On a computer, what are administrators and administrative rights?

An administrator is a local account or a local security group with complete and unrestricted access to create, delete, and modify files, folders, and settings on a particular computer. This is in contrast to other types of user accounts that have been granted only specific permissions and levels of access. An administrator account is used to make systemwide changes to the computer, such as:

Creating or deleting user accounts on the computer
Creating account passwords for other users on the computer
Changing others' account names, pictures, passwords, and types

Administrative rights are permissions granted by administrators to users allowing them to make such changes. Without administrative rights, you cannot perform many such system modifications, including installing software or changing network settings. For more, see At IU, why do I need to know the administrator account on my computer?

You need to know the administrative password to your computer; otherwise, you won't be able to modify files and settings, install programs, or fix problems.

Windows

In Windows NT, 2000, XP, and Vista, the account named "Administrator" has all possible rights, as does everyone in the Administrator local security group. Normal users have some minor administrative rights (e.g., they can modify anything in their home directories), but rights that affect the computer as a whole are normally withheld. (Earlier versions of Windows had no privileged or unprivileged accounts; any user could modify anything on the computer.)

Computer administrators cannot change computer administrator accounts to a less-privileged type unless there is at least one other user with a computer administrator account type on that computer. This ensures that there is always at least one user with administrative rights.

Ideally, the computer administrator account should be used only to:

Install, upgrade, repair, or back up the operating system and components
Install service packs (SPs)
Configure critical operating system parameters (e.g., password policy, access control, audit policy, kernel mode driver configuration)
Take ownership of files that have become inaccessible

Note: At Indiana University, the University Information Security Office (UISO) recommends that you normally refrain from running your Windows computer as an administrator. For more, see What is the principle of least privilege?

Unix, Linux, BSD, Solaris, and Mac OS X

Unix computers and Unix-based operating systems typically have one unrestricted account, normally called "root" or the "superuser". The root user has full access to all files and directories on a Unix system and many low-level tasks must run as root. In addition to the root user, some Unix implementations have a group of administrative users, sometimes called the "wheel" group. Administrator accounts do not have full access to the operating system, but they can escalate their status to root to perform certain tasks.

Because the root user has such unrestricted access to the computer, administrators typically do not log into it or operate as root continuously. Instead, they assume root-level access using the sudo command. At a command prompt, permitted users can enter sudo and their password, and then execute the command they normally don't have access to. Alternatively, if administrators need to operate for a period of time with root privileges, at a command prompt they can enter sudo -s and their password, and then function as root within the terminal window for as long as they need to.

Normal users on a Unix system do not have access to sudo and cannot perform system-related tasks. However, they still have the ability to install some software and customize their environment. Each user has a home directory where he or she can save documents, install programs, and maintain personal preferences.

Also see:

This is document aorq in domain all.
Last modified on June 27, 2008.

Please tell us, did you find the answer to your question?