Advice sought on Running XP Home SP2 as Admin or Limited User

[GSD]

I am a late convert to XP after using Win 98 for the last 7 years and am
trying to come to terms with the User Account side of things particularly
from the security aspect .My new PC was set up by my supplier with myself as
the one Admin User .
However, as I have read more I have seen advice to the effect that even as a
stand alone ,single user I should use a Limited User Account for everyday
use , particularly Internet which I do use a lot.
To try this out I have now set up a new Limited User Account but I find it
very impractical for a retired person like myself who spends quite a bit of
time using the computer for a variety of things .
As I should have expected I guess ,there are a number of programs that do
not seem to work or even do not appear on the Desktop when I switch to the
Limited User . The Microsoft Works Suite and Word keep ask me Register the
Software which I already have when installed , the Quicken finance program
tells me I have a corrupted Licence so I have to switch back to use that . I
now realize too that My CA Antivirus cannot Update from the Limited User
Account .
If I were to operate from this account most of the time I also need to set
up OE again for mail and newsgroups .

To stop rambling further my Question is mainly -what is the difference
between me just using the Admin account which allows me to do everything at
the same time and the way I successfully operated as a single user on Win 98
for 7 years appears . Is XP more insecure , I would have thought the reverse
.. I may have been fortunate but during my use of Win 98 I never had any
Virus Infections nor have I encountered Spyware for which I regularly check
using a number of the well know Tools . Not to say that it cannot happen I
realize that but I try to be pretty careful .

I am tempted to go back to using just the Admin account but perhaps there is
something I have missed in all this that could help make the Limited User
Account more usable .
I would appreciate any advice from experienced XP users .

GSD

 

[DL]

Apart from the main default admin account, set up one for day to day use
with admin privileges.
If you set a password REMEMBER it/them (It is not neccessary to set a
password on the user day to day account)

 

[darkrats]

If you are the only person who has regular access to your computer, running
it using the Admin Account is not going to cause you any problems. In fact,
on many computers I've worked on, running multiple accounts (especially when
you have kids sharing the system) is the cause of a lot of grief.

As long as you have a good firewall, good adware and good antivirus program
you should be well protected. I'd also recommend that you turn off (yes, I
know lots of MVPs will disagree) Windows Update. There are plenty of places
to go and manually download needed updates and patches. Install the latest
Cumulative Security update for Internet Explorer, and stay away (at least
until all the bugs are found) from Internet Explorer 7. Be aware that if you
have Windows Update turned on, you may get IE7 whether you want it or not.

I haven't had a virus or any kind of ad/spyware for years.

 

[GSD]

Apart from the main default admin account, set up one for day to day use
with admin privileges.
If you set a password REMEMBER it/them (It is not neccessary to set a
password on the user day to day account) --------------------------->

Thanks for the comments . I am not sure though what would be the purpose of
making the second account Admin .? I would have thought I may as well stick
to the one I already have set up under my Name .
GSD

 

[Kerry Brown]

Running as a limited user is far more secure than running as an
administrator. Most other modern OS' are normally run as a standard or
limited user. This is the main reason they are more secure than Windows XP.
Unfortunately with XP this is almost impossible for most people. It requires
a high level of skill to set things up so this will work. It's hard to know
where to place the blame for this. I believe it's a combination of things.
Many programmers started programming in DOS based versions of Windows where
all users were equal and could do anything. They never learned how to
program for security because there was no security in the OS. Microsoft
never really encouraged programmers to write programs that would work when
run as a standard user. Indeed as you have noticed many Microsoft programs
don't work unless the user is an administrator. Microsoft has seen the light
with Vista and is starting to enforce better programming.

With XP you are probably stuck running as an administrator. Make sure you
have antivirus, antispyware, and firewall programs running.

If you do want to run as a standard user then you will have to keep
switching the account back and forth between standard and administrator.
Create a second administrator account. Use this account for installing new
programs and maintenance tasks. If you install a program with the
administrator account and then have problems with the standard account you
can temporarily set the standard account as an administrator, then run the
program and let it update whatever settings it needs. Once this is done
switch the account back to a standard account. This will get most programs
running. Those that don't complain to the developer. It's sloppy programming
on their part that is the problem, not XP itself. If programs are written
properly they need administrator status for installation only.

 

[Bill]

GSD

From the sound of things you describe, it would seem that not all the
concepts of Windows multiple users has become clear to you yet.

First, don't give up!!!

Just to be clear, each user has their own desktop. So, any time you have
a multiple user machine, each user would set up their desktops to suit
themselves. You might find it easier to become accustom to XP if you
switch your desktop to "Windows Classic", (right-click the background
portion of your desktop and choose the "Desktop" tab.... you'll see what
I mean there.).

Accounts (that's what users are called) with administrator authority and
those without have equal access to programs and data. However, there
are programs that require administrator authority to be executed. For
example, Windows Installer requires administrator authority. You should
not have any trouble running application programs, such as Word,
Outlook Express or Internet Explorer. If you're having difficulties there,
it's not due to the authority level of the user account.

Your administrator account should have a password, but there's no
reason the general user, being yourself, would require one. You must
remember that any tasks that you run as "Scheduled Tasks" would
necessarily run under the authority of the administrator account, as such
tasks MUST include the authoritative password, for example: Tasks like
automatic LiveUpdate for Norton Antivirus, backup jobs and the like.

I'll stop at this point and await a reply, lest I go on and on when what
I've already offered gave rise to more questions than I already might
have answered.

Bill
California - USA

 

[GSD]

If you are the only person who has regular access to your computer,
running
it using the Admin Account is not going to cause you any problems. In
fact,
on many computers I've worked on, running multiple accounts (especially
when
you have kids sharing the system) is the cause of a lot of grief.

As long as you have a good firewall, good adware and good antivirus
program
you should be well protected. I'd also recommend that you turn off (yes, I
know lots of MVPs will disagree) Windows Update. There are plenty of
places
to go and manually download needed updates and patches. Install the latest
Cumulative Security update for Internet Explorer, and stay away (at least
until all the bugs are found) from Internet Explorer 7. Be aware that if
you
have Windows Update turned on, you may get IE7 whether you want it or not.

I haven't had a virus or any kind of ad/spyware for years.

Thanks, Yes I always run with Anti Virus , firewall and have a few Anti spy
programs and this why I cannot quite understand why running this way is any
more secure than the way I ran Win 98 . Just as an aside I have actually
downloaded and successfully installed IE7 I rather like it . A lot of the
time though I use Opera or Firefox for general browsing .

GSD

 

[GSD]

Running as a limited user is far more secure than running as an
administrator. Most other modern OS' are normally run as a standard or
limited user. This is the main reason they are more secure than Windows
XP. Unfortunately with XP this is almost impossible for most people. It
requires a high level of skill to set things up so this will work. It's
hard to know where to place the blame for this. I believe it's a
combination of things. Many programmers started programming in DOS based
versions of Windows where all users were equal and could do anything. They
never learned how to program for security because there was no security in
the OS. Microsoft never really encouraged programmers to write programs
that would work when run as a standard user. Indeed as you have noticed
many Microsoft programs don't work unless the user is an administrator.
Microsoft has seen the light with Vista and is starting to enforce better
programming.

With XP you are probably stuck running as an administrator. Make sure you
have antivirus, antispyware, and firewall programs running.

If you do want to run as a standard user then you will have to keep
switching the account back and forth between standard and administrator.
Create a second administrator account. Use this account for installing new
programs and maintenance tasks. If you install a program with the
administrator account and then have problems with the standard account you
can temporarily set the standard account as an administrator, then run the
program and let it update whatever settings it needs. Once this is done
switch the account back to a standard account. This will get most programs
running. Those that don't complain to the developer. It's sloppy
programming on their part that is the problem, not XP itself. If programs
are written properly they need administrator status for installation only.

Thanks for that Kerry , I find your comments very interesting .
What you are saying I guess is that Win 98 was not very secure but I managed
to survive it .
You are the second person to suggest creating a second Administrator account
.. Could you clarify the reason for this .

GSD

 

[GSD]

GSD

From the sound of things you describe, it would seem that not all the
concepts of Windows multiple users has become clear to you yet.

First, don't give up!!!

Just to be clear, each user has their own desktop. So, any time you have
a multiple user machine, each user would set up their desktops to suit
themselves. You might find it easier to become accustom to XP if you
switch your desktop to "Windows Classic", (right-click the background
portion of your desktop and choose the "Desktop" tab.... you'll see what
I mean there.).

Accounts (that's what users are called) with administrator authority and
those without have equal access to programs and data. However, there
are programs that require administrator authority to be executed. For
example, Windows Installer requires administrator authority. You should
not have any trouble running application programs, such as Word,
Outlook Express or Internet Explorer. If you're having difficulties there,
it's not due to the authority level of the user account.

Your administrator account should have a password, but there's no
reason the general user, being yourself, would require one. You must
remember that any tasks that you run as "Scheduled Tasks" would
necessarily run under the authority of the administrator account, as such
tasks MUST include the authoritative password, for example: Tasks like
automatic LiveUpdate for Norton Antivirus, backup jobs and the like.

I'll stop at this point and await a reply, lest I go on and on when what
I've already offered gave rise to more questions than I already might
have answered.

Bill
California - USA

Thank you Bill I am really getting some useful information resulting from my
query
You are right I am still learning about the different user accounts and
their capabilities .
I think the user accounts would be fine when used for their main purpose
that is to allow different users in the house to have their own set up .
But as a single user I really want the same set up as when I am in the Admin
Account that is already set up, if I am going to make the limited user mode
my main desktop ,otherwise it is not great value to me .
You say that the limited accounts have equal access to data but as I see it
when I am in the limited mode I cannot access the current content of My
Documents . I believe there is a way round this by putting them into shared
but again this seems a lot of messing and cluttering ,when it is just me
wanting to use them.
Outlook Express works of course but has to be set up again for mail and
resubscribe to all the same newsgroups etc. as I have under Admin as I like
to monitor these things as I work on other things . All my email message
archives are in OE on the Admin set up . I get a lot of mail from Genealogy
Lists and from family overseas and I find now if I use the Limited User
account I have to send an email to myself and open it the Admin account to
store in its correct folder . Otherwise I will have messages in 2 different
places. That's as I see it anyway. I know I can just keep swithing back and
forth but not keen on that idea .
The fact that the anti Virus does not update [normally 3 times] per day if I
spend most time in Limited mode is a worry too.

In regard to the other points you raise I have not put any password on my
Admin Account ,with just myself I could see no reason but maybe there is . I
have thought about running the Classic style but resisted so I could become
familiar with the newer XP version .

I know it seems like a lot of whinging on my part but not really just
pointing out as I see it a lot shortcomings for me to use the Limited User
account in my position . As I see it using just the Admin Account as I have
started off doing places me in the same position as I was using Win 98 all
that time with which I was comfortable . However I am listening to everyone
and learning so as I can make a judgement and maybe be convinced otherwise .

GSD

 

[Kerry Brown]

Thanks for that Kerry , I find your comments very interesting .
What you are saying I guess is that Win 98 was not very secure but I
managed to survive it .
You are the second person to suggest creating a second Administrator
account . Could you clarify the reason for this .

GSD

In some ways Windows 98 was more secure from Internet worms and hacking but
less secure from viruses and trojans.

I was talking more about security for multiple users. An OS has several
users besides the user running programs. There is a system account and a
network account which OS uses. There may be other accounts for backups and
other things. When you run as a standard user processes you run cannot
affect the other accounts and their processes giving the OS protection from
rogue processes. When you run as an administrator this protection is gone.
Rogue processes can crash, alter, or corrupt any other processes so malware
has an easy time of it. That's a very simple version of why running as a
standard user is more secure.

I was suggesting a second administrator user in the context of two users,
one standard for everyday use, and one administrator for administrator use.
It is best to have two administrator accounts, but you already have this.
The administrator account and your account which is a member of the
administrators group. You don't normally see the administrator account but
by default there is a special account called "administrator". The reason for
two administrator accounts is in case one gets corrupted you can still
logon.

 

[Bill]

GSD
Based on what you say, I would agree that there's no point in
having multiple user accounts. As long as you have a good
firewall and antivirus clients on your system in addition to
adware, you should get along just fine running your system
with a single account.

The MVP's might disagree, but you would be wise to put your
settings for Windows updates such that they are allowed to
download automatically, but that you simply be notified that
they are ready to install. THEN, look at what updates are
queued for installation and decide if you want them installed.

Make a note to yourself regarding the use of scheduled tasks,
in that your single user account MUST HAVE A PASSWORD
in order that that user account be used as the authorizing user
in running the task. Having done that, the next question is how
do you get around having to enter a password just to use your
own computer??? The answer is that you "Run"
"Control userpasswords2". That option will give you a dialog
box wherein you can specify that your primary user account
(you) is not required to enter a password. That is something
you'll want to do in the next day or so, even if you don't
expect to use scheduled tasks anytime soon.

Bill

GSD

From the sound of things you describe, it would seem that not all the
concepts of Windows multiple users has become clear to you yet.

First, don't give up!!!

Just to be clear, each user has their own desktop. So, any time you have
a multiple user machine, each user would set up their desktops to suit
themselves. You might find it easier to become accustom to XP if you
switch your desktop to "Windows Classic", (right-click the background
portion of your desktop and choose the "Desktop" tab.... you'll see what
I mean there.).

Accounts (that's what users are called) with administrator authority and
those without have equal access to programs and data. However, there
are programs that require administrator authority to be executed. For
example, Windows Installer requires administrator authority. You should
not have any trouble running application programs, such as Word,
Outlook Express or Internet Explorer. If you're having difficulties
there,
it's not due to the authority level of the user account.

Your administrator account should have a password, but there's no
reason the general user, being yourself, would require one. You must
remember that any tasks that you run as "Scheduled Tasks" would
necessarily run under the authority of the administrator account, as such
tasks MUST include the authoritative password, for example: Tasks like
automatic LiveUpdate for Norton Antivirus, backup jobs and the like.

I'll stop at this point and await a reply, lest I go on and on when what
I've already offered gave rise to more questions than I already might
have answered.

Bill
California - USA

Thank you Bill I am really getting some useful information resulting from
my query
You are right I am still learning about the different user accounts and
their capabilities .
I think the user accounts would be fine when used for their main purpose
that is to allow different users in the house to have their own set up .
But as a single user I really want the same set up as when I am in the
Admin Account that is already set up, if I am going to make the limited
user mode my main desktop ,otherwise it is not great value to me .
You say that the limited accounts have equal access to data but as I see
it when I am in the limited mode I cannot access the current content of
My Documents . I believe there is a way round this by putting them into
shared but again this seems a lot of messing and cluttering ,when it is
just me wanting to use them.
Outlook Express works of course but has to be set up again for mail and
resubscribe to all the same newsgroups etc. as I have under Admin as I
like to monitor these things as I work on other things . All my email
message archives are in OE on the Admin set up . I get a lot of mail from
Genealogy Lists and from family overseas and I find now if I use the
Limited User account I have to send an email to myself and open it the
Admin account to store in its correct folder . Otherwise I will have
messages in 2 different places. That's as I see it anyway. I know I can
just keep swithing back and forth but not keen on that idea .
The fact that the anti Virus does not update [normally 3 times] per day if
I spend most time in Limited mode is a worry too.

In regard to the other points you raise I have not put any password on my
Admin Account ,with just myself I could see no reason but maybe there is .
I have thought about running the Classic style but resisted so I could
become familiar with the newer XP version .

I know it seems like a lot of whinging on my part but not really just
pointing out as I see it a lot shortcomings for me to use the Limited
User account in my position . As I see it using just the Admin Account as
I have started off doing places me in the same position as I was using
Win 98 all that time with which I was comfortable . However I am
listening to everyone and learning so as I can make a judgement and maybe
be convinced otherwise .

GSD

 

[GSD]

In some ways Windows 98 was more secure from Internet worms and hacking
but less secure from viruses and trojans.

I was talking more about security for multiple users. An OS has several
users besides the user running programs. There is a system account and a
network account which OS uses. There may be other accounts for backups and
other things. When you run as a standard user processes you run cannot
affect the other accounts and their processes giving the OS protection
from rogue processes. When you run as an administrator this protection is
gone. Rogue processes can crash, alter, or corrupt any other processes so
malware has an easy time of it. That's a very simple version of why
running as a standard user is more secure.

I was suggesting a second administrator user in the context of two users,
one standard for everyday use, and one administrator for administrator
use. It is best to have two administrator accounts, but you already have
this. The administrator account and your account which is a member of the
administrators group. You don't normally see the administrator account but
by default there is a special account called "administrator". The reason
for two administrator accounts is in case one gets corrupted you can still
logon.

Kerry yes I think I understand what you are getting at . The security issue
concerning having multiple users is not one that I have ever been involved
in with no one else touching the computer -- I think my wife thinks
computers are evil things and wont go near it .. I can see though that using
Admin and getting some sort of malware might affect the whole computer
whereas with a limited user it is more or less confined to their files .
You still have to get rid of it though .Have I got this right??
You raised the point that has been baffling me concerning the default Admin
Account that I have read about . When I got my computer built locally they
set up the one user Admin under my name of 'Graeme" . From what you say
there is another Admin Account . I have not seen this . Is it accessible ??
Or am I using that default merely renamed to Graeme . All a bit of a mystery
to me . If I do not see it how would I use it to logon in an emergency .

Sorry to keep at this but I am really interested in learning . I do check
out Google a lot but the info does not always answer a persons specific
questions .

GSD

 

[GSD]

GSD
Based on what you say, I would agree that there's no point in
having multiple user accounts. As long as you have a good
firewall and antivirus clients on your system in addition to
adware, you should get along just fine running your system
with a single account.

The MVP's might disagree, but you would be wise to put your
settings for Windows updates such that they are allowed to
download automatically, but that you simply be notified that
they are ready to install. THEN, look at what updates are
queued for installation and decide if you want them installed.

Make a note to yourself regarding the use of scheduled tasks,
in that your single user account MUST HAVE A PASSWORD
in order that that user account be used as the authorizing user
in running the task. Having done that, the next question is how
do you get around having to enter a password just to use your
own computer??? The answer is that you "Run"
"Control userpasswords2". That option will give you a dialog
box wherein you can specify that your primary user account
(you) is not required to enter a password. That is something
you'll want to do in the next day or so, even if you don't
expect to use scheduled tasks anytime soon.

Bill

Bill , I am a little confused when you say getting along with a single
account do you mean the Admin Account by itself or the a Limited Account.
I have already set the Auto Update feature to just notify me when available
,as I am not a fan of things Automatic on my computer I like to see what is
going on first with all programmes . The only program I set on Auto download
is my Anti virus definition updater .

When you refer to Scheduled tasks what are you referring to, as I indicated
I have no scheduled tasks except for the CA Antivirus updates and I do not
think this depends upon a user account password . Everything else , all
maintenance tasks I run manually . I suppose being a retire person with time
on my hands I ca afford to do this . By the way my ADSL Modem has a NAT
Router built in which does provide greater protection as I understand
things .Thanks for your patience

GSD

 

[GSD]

The main reason for NOT using the built-in Administrator account as the
only log-in (which I presume you are advocating) is that if the account
gets corrupted, and they do, then the ONLY way into the machine is by a
repair install of XP. If the owner does NOT have a proper XP CD but a
restore CD, then that cannot be done, and the only way forward is to
restore the machine to factory settings, with attendant loss of data etc
etc.

Thanks for the reply .
To be quite honest I do not know whether I am using the built in Admin
Account or not . My supplier set it up with just the one Admin User account
using my name "Graeme" whether this is the builtin account I do not know . I
am not advocating its use I am trying to find out what is the best way to
use XP Home as a single user.
A right royal PITA.

GSD

 

[Kerry Brown]

Kerry yes I think I understand what you are getting at . The security
issue concerning having multiple users is not one that I have ever
been involved in with no one else touching the computer -- I think my
wife thinks computers are evil things and wont go near it .. I can
see though that using Admin and getting some sort of malware might
affect the whole computer whereas with a limited user it is more or
less confined to their files . You still have to get rid of it
though .Have I got this right??

Yes, you have that right.

You raised the point that has been baffling me concerning the default
Admin Account that I have read about . When I got my computer built
locally they set up the one user Admin under my name of 'Graeme" .
From what you say there is another Admin Account . I have not seen
this . Is it accessible ?? Or am I using that default merely renamed
to Graeme . All a bit of a mystery to me . If I do not see it how
would I use it to logon in an emergency .
Sorry to keep at this but I am really interested in learning . I do
check out Google a lot but the info does not always answer a persons
specific questions .

Boot into safe mode to see the "administrator" account.

http://www.microsoft.com/resources/...ll/proddocs/en-us/boot_failsafe.mspx?mfr=true

 

[Bill]

GSD,
By single account, I mean just one account with administrator
authority.
Bill

 

[GSD]

Yes, you have that right.



Boot into safe mode to see the "administrator" account.

http://www.microsoft.com/resources/...ll/proddocs/en-us/boot_failsafe.mspx?mfr=true --
Kerry
MS-MVP Windows - Shell/User
www.vistahelp.ca

Thanks again Kerry , you and others who have responded to my query have been
extremely helpful . Time for me sit down and go through all the details . I
can see that the decision as to how I run the computer is really up to me,
but now I think I am in a better position to decide and be aware of
different consequences .

GSD

 

[GSD]

Thanks Bill .
Probably that is the way I will go, but I will have a look at all the
replies that have resulted from my query and consider the different
suggestions . Everyone has been very helpful it is good to have a group like
this to be able to refer to when a problem comes up.
GSD

 

[Kerry Brown]

Thanks again Kerry , you and others who have responded to my query
have been extremely helpful . Time for me sit down and go through all
the details . I can see that the decision as to how I run the
computer is really up to me, but now I think I am in a better
position to decide and be aware of different consequences .

GSD

Except on a corporate network where the users run a limited number of
programs that are installed by a network administrator no one runs XP as a
standard user. It's too inconvenient. Make sure you have good security
programs and don't worry too much about it

Windows Vista is different. I have been running Vista as a standard user
since last June.

 

[GSD]

Except on a corporate network where the users run a limited number of
programs that are installed by a network administrator no one runs XP as a
standard user. It's too inconvenient. Make sure you have good security
programs and don't worry too much about it

Windows Vista is different. I have been running Vista as a standard user
since last June.

Thank you
GSD