Good practices for setting up admin and user accounts on WinXP Pro

[Guest]

First, I'll confess: I've used a Win XP Pro PC with just one administrator
account, and have used the admin account for everyday use. Bad practice, I
admit. I want to stop doing that, and have *finally* gotten around to
reading up on configuring user accounts. I read through 'Local Users and
Groups overview,' at

http://www.microsoft.com/resources/.../proddocs/en-us/lsm_overview_01.mspx?mfr=true

and have the appropriate snap-in installed in MMC.

This is how I think it's supposed to be done, for configuring a new Win XP
Pro machine for single user use. PLEASE CORRECT ME IF I'M WRONG! That's why
I'm posting:

Strategy #1
-------------

1. Create Administrator account.

2. Get all Windows Updates and install all software as Administrator.

3. Create Everyday User account and use it for everything else.

4. Save all document files in a Everyday User's subdirectory of Documents
and Settings. Don't scatter them around the hard disk, if possible.

5. Log-in as administrator only to install/remove software, and other
essential administrative tasks. Nothing else.

In experimentation so far, however, Norton anti-virus seems pretty confused
to have a new user introduced on my system. When I log in as the new user,
it reports that I have to be an administrator to complete configuration.

Which leads me to wonder if I should take another approach:

Strategy #2
--------------

1. Create Administrator account and get all Windows Updates as
administrator.

2. Create Everyday User account.

3. Put Everyday User account in the Power Users group using the MMC snap
in, to allow it to install software.

4. Install all software as Everyday User. This will provide a measure of
security, as Everyday User won't have administrator rights -- and also will
allow all software to be installed the first time the way I want it to be
installed on the system.

This is new to me, so I'm sorry if I show any obvious blundering or
misunderstanding. I admit, I should have done this a long time ago -- as in,
when I first got the PC!

 

[Harry Johnston]

This is how I think it's supposed to be done, for configuring a new Win XP
Pro machine for single user use. PLEASE CORRECT ME IF I'M WRONG!

Strategy #1 is basically correct. However, you may need to add another point:

6. Get rid of Norton anti-virus.

You may be able to solve the specific problem you're having by making your user
account administrative temporarily. However I seem to recall I eventually had
to edit the registry by hand to fix it. Try contacting Norton support and see
if they can advise you. (Yeah, right - good luck with that!)

Norton really is bad software. I'll admit I'm still using it myself because I
don't want to spend any more money at this point, but once the subscription
lapses I'll be looking around. I wouldn't recommend McAfee either. Someone
else may be able to suggest an alternative.

As for Strategy #2:

3. Put Everyday User account in the Power Users group using the MMC snap
in, to allow it to install software.

Some people do do this, basically out of desperation with the state of software
out there, but it isn't ideal. It isn't usually hard for a Power User to break
into the system and gain the same access as an Administrator. Admittedly I
haven't heard of any malware that actually tries to do this, so unless you
attract the personal attention of a hacker you might be OK.

Personally I take the (small) risk of using my admin account (not the same as
the built in Administrator account) for running certain game software which
won't work as Limited User. Of course this should only be done when the network
is disconnected.

Harry.

 

[Jim]

First, I'll confess: I've used a Win XP Pro PC with just one
administrator
account, and have used the admin account for everyday use. Bad practice,
I
admit. I want to stop doing that, and have *finally* gotten around to
reading up on configuring user accounts. I read through 'Local Users
and
Groups overview,' at

http://www.microsoft.com/resources/.../proddocs/en-us/lsm_overview_01.mspx?mfr=true

and have the appropriate snap-in installed in MMC.

This is how I think it's supposed to be done, for configuring a new Win XP
Pro machine for single user use. PLEASE CORRECT ME IF I'M WRONG! That's
why
I'm posting:

Strategy #1

No. Create an account which is a member of the administrators group. The
default installation provides an account called "administrator".

2. Get all Windows Updates and install all software as Administrator. OK with the proviso above.

3. Create Everyday User account and use it for everything else. OK

4. Save all document files in a Everyday User's subdirectory of
Documents
and Settings. Don't scatter them around the hard disk, if possible. OK

5. Log-in as administrator only to install/remove software, and other
essential administrative tasks. Nothing else.

Add this:
6. Rename the built in administrator account to something else. Add a
password to this account.
7. Rename the built in Guest account to something else. Add a password to
this account.

In experimentation so far, however, Norton anti-virus seems pretty
confused
to have a new user introduced on my system. When I log in as the new
user,
it reports that I have to be an administrator to complete configuration.

No, it isn't confused at all. Unless you install it using an account with
administrator rights, the installation will fail.

Which leads me to wonder if I should take another approach:

Strategy #2
--------------

1. Create Administrator account and get all Windows Updates as
administrator. No

2. Create Everyday User account.

3. Put Everyday User account in the Power Users group using the MMC snap
in, to allow it to install software. No.

4. Install all software as Everyday User. This will provide a measure of
security, as Everyday User won't have administrator rights -- and also
will
allow all software to be installed the first time the way I want it to be
installed on the system

No. You may not be able to install most software without administrator
rights..
You need to add the same steps that I mentioned above.

This is new to me, so I'm sorry if I show any obvious blundering or
misunderstanding. I admit, I should have done this a long time ago -- as
in,
when I first got the PC!

There aren't very many of us who didn't attend the school of hard knocks.
Jim

 

[Harry Johnston]

No, it isn't confused at all. Unless you install it using an account with
administrator rights, the installation will fail.

You misunderstand the problem. Norton is already installed and working, but
every time a user who doesn't have administrative access logs in it generates an
error message. Lousy programming, huh?

Harry.

 

[Guest]

Let me reiterate the key point:

1. Remove Norton Antivirus.

You'll be glad you did, for other reasons too. Get AVG, Avira, Sophos,
Kaspersky or whatever. Avoid: Norton, McAfee, Panda.

As for setting-up a PC, I normally create two accounts, Administrator and
User. (literally User, not the user's name) I give them both passwords.

If I don't want to logon manually I use 'control userpasswords2' to create
an autologon. I still allocate passwords though, as they are important to
share security. I also allocate a password to the Guest account. This makes
Simple Sharing password-protected, if it's active.

Tip: Setting passwords is easiest from the commandline, with:
net user {username} {password}

In general -having learned from bitter experience- I try to avoid creating
anything on a computer (other than perhaps an email account) that's named
after a person. If you do so, you just create a proverbial stick for your own
back when the user leaves (or marries!)

As to whether the standard account should be limited, your call. On Linux
that works quite well, on a non-domainmember Windows PC it can be
troublesome.

Main issue is that if you logon as Admin to install software, all settings
are lost when you change back to Everday User, so you virtually have to
repeat the config process a second time. A limited account also legislates
against your using remote-access methods to maintain the PC, since a change
of user kicks the remote session off.

 

[Guest]

Thanks to everyone who responded to this thread. I opted for another
anti-virus program, and that made a big difference -- no more problems with
shutdown.

But, I still haven't quite gotten the hang of user accounts, and had better
post my question in another thread. (I'm a slow learner sometimes <g> )