Why not use regular Administrator Account?

Discussion in 'Windows XP General' started by Don J, Oct 23, 2007.

  1. Don J

    Don J Guest

    I've yet to see a good explanation of how to avoid using the predefined
    Administrator Account as the Regular Administrator Account during normal
    operation. What is the difference between the regular Administrator Account
    and one that you have defined for the purpose. In particular can roles be
    reversed? Can a new Account be defined and used as the hidden Account, and
    the original Account be used as the operating account. If the answer to
    this question is no, what is the reason?

    Don J

    ----------------------------------------------------------------------------------------------------------
     
    Don J, Oct 23, 2007
    #1

  2. Don J

    JS Guest

    Think of the built in Admin account as your back door (safety net), and your
    personal account (Admin privileges) as your every day account. Should your
    personal account get hosed that back door may be the only way into Windows.

    JS

    "Don J" <> wrote in message
    news:...
    > I've yet to see a good explanation of how to avoid using the predefined
    > Administrator Account as the Regular Administrator Account during normal
    > operation. What is the difference between the regular Administrator
    > Account
    > and one that you have defined for the purpose. In particular can roles be
    > reversed? Can a new Account be defined and used as the hidden Account,
    > and
    > the original Account be used as the operating account. If the answer to
    > this question is no, what is the reason?
    >
    > Don
    > J
    >
    > ----------------------------------------------------------------------------------------------------------
    >
    >
    >
     
    JS, Oct 23, 2007
    #2

  3. Don J

    Don J Guest

    Why can't the roles be reversed?

    Don J

    ------------------------------------------------------------------------
    "JS" <@> wrote in message news:...
    > Think of the built in Admin account as your back door (safety net), and
    > your personal account (Admin privileges) as your every day account. Should
    > your personal account get hosed that back door may be the only way into
    > Windows.
    >
    > JS
    >
    > "Don J" <> wrote in message
    > news:...
    >> I've yet to see a good explanation of how to avoid using the predefined
    >> Administrator Account as the Regular Administrator Account during normal
    >> operation. What is the difference between the regular Administrator
    >> Account
    >> and one that you have defined for the purpose. In particular can roles
    >> be
    >> reversed? Can a new Account be defined and used as the hidden Account,
    >> and
    >> the original Account be used as the operating account. If the answer to
    >> this question is no, what is the reason?
    >>
    >> Don
    >> J
    >>
    >> ----------------------------------------------------------------------------------------------------------
    >>
    >>
    >>

    >
    >
     
    Don J, Oct 23, 2007
    #3
  4. Don J wrote:
    > Why can't the roles be reversed?


    JS wrote:
    > Think of the built in Admin account as your back door (safety
    > net), and your personal account (Admin privileges) as your every
    > day account. Should your personal account get hosed that back door
    > may be the only way into Windows.


    Don J wrote:
    > I've yet to see a good explanation of how to avoid using the
    > predefined Administrator Account as the Regular Administrator
    > Account during normal operation. What is the difference between
    > the regular Administrator Account and one that you have
    > defined for the purpose. In particular can
    > roles be reversed? Can a new Account be defined and used as
    > the hidden Account, and the original Account be used as the
    > operating account. If the answer to this question is no, what
    > is the reason?


    First - what is the purpose?
    Some sort of 'security by obscurity'? Unwise IMHO...

    No matter the reasoning - where did you get that it 'could not be done'?
    You can disable the built in administrator and create as many other
    administrators on a Windows XP system as you desire.

    How to disable the Local Administrator account in Windows
    http://support.microsoft.com/kb/281140

    The warning there says a bunch...
    ------
    Note Before you disable the local Administrator account, make sure that
    there is at least one other local or network user who can gain access to the
    computer with administrator permissions. Otherwise, you will not be able to
    reverse this action in the future.
    ------

    Your original question should have had nothing to do with how to avoid using
    the built-in account - it should be, essentially (and paraphrasing) - why is
    it unwise to run as an administrator all the time and/or have only a single
    user with administrative rights that you use for daily activity? The answer
    is simple - you are apt to make a foolish/unwise decision and with that much
    power on the machine - you can pretty much turn a small 'shouldn't have
    clicked on that' to a complete format and install anew in a matter of
    minutes. Not fun, not worth it.

    Sure - you could say 'I keep good backups' or 'I have an image of my
    machine' or whatever method you plan on reversing it - but while you are
    doing that, someone with more than one administrative account with good
    password and security built in will be fixed and running while you are
    restoring and hoping you haven't lost too much.

    As for the account being 'hidden' - only if you are utilizing Windows XP
    Home Edition. Even then it is not really hidden - just more difficult for
    the normal Windows user to get to and utilize than in the professional
    version of the same OS (and all supersets of that.)

    Now - what would REALLY be unwise is to have ONLY one account and use that
    lone account with administrative powers (would pretty much have to have
    these rights - given it is the ONLY user account) on a daily basis. After
    all - if something gets corrupted - what account are you logging in as in
    order to repair things? Sure - you can do the recovery console, you could
    do a repair install, you could boot from a Windows XP BartPE CD and erase
    the account's profile directory (or rename it) so a new profile is made at
    the next logon - but that still puts all your eggs in one basket.

    --
    Shenan Stanley
    MS-MVP
    --
    How To Ask Questions The Smart Way
    http://www.catb.org/~esr/faqs/smart-questions.html
     
    Shenan Stanley, Oct 23, 2007
    #4
  5. Don J

    smlunatick Guest

    On Oct 22, 8:35 pm, "Don J" <> wrote:
    > Why can't the roles be reversed?
    >
    > Don J
    >
    > ------------------------------------------------------------------------
    >
    >
    >
    > "JS" <@> wrote in message news:...
    > > Think of the built in Admin account as your back door (safety net), and
    > > your personal account (Admin privileges) as your every day account. Should
    > > your personal account get hosed that back door may be the only way into
    > > Windows.

    >
    > > JS

    >
    > > "Don J" <> wrote in message
    > >news:...
    > >> I've yet to see a good explanation of how to avoid using the predefined
    > >> Administrator Account as the Regular Administrator Account during normal
    > >> operation. What is the difference between the regular Administrator
    > >> Account
    > >> and one that you have defined for the purpose. In particular can roles
    > >> be
    > >> reversed? Can a new Account be defined and used as the hidden Account,
    > >> and
    > >> the original Account be used as the operating account. If the answer to
    > >> this question is no, what is the reason?

    >
    > >> Don
    > >> J

    >
    > >> ----------------------------------------------------------------------------------------------------------

    >


    The "Administrator" account is the default account that XP creates (as
    with Windows NT and 2000.) Depending on how you create your general
    day to day user account, you might not:

    1) Be able to access the "administrator" account data files

    2) Be able to create new user accounts

    3) Reset passwords


    XP Home does not let you use the "Administrator" account directly.
    And during creating new user account, the "administrator" account
    creating the new user account can define this new account as a
    different type of account than "administrator" type.
     
    smlunatick, Oct 23, 2007
    #5
  6. Don J

    Don J Guest

    I don't understand your last paragraph. In particular I've been using the
    Administrator Account as my normal day to day account, in XP Home, for about
    a year. What do you mean by "XP Home does not allow you to use the
    'Administrator' account directly"?

    And what do you mean by "creating the new user account can define this new
    account as a different type of account than administrator type."? How does
    it get changed?

    Don J

    -----------------------------------------------------------------------------------------
    "smlunatick" <> wrote in message
    news:...
    On Oct 22, 8:35 pm, "Don J" <> wrote:
    > Why can't the roles be reversed?
    >
    > Don J
    >
    > ------------------------------------------------------------------------
    >
    >
    >
    > "JS" <@> wrote in message news:...
    > > Think of the built in Admin account as your back door (safety net), and
    > > your personal account (Admin privileges) as your every day account.
    > > Should
    > > your personal account get hosed that back door may be the only way into
    > > Windows.

    >
    > > JS

    >
    > > "Don J" <> wrote in message
    > >news:...
    > >> I've yet to see a good explanation of how to avoid using the predefined
    > >> Administrator Account as the Regular Administrator Account during normal
    > >> operation. What is the difference between the regular Administrator
    > >> Account
    > >> and one that you have defined for the purpose. In particular can roles
    > >> be
    > >> reversed? Can a new Account be defined and used as the hidden Account,
    > >> and
    > >> the original Account be used as the operating account. If the answer
    > >> to
    > >> this question is no, what is the reason?

    >
    > >>
    > >> Don
    > >> J

    >
    > >> ----------------------------------------------------------------------------------------------------------

    >


    The "Administrator" account is the default account that XP creates (as
    with Windows NT and 2000.) Depending on how you create your general
    day to day user account, you might not:

    1) Be able to access the "administrator" account data files

    2) Be able to create new user accounts

    3) Reset passwords


    XP Home does not let you use the "Administrator" account directly.
    And during creating new user account, the "administrator" account
    creating the new user account can define this new account as a
    different type of account than "administrator" type.
     
    Don J, Oct 23, 2007
    #6
  7. Don J

    Jim Guest

    "Don J" <> wrote in message
    news:...
    > I've yet to see a good explanation of how to avoid using the predefined
    > Administrator Account as the Regular Administrator Account during normal
    > operation. What is the difference between the regular Administrator
    > Account
    > and one that you have defined for the purpose. In particular can roles be
    > reversed? Can a new Account be defined and used as the hidden Account,
    > and
    > the original Account be used as the operating account. If the answer to
    > this question is no, what is the reason?
    >
    > Don
    > J
    >
    > ----------------------------------------------------------------------------------------------------------
    >
    >
    >

    All members of the administrators group are equal. Thus it is easy to
    create an account that is the full equal of the built in administrator. The
    best practice is to rename the administrator account to something else; this
    is a form of security by obscurity. You then create an account for your own
    use which is a member of the administrators group. You use this account for
    all tasks which need the power of the administrator.

    Doing this serves two goals.

    In the first place, it is harder for malware to login as the administrator
    if that account has been renamed and is disabled. It is also harder to
    login with your private account because the malware needs to search for
    members of the administrators group.

    In the second place, using a separate private account for day to day
    activities which require the power of an administrator keeps one such
    account free for repair purposes when, like most humans, you make some
    mistake. A mistake by a member of the administrators group can cause serious
    problems.

    Jim
     
    Jim, Oct 23, 2007
    #7
  8. Don J

    John John Guest

    Shenan Stanley wrote:

    > No matter the reasoning - where did you get that it 'could not be done'?
    > You can disable the built in administrator and create as many other
    > administrators on a Windows XP system as you desire.
    >
    > How to disable the Local Administrator account in Windows
    > http://support.microsoft.com/kb/281140
    >
    > The warning there says a bunch...
    > ------
    > Note Before you disable the local Administrator account, make sure that
    > there is at least one other local or network user who can gain access to the
    > computer with administrator permissions. Otherwise, you will not be able to
    > reverse this action in the future.
    > ------


    I think it's time Microsoft reviewed and rewrote that article. For
    Windows XP you cannot keep the built-in Administrator account from
    logging on to Safe-Mode with the procedure described there and for
    Windows 2000 that will not prevent logging on locally with the built-in
    Administrator account, the Administrator will still be able to log on
    locally in Safe-Mode and in Normal mode! There is another policy at the
    same location that will effectively lockout the built-in Administrator
    account, but the one mentioned in the article won't do it.

    John
     
    John John, Oct 23, 2007
    #8
  9. Don J

    M.I.5¾ Guest

    "Don J" <> wrote in message
    news:...
    >I don't understand your last paragraph. In particular I've been using the
    >Administrator Account as my normal day to day account, in XP Home, for
    >about a year. What do you mean by "XP Home does not allow you to use the
    >'Administrator' account directly"?
    >


    In Windows XP Home, if you do not create any other account and only have the
    administrator account existing, then XP will boot directly into that account
    and allow its use for everyday purposes. As soon as you create a second
    account regardless of whether you grant administrator or limited access, the
    administrator account is disabled from being accessed in anything other than
    safe mode. This is done to dissuade the home user from using the safety net
    for anything other than a safety net. The current discussion shows clearly
    that non professional users don't appreciate the importance of keeping the
    safety net in good order (and having previously used the likes of Windows 98
    or ME, why would they?).

    > And what do you mean by "creating the new user account can define this new
    > account as a different type of account than administrator type."? How
    > does it get changed?
    >


    From Control panel and then User Accounts, you can create a new user account.
    Such an account can be either an 'administrator' account or a 'limited'
    account. The former has all the privileges of the default administrator
    account, and as much capability to wreak havoc. It can also be accessed in
    safe mode. The limited account has much more limited capability. It can't
    generally load new applications or make most registry changes. It also
    can't be entered while in safe mode. The account type can be changed in the
    control panel.

    While in the user accounts, you will notice that there is a third type of
    account called 'guest', which is disabled by default. When enabled this
    account allows access with even more restriction than the limited account.
    I heartily recommend against enabling this account.

    Users of XP professional will be aware that there are more types of account
    available with increasing levels of privilege available.
     
    M.I.5¾, Oct 23, 2007
    #9
  10. Don J

    Guest Guest

    I'm guilty of using the out-of-the-box Administrator as the sole daily user
    account (XP Pro) -Thanks for this post. This Administrator's "Account Name"
    is a major Folder Name in Local Documents & Settings. Assuming the matching
    names Are Related, what happens to that Folder name if you Re-name Or
    Disable that Administrator's account when creating a new Account with Admin
    Privileges as you suggest ? As a non-expert I don't want to Open a can of
    worms I can't fix. Thanks.

    "Jim" wrote:

    >
    > "Don J" <> wrote in message
    > news:...
    > > I've yet to see a good explanation of how to avoid using the predefined
    > > Administrator Account as the Regular Administrator Account during normal
    > > operation. What is the difference between the regular Administrator
    > > Account
    > > and one that you have defined for the purpose. In particular can roles be
    > > reversed? Can a new Account be defined and used as the hidden Account,
    > > and
    > > the original Account be used as the operating account. If the answer to
    > > this question is no, what is the reason?
    > >
    > > Don
    > > J
    > >
    > > ----------------------------------------------------------------------------------------------------------
    > >
    > >
    > >

    > All members of the administrators group are equal. Thus it is easy to
    > create an account that is the full equal of the built in administrator. The
    > best practice is to rename the administrator account to something else; this
    > is a form of security by obscurity. You then create an account for your own
    > use which is a member of the administrators group. You use this account for
    > all tasks which need the power of the administrator.
    >
    > Doing this serves two goals.
    >
    > In the first place, it is harder for malware to login as the administrator
    > if that account has been renamed and is disabled. It is also harder to
    > login with your private account because the malware needs to search for
    > members of the administrators group.
    >
    > In the second place, using a separate private account for day to day
    > activities which require the power of an administrator keeps one such
    > account free for repair purposes when, like most humans, you make some
    > mistake. A mistake by a member of the administrators group can cause serious
    > problems.
    >
    > Jim
    >
    >
    >
     
    Guest, Oct 23, 2007
    #10
  11. Don J

    Don J Guest

    I don't understand your statement that creating a second account prevents
    the original Administrator Account from being accessed in anything but "Safe
    Mode". I have used an "XP Home" disk to create a new XP installation of
    Windows XP. The first thing I did was to define a new Administrator
    Account. I then exited Windows and reentered it. There is no indication
    that I am in "Safe Mode".

    Don J

    ------------------------------------------------------------------------------------------------
    "M.I.5¾" <_SPAM.co.uk> wrote in message
    news:471dab94$...
    >
    > "Don J" <> wrote in message
    > news:...
    >>I don't understand your last paragraph. In particular I've been using the
    >>Administrator Account as my normal day to day account, in XP Home, for
    >>about a year. What do you mean by "XP Home does not allow you to use the
    >>'Administrator' account directly"?
    >>

    >
    > In Windows XP Home, if you do not create any other account and only have
    > the administrator account existing, then XP will boot directly into that
    > account and allow its use for everyday purposes. As soon as you create a
    > second account regardless of whether you grant administrator or limited
    > access, the administrator account is disabled from being accessed in
    > anything other than safe mode. This is done to dissuade the home user from
    > using the safety net for anything other than a safety net. The current
    > discussion shows clearly that non professional users don't appreciate the
    > importance of keeping the safety net in good order (and having previously
    > used the likes of Windows 98 or ME, why would they?).
    >
    >> And what do you mean by "creating the new user account can define this
    >> new account as a different type of account than administrator type."?
    >> How does it get changed?
    >>

    >
    > From Control panel and then User Accounts, you can create a new user
    > account. Such an account can be either an 'administrator' account or a
    > 'limited' account. The former has all the privileges of the default
    > administrator account, and as much capability to wreak havoc. It can
    > also be accessed in safe mode. The limited account has much more limited
    > capability. It can't generally load new applications or make most
    > registry changes. It also can't be entered while in safe mode. The
    > account type can be changed in the control panel.
    >
    > While in the user accounts, you will notice that there is a third type of
    > account called 'guest', which is disabled by default. When enabled this
    > account allows access with even more restriction than the limited account.
    > I heartily recommend against enabling this account.
    >
    > Users of XP professional will be aware that there are more types of
    > account available with increasing levels of privilege available.
    >
    >
    >
     
    Don J, Oct 23, 2007
    #11
  12. Don J

    WaIIy Guest

    On Mon, 22 Oct 2007 20:00:49 -0500, "Shenan Stanley"
    <> wrote:

    >Now - what would REALLY be unwise is to have ONLY one account and use that
    >lone account with administrative powers (would pretty much have to have
    >these rights - given it is the ONLY user account) on a daily basis. After
    >all - if something gets corrupted - what account are you logging in as in
    >order to repair things? Sure - you can do the recovery console, you could
    >do a repair install, you could boot from a Windows XP BartPE CD and erase
    >the account's profile directory (or rename it) so a new profile is made at
    >the next logon - but that still puts all your eggs in one basket.


    Great comments and advice on this issue. As a reader of this group, I
    thank you for taking the time to explain the logic of not having only
    the administrator account activated.
     
    WaIIy, Oct 23, 2007
    #12
  13. Don J

    Jim Guest

    "Craig S" <> wrote in message
    news:...
    > I'm guilty of using the out-of-the-box Administrator as the sole daily
    > user
    > account (XP Pro) -Thanks for this post. This Administrator's "Account
    > Name"
    > is a major Folder Name in Local Documents & Settings. Assuming the
    > matching
    > names Are Related, what happens to that Folder name if you Re-name Or
    > Disable that Administrator's account when creating a new Account with
    > Admin
    > Privileges as you suggest ? As a non-expert I don't want to Open a can of
    > worms I can't fix. Thanks.
    >

    <big snip>
    Nothing happens to the folder name in Documents & Settings when all you do
    is rename the account.
    When you create an account, a new folder tree for that specific account gets
    created in Documents & Settings.

    The way that this works is that every account is tied to a specific Security
    ID. This is a multi digit number which would be the pits to use as your
    login. A username is thus merely an alias for the SID.
    When you rename an account, you are actually changing the alias. As far as
    XP is concerned you have done nothing. Creating a new member of the
    administrators group has no effect on any of the other members of the group.

    Jim
     
    Jim, Oct 23, 2007
    #13
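
Jim's point above (a username is only an alias for the SID) and the KB 281140 warning quoted earlier in the thread can be checked mechanically. The following is an added example, not part of any poster's message: it decodes a binary SID and audits an account list, and the account names, the machine identifier inside the SIDs and all function names are constructed for illustration.

```python
import struct
from dataclasses import dataclass

ADMINS_GROUP_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
BUILTIN_ADMIN_RID = 500             # well-known RID of the built-in Administrator


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID into its S-<revision>-<authority>-<sub>... text form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])      # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def is_builtin_admin(sid: str) -> bool:
    """True for S-1-5-21-<machine or domain id>-500, whatever the account is called."""
    parts = sid.split("-")
    return (len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]
            and parts[-1] == str(BUILTIN_ADMIN_RID))


@dataclass(frozen=True)
class Account:
    name: str          # the alias typed at logon; renaming changes only this
    sid: str           # the identity the OS actually tracks
    enabled: bool
    groups: frozenset  # SIDs of the local groups the account belongs to


def audit(accounts):
    """Report on the built-in Administrator and on who else could repair the machine."""
    builtin = next((a for a in accounts if is_builtin_admin(a.sid)), None)
    others = [a.name for a in accounts
              if a.enabled and ADMINS_GROUP_SID in a.groups and a is not builtin]
    return {
        "builtin_name": builtin.name if builtin else None,
        "builtin_enabled": bool(builtin and builtin.enabled),
        "other_enabled_admins": others,
        # KB 281140 warning: disable the built-in account only when another
        # administrator is able to log on.
        "safe_to_disable_builtin": bool(others),
    }


def sample_sid(rid: int) -> bytes:
    """Constructed binary SID: S-1-5-21-<made-up machine id>-<rid>."""
    header = bytes([1, 5]) + (5).to_bytes(6, "big")
    return header + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, rid)


def sample_accounts():
    """Constructed account list: a renamed built-in admin, one extra admin, one limited user."""
    admins = frozenset({ADMINS_GROUP_SID})
    users = frozenset({"S-1-5-32-545"})              # BUILTIN\Users
    return [
        Account("Keeper", sid_to_string(sample_sid(500)), True, admins),
        Account("don", sid_to_string(sample_sid(1003)), True, admins),
        Account("kids", sid_to_string(sample_sid(1004)), True, users),
    ]


if __name__ == "__main__":
    for key, value in audit(sample_accounts()).items():
        print(f"{key}: {value}")
```

The renamed account "Keeper" is still reported as the built-in Administrator because the check looks at the SID, not the name.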
  14. Don J

    WaIIy Guest

    On Tue, 23 Oct 2007 09:22:31 +0100, "M.I.5¾"
    <_SPAM.co.uk> wrote:

    >
    >"Don J" <> wrote in message
    >news:...
    >>I don't understand your last paragraph. In particular I've been using the
    >>Administrator Account as my normal day to day account, in XP Home, for
    >>about a year. What do you mean by "XP Home does not allow you to use the
    >>'Administrator' account directly"?
    >>

    >
    >In Windows XP Home, if you do not create any other account and only have the
    >administrator account existing, then XP will boot directly into that account
    >and allow its use for everyday purposes. As soon as you create a second
    >account regardless of whether you grant administrator or limited access, the
    >administrator account is disabled from being accessed in anything other than
    >safe mode. This is done to dissuade the home user from using the safety net
    >for anything other than a safety net. The current discussion shows clearly
    >that non professional users don't appreciate the importance of keeping the
    >safety net in good order (and having previously used the likes of Windows 98
    >or ME, why would they?).
    >
    >> And what do you mean by "creating the new user account can define this new
    >> account as a different type of account than administrator type."? How
    >> does it get changed?
    >>

    >
    >From Control panel and then User Accounts, you can create a new user account.
    >Such an account can be either an 'administrator' account or a 'limited'
    >account. The former has all the privileges of the default administrator
    >account, and as much capability to wreak havoc. It can also be accessed in
    >safe mode. The limited account has much more limited capability. It can't
    >generally load new applications or make most registry changes. It also
    >can't be entered while in safe mode. The account type can be changed in the
    >control panel.
    >
    >While in the user accounts, you will notice that there is a third type of
    >account called 'guest', which is disabled by default. When enabled this
    >account allows access with even more restriction than the limited account.
    >I heartily recommend against enabling this account.
    >
    >Users of XP professional will be aware that there are more types of account
    >available with increasing levels of privilege available.
    >
    >


    I installed http://support.microsoft.com/?kbid=245216

    SCESP41.EXE to my WinXP Home which gives me the Security Tab as in
    XP Pro.

    Pretty handy and can be pretty dangerous at the same time.
     
    WaIIy, Oct 23, 2007
    #14