installed Windows, from Admin account go to Settings > Accounts > Family and others (I think) and you create a new local or standard user account. Follow the prompts to finish. I just tweak privacy and other settings, especially my taskbar, etc. in admin account. Then I set up browsers, OS settings, etc. on local account.

Important note: I think when setting up a new PC or upon clean install, M$ will try to force you to (or now does force you!) to use an M$ account, at least this is what I found when I set up this new laptop. They really keep the settings hidden, and even not-so-old tech site posts on setting up without M$ account are now out of date. You will find your way around those darn M$ setttings, Luke Skywalker! :D

@Umbra is correct, except one thing I think you can do only from admin account ---> changing Windows Firewall profiles, e.g from Private > Public.
 

roger_m

Level 26
Verified
Content Creator
Important note: I think when setting up a new PC or upon clean install, M$ will try to force you to (or now does force you!) to use an M$ account, at least this is what I found when I set up this new laptop.
You can still use a local account if you are not connected to the internet, or if you enter a valid account name (I usually just try a few random names until I find one that works) and enter the wrong password a few times. In either case, you are given the option to use a local account.
 

Umbra

Level 25
Verified
Important note: I think when setting up a new PC or upon clean install, M$ will try to force you to (or now does force you!) to use an M$ account, at least this is what I found when I set up this new laptop. They really keep the settings hidden, and even not-so-old tech site posts on setting up without M$ account are now out of date. You will find your way around those darn M$ setttings, Luke Skywalker! :D
or do the "forced" MS account > create a 2nd admin LOCAL account > delete original MS admin account > create SUA. :p

@Umbra is correct, except one thing I think you can do only from admin account ---> changing Windows Firewall profiles, e.g from Private > Public.
Indeed. Anything related to Windows Firewall's Advanced Settings are only via Admin Account (for obvious reasons).
 

shmu26

Level 84
Verified
Trusted
Content Creator
Use a Microsoft account if you want your settings etc to be backed up the cloud and also applied to other computers on which you make an account under the same name. It can be convenient and useful. If you are a privacy paranoid, don't do it.