Admin - Limited user accounts.


G

Guest

I've just bought a new HP Windows XP Media Center Edition 2005 computer.
Can someone explain this to me. I understand that for ssecurity reasons you
should not be using your Admin logon to visit the internet. Ok so I have made
a limited user account. So...why is it that not all software is transfered
from the Admin account to the limited user account. Really confusing to me,
that if I make an udate to the preinstalled Norton internet security on Admin
(because you are not allowed to make any updates under a limited user
account) that these updates are not passed over the all accounts on the
computer. I have found that, any software added from the internet to this new
computer must be done using Admin. Thats really great considering when I go
back over to my limited user account the software is not even there, and how
in the world am I going to get the software over there since its a limited
user account. Does Windows XP require that you install software all over the
place? Like not only for the Admin account but for each and every limited
user on a computer? Am I maybe missing the big picture here, or does it look
like I'm going in circles? I have 2 kids and I do not want them visiting the
internet with the Admin account so it makes since to make user accounts but
what good are the user accounts if when they use them, no updates, pictures,
software etc are being forwarded over?
 
Ad

Advertisements

B

Bruce Chambers

CK said:
I've just bought a new HP Windows XP Media Center Edition 2005 computer.
Can someone explain this to me. I understand that for ssecurity reasons you
should not be using your Admin logon to visit the internet. Ok so I have made
a limited user account. So...why is it that not all software is transfered
from the Admin account to the limited user account. Really confusing to me,
that if I make an udate to the preinstalled Norton internet security on Admin
(because you are not allowed to make any updates under a limited user
account) that these updates are not passed over the all accounts on the
computer. I have found that, any software added from the internet to this new
computer must be done using Admin. Thats really great considering when I go
back over to my limited user account the software is not even there, and how
in the world am I going to get the software over there since its a limited
user account. Does Windows XP require that you install software all over the
place? Like not only for the Admin account but for each and every limited
user on a computer? Am I maybe missing the big picture here, or does it look
like I'm going in circles? I have 2 kids and I do not want them visiting the
internet with the Admin account so it makes since to make user accounts but
what good are the user accounts if when they use them, no updates, pictures,
software etc are being forwarded over?


You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions. (Games
are particularly likely to follow this horrible practice.)

It may even be that the software requires "write" access to parts
of the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators), explicitly grant normal users elevated privileges to
the affected folders and/or part(s) or the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving settings
on limited accounts, you may need to change permissions on the registry
keys. Run regedit.exe and go to HKLM\Software\vendor\app, where
"vendor\app" is the key that the software vendor used for your specific
program. Change the permissions on this key to allow Users full control."




--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell
 
G

Guest

CK,

This has always been a source of annoyance to me. One of the most common
security recommendations that you read and hear about is to use a limited
user account (LUA) for everyday work, but no one ever reveals just how
difficult this can be. The time and skills required to make it work is
beyond most users. I am an experienced Windows/UNIX/Oracle administrator,
and I have found this to be a difficult problem. Microsoft has tools for
network/system administrators like me to assist with the creation of LUAs.
They are the Application Compatibility Toolkit, the Standard User Analyzer,
and the Microsoft Shared Computer Toolkit. I have used the ACT and SUA but
not the other.

This problem is not entirely the fault of Microsoft. In order to create an
operating system that is easy (relatively) to setup and use, Microsoft
designed Windows from the beginning with user accounts having the ability to
do anything. As time went on, it became clear that this was a problem. The
ability to create limited user accounts was introduced, and "experts" began
recommending their use. I can't help thinking that these "experts" never
used them and had no clue just how difficult it was. In any event,
application developers wrote their programs with the assumption that their
software would be running in a full-privileged account. When it is not, all
kinds of problems develop. It is a very complex task to get everything to
work in a LUA. Not only would most users (over 99%) not be able to get it to
work, they would also find it frustrating to use if they could.

I am wondering how this is going to play out with Vista because it is LUA
out of the box. (To do it justice, the LUA in Vista is not quite the same as
in XP, and I think this is what prompted a change in terms from LUA to UAC
(User Access Control).) Nevertheless, it is possible with some difficulty to
bypass UAC and use the built-in administrator account in Vista--even
auto-login with that account--but most users will never see it. Even that
built-in administrator has some frustrating limitations. For those of us who
know how to use administrative privileges without endangering our computers,
networks, and next of kin, it is very frustrating that Vista is now making us
dance to the UAC tune. I refuse to use LUA/UAC at home. (I am forced to at
work.) Good computing practices can mitigate the danger. In the many years
that I have done so, I have never had major infections on any computer system
I own or use, and the few attempts that were made against me were stopped
cold.

Kind regards,
Opus
 
Ad

Advertisements

C

cmcanulty

I can't get "fast user switching" to turn off in Windows Media Center
2005. So I can't secure computers at our library. I want a limited
account for patrons and admin for librarian. But fast user switching
can't be turned off, I have tried several suggested reg repairs and
tweaks. Any help? Thanks
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top