Essential Eight · Control 05 of 08

Restrict administrative privileges

Making sure only the people who need admin rights have them, and only when they need them.

Why this control matters

An attacker who compromises a regular user can encrypt that user's files. An attacker who compromises an administrator can encrypt the organisation. Keeping the admin count small, named, and logged is the single biggest multiplier of containment after application control.

The three maturity levels

Restrict administrative privileges at Essential Eight ML1, ML2 and ML3.

These are the published ACSC requirements for this specific control at each maturity level. Your overall Essential Eight maturity is scored against your weakest control, not averaged, so a gap here pulls down the whole score.

ML1 The 2026 baseline

Requests for privileged access are validated when first made. Privileged users use separate privileged and unprivileged operating environments, and unprivileged accounts can't log on to privileged environments. Privileged accounts (other than privileged service accounts) can't access the internet, email or web services.

ML2 Regulated or under audit

Privileged access is automatically disabled after 12 months unless revalidated, and after 45 days of inactivity. Secure admin workstations are used for privileged tasks. Credentials for break-glass, local administrator and service accounts are long, unique, unpredictable and managed. Privileged access events, and privileged account and group management events, are logged centrally, and the logs are protected from unauthorised modification and deletion.

ML3 Defence or sensitive

Privileged access is limited to only what each user or service needs for their duties. Just-in-time administration is used for administering systems and applications. Memory integrity, LSA protection, Credential Guard and Remote Credential Guard are enabled on Windows hosts.

Not sure which level you should aim for?

The three-question picker on the Essential Eight hub will point you at the right target based on your regulatory position and the kind of data you hold.

Take the maturity picker

How we run it

The way CCP implements restrict administrative privileges for clients.

We bring the admin account count down to the minimum named individuals who demonstrably need it, separate admin accounts from day-to-day accounts (so daily work doesn't risk the keys to the kingdom), and implement just-in-time elevation for cloud services. Privileged accounts don't access email or browse the web. All privileged activity is logged centrally and reviewed.
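The ML1 and ML2 rules above, and the account reduction described in "How we run it", boil down to a repeatable review of whoever currently holds privileged group membership. The following is an added Python example, not CCP's tooling and not ACSC-published code, that runs that review over a constructed export of privileged accounts. The field names (`has_mailbox`, `internet_allowed`, `last_validated` and so on) and the four sample accounts are assumptions for illustration; in practice they would be joined from a directory export and a proxy or mail policy. The thresholds come from the ML2 requirement text (12 months without revalidation, 45 days of inactivity), and the email/internet rule excludes service accounts as ML1 does.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Review date for the constructed sample below (an assumption, not a real audit).
TODAY = date(2026, 3, 1)

# ML2 thresholds: disable after 12 months unrevalidated, or 45 days inactive.
REVALIDATION_DAYS = 365
INACTIVITY_DAYS = 45


@dataclass
class PrivilegedAccount:
    """One row of a privileged-group membership export (field names are assumed)."""
    sam: str                         # account name
    holder: str                      # the named person (or system) responsible
    groups: tuple                    # privileged groups the account sits in
    last_logon: Optional[date]       # None = never logged on
    last_validated: Optional[date]   # None = access never (re)validated
    has_mailbox: bool                # mailbox-enabled = reachable by phishing
    internet_allowed: bool           # proxy/firewall policy lets it browse
    is_service_account: bool = False
    is_daily_account: bool = False   # the same account is used for day-to-day work


@dataclass
class Finding:
    sam: str
    level: str       # maturity level whose requirement is missed
    issue: str
    disable: bool    # True when the requirement says the access must be disabled


def _older_than(when: Optional[date], days: int, today: date) -> bool:
    return when is None or (today - when).days > days


def review(accounts: List[PrivilegedAccount], today: date) -> List[Finding]:
    """Apply the ML1/ML2 privileged-account rules to each account."""
    findings: List[Finding] = []
    for a in accounts:
        if a.is_daily_account:
            findings.append(Finding(a.sam, "ML1", "privileged account also used for daily work", False))
        if not a.is_service_account:
            if a.has_mailbox:
                findings.append(Finding(a.sam, "ML1", "privileged account has a mailbox", False))
            if a.internet_allowed:
                findings.append(Finding(a.sam, "ML1", "privileged account can reach the internet", False))
        if _older_than(a.last_validated, REVALIDATION_DAYS, today):
            findings.append(Finding(a.sam, "ML2", "not revalidated in the last 12 months", True))
        if _older_than(a.last_logon, INACTIVITY_DAYS, today):
            findings.append(Finding(a.sam, "ML2", "inactive for more than 45 days", True))
    return findings


def to_disable(findings: List[Finding]) -> List[str]:
    """Accounts the ML2 rules say must be disabled now."""
    return sorted({f.sam for f in findings if f.disable})


def named_holders(accounts: List[PrivilegedAccount]) -> List[str]:
    """The 'named individuals' list: every human who holds privileged access."""
    return sorted({a.holder for a in accounts if not a.is_service_account})


def sample_accounts() -> List[PrivilegedAccount]:
    """Constructed export: one clean admin, one admin-as-daily account,
    one stale contractor account and one service account."""
    return [
        PrivilegedAccount("adm-jsmith", "J. Smith", ("Domain Admins",),
                          date(2026, 2, 20), date(2025, 9, 1), False, False),
        PrivilegedAccount("jsmith", "J. Smith", ("Domain Admins",),
                          date(2026, 2, 28), None, True, True, is_daily_account=True),
        PrivilegedAccount("adm-contractor", "Contractor X", ("Server Operators",),
                          date(2025, 11, 1), date(2024, 12, 1), False, False),
        PrivilegedAccount("svc-backup", "backup system", ("Backup Operators",),
                          date(2026, 2, 28), date(2025, 10, 1), False, True,
                          is_service_account=True),
    ]


def run_review() -> List[Finding]:
    return review(sample_accounts(), TODAY)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.level} {f.sam:15} {f.issue}{'  -> disable' if f.disable else ''}")
    print("disable now:", to_disable(run_review()))
    print("named holders:", named_holders(sample_accounts()))
```

Run as-is the script reports six findings: the daily-use admin account fails three ML1 rules and has never been validated, and the contractor account is both stale and unrevalidated, so both go on the disable list while the separated `adm-jsmith` account and the service account pass. The same function can be pointed at a real export once the columns are mapped to the dataclass fields.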

Free self-assessment

No email required.

Score yourself on all eight controls, get a branded PDF.

Eight questions, your estimated Essential Eight maturity level, and a branded PDF report you can share with your board, insurer, broker or auditor. Runs entirely in your browser. Nothing is sent to us unless you choose to book a call.

Take the self-assessment

Common questions

What people actually ask about restrict administrative privileges.

Do I still need admin on my own laptop?
Almost never. The one or two things you do each quarter that need admin (install a specific tool, run a specific command) are better handled via a helpdesk request or a scoped elevation, not by running as admin all day. The goal isn't to be obstructive; it's to remove the attacker's easiest route to total compromise, which is a user running as admin getting phished.
What about our IT person? Don't they need admin everywhere?
They need privileged access, but the ACSC-correct way is a separate named admin account (not their daily account), usable only from a secure admin workstation, with MFA, and with every action logged. Running daily work from an admin account is the control gap we see most often and the one that turns a small compromise into a catastrophic one.
How fast is just-in-time elevation?
With our tooling, roughly 30 seconds for an emergency request approved by another admin. Scheduled elevations for planned work are instant. It's an operational step, not a bottleneck.

These ML1 / ML2 / ML3 summaries distil the ACSC's published Essential Eight Maturity Model. For the full, authoritative text, see the ACSC Essential Eight Maturity Model.

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.

See if we're a fit