Lesson 6.6 — Administrator accounts: separate admin accounts, privileged access and special access removal
This lesson helps the learner understand how Cyber Essentials treats administrator accounts and other special access privileges.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- identify administrator and privileged accounts
- distinguish daily-use accounts from administrator accounts
- explain why privileged access must be limited
- review local administrator rights and cloud/SaaS administrator roles
- control supplier administrator access
- collect evidence of how administrative privileges are assigned and approved
Why This Matters
This lesson explains why administrator accounts are higher risk, why administrative activities should be carried out using separate accounts, why administrator accounts should not be used for ordinary daily work, and how to remove or disable privileged access when it is no longer required.
The most common problems are:
- using administrator accounts for daily work;
- allowing admin accounts to receive email or browse the web unnecessarily;
- giving users local admin rights by default;
- using one shared admin account.
The Core Rule
Administrator accounts and special access privileges are higher risk because they can make significant changes or access sensitive data.
Cyber Essentials expects administrative activities to be performed using separate accounts.
What the CE Assessor Looks For
A strong position shows:
- administrator and special access accounts are identified;
- admin access is approved before it is granted;
- standard users do not have local admin rights by default;
- administrators use separate admin accounts;
- admin accounts are not used for daily email or web browsing;
- admin accounts use MFA where available.
Common Mistakes
- using administrator accounts for daily work;
- allowing admin accounts to receive email or browse the web unnecessarily;
- giving users local admin rights by default;
- using one shared admin account;
- giving global admin where a smaller role would work;
- forgetting SaaS administrator roles.
Copy This
Keep this rule visible:
Admin access should be limited, protected, used only when needed, and removed when it is no longer required.
Quick Checklist
Before moving on, make sure you can say yes to these:
- [ ] Why are administrator accounts higher risk than standard accounts?
- [ ] What does Cyber Essentials expect for administrative activities?
- [ ] Why should administrator accounts not be used for daily work?
- [ ] What is least privilege for administrators?
- [ ] Why are local administrator rights on user devices a risk?
Your Action
Do this now — it takes 10–20 minutes.
List all administrator accounts across your systems. For each, confirm there is a named owner and a documented business reason. Add to Section UAC.
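As an added example (not part of this lesson or of the Cyber Essentials scheme), the script below reconciles a list of discovered administrator accounts against an approval register and flags what the review record still needs to resolve: missing owner or business reason, no MFA, admin accounts used for daily work, generic shared names, global admin roles to justify, and supplier accounts. All systems, account names, domains and register fields are constructed sample data.

```python
"""Reconcile discovered admin accounts against an approval register (example)."""

# Constructed sample data; replace with your own inventory and register.
ORG_DOMAIN = "example.com"

DISCOVERED_ADMINS = [
    {"system": "laptop-01", "account": "jsmith", "role": "Local Administrator"},
    {"system": "laptop-02", "account": "admin", "role": "Local Administrator"},
    {"system": "m365", "account": "it-admin@example.com", "role": "Global Administrator"},
    {"system": "m365", "account": "jsmith-adm@example.com", "role": "Exchange Administrator"},
    {"system": "crm-saas", "account": "support@vendor.example", "role": "Administrator"},
]

# Approval register keyed by (system, account): named owner, business reason, MFA, usage.
REGISTER = {
    ("m365", "jsmith-adm@example.com"):
        {"owner": "J. Smith", "reason": "Exchange admin", "mfa": True, "daily_use": False},
    ("m365", "it-admin@example.com"):
        {"owner": "IT team", "reason": "Tenant admin", "mfa": True, "daily_use": True},
    ("laptop-02", "admin"):
        {"owner": "", "reason": "", "mfa": False, "daily_use": False},
}

GENERIC_NAMES = {"admin", "administrator", "root", "it-admin"}  # likely shared accounts


def review_admin_accounts(discovered, register, org_domain=ORG_DOMAIN):
    """Return (system, account, finding) tuples for the admin access review record."""
    findings = []
    for entry in discovered:
        system, account, role = entry["system"], entry["account"], entry["role"]
        record = register.get((system, account))
        if record is None:
            findings.append((system, account, "no approval record"))
        else:
            if not record["owner"]:
                findings.append((system, account, "no named owner"))
            if not record["reason"]:
                findings.append((system, account, "no documented business reason"))
            if not record["mfa"]:
                findings.append((system, account, "MFA not enabled"))
            if record["daily_use"]:
                findings.append((system, account, "admin account used for daily work"))
        if account.split("@")[0].lower() in GENERIC_NAMES:
            findings.append((system, account, "generic name, possibly shared"))
        if role == "Global Administrator":
            findings.append((system, account, "global admin: confirm a smaller role would not do"))
        if "@" in account and not account.lower().endswith("@" + org_domain):
            findings.append((system, account, "supplier/external account: confirm access is controlled"))
    return findings


if __name__ == "__main__":
    for system, account, finding in review_admin_accounts(DISCOVERED_ADMINS, REGISTER):
        print(f"{system:10} {account:28} {finding}")
```

Each finding maps to one line of the workbook review record; an account with no findings is the evidence the assessor is looking for.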
Key Takeaway
Admin access should be limited, protected, used only when needed, and removed when it is no longer required.
Your Workbook Activity
Complete: Administrator and privileged access review record
Next Lesson
In the next lesson: Final user access control review: account evidence, access reviews and common failures