ADMINISTRATOR vs Administrator USer

[AIANDAS]

Hi,
is there a difference between the Administrator one gets when you log in in
SAFE MODE vs an account that is declared Administrator in a USER account
context?

My gut tells me the SAFE MODE Administrator takes precedence? But of course
I could be wrong and this is the reason I need to ask here. Thanks in advance!

 

[PA Bear [MS MVP]]

Yes.

 

[Jim]

Hi,
is there a difference between the Administrator one gets when you log in
in
SAFE MODE vs an account that is declared Administrator in a USER account
context?

My gut tells me the SAFE MODE Administrator takes precedence? But of
course
I could be wrong and this is the reason I need to ask here. Thanks in
advance!

All accounts which are members of the administrators group are equal.

Your are doubtless describing XP Home, as the built in administrator account
can only be accessed in safe mode. In XP Pro, though, you can logon as
administrator in safe or normal mode.

Jim

 

[Patrick Keenan]

Hi,
is there a difference between the Administrator one gets when you log in
in
SAFE MODE vs an account that is declared Administrator in a USER account
context?

My gut tells me the SAFE MODE Administrator takes precedence? But of
course
I could be wrong and this is the reason I need to ask here. Thanks in
advance!

The Administrator account is a specific named account. Other accounts with
Administrator rights are different accounts.

 

[AIANDAS]

Actually I am in XP Pro mode. So then in XP Pro whether SAFE MODE or not the
administrator is still administrator.
OK then next question is there a way one administrator can supercede the
restrictions over another, where the other cannot supercede the previous?
I want to have an ALPHA Administrator and all other administrators on this
machine be secondary and tertiary in power.

 

[Jim]

Any account which is a member of the administrators group can do whatever
the user wants whenever the user wants it done.
Jim

 

[AIANDAS]

OK so what I am hearing in XP Pro there is no way to make one administrator
ALPHA over another?

 

[AIANDAS]

Aren't there various flavours of users, i.e., power user et al? Can these be
designated as administrator or how do I define one administrator as a power
user and another not?
Is there a link that give me detailed info on administrators and various
flavours of users?

 

[John Wunderlich]

OK so what I am hearing in XP Pro there is no way to make one
administrator ALPHA over another?

Any adminstrator can, for example, deny access to a file by any other
user -- whether administrator or not (even himself). However, if
that other user is also a member of the "administrators" group, then
they have the power to change the access rights of that file back so
they can again access that file.

You can, if you want, create another group e.g. "subadmins" and grant
members of that group an admin privilege subset using the Group
Policy Editor (start->run->gpedit.msc). This assumes XP Pro.

"How To Use the Group Policy Editor to Manage Local Computer Policy
in Windows XP"
<http://support.microsoft.com/kb/307882>

HTH,
John

 

[Patrick Keenan]

OK so what I am hearing in XP Pro there is no way to make one
administrator
ALPHA over another?

Well, that really wasn't your first question.

What you should be hearing is that the Administrator account is a built-in
account that should not ever be used as a regular account, only for
maintenance. You should be hearing that other Administrator-level accounts
can be created with full and equal rights, but those are *not the
Administrator account*, just as my car is not your car even if they are
identical models.

You can also via policies do things to alter the situation, but what exactly
is it that you wish to accomplish?

HTH
-pk

 

[Shenan Stanley]

Aren't there various flavours of users, i.e., power user et al? Can
these be designated as administrator or how do I define one
administrator as a power user and another not?
Is there a link that give me detailed info on administrators and
various flavours of users?

Let's make this easy.

If a user is a member of the "administrators" group - they are all-powerful
(except in personalized worlds - like encrypted data - and even then, they
could (if the other users are unwise in their best practices) make said
encrypted data *lost* to the other user completely.)

If a user is a member of the "administrators" group - no matter their other
memberships - they can do what they want to whom ever they want on said
system. If another member of the "administrators" group changes something
on their account, they can retaliate and do the same.

As far as I am concerned (the following is my opinion, my take on things) -
despite some people's usage of the "power users" group - there are only a
few levels of users.

When dealing with users - you give them *as little* power as
possible/plausible and grant them only the additional power they need. You
do not give them 'all powerful' rights and then try to limit them.

- Guest (these people cannot do much of anything, fairly unused level.)
- User (very limited, no installation rights, etc.)
- Modified User (this is not a built-in group, but a user whom I have
granted an extra right or three...)
- Administrator (full ownage of everything in said system.)

Power Users is supposed to be a group that can install certain things, do
certain things - but I have always found their power too broad to be useful
in restricting people. Power Users still get infections that affect all
other users, they can install software that affect all other users, etc.
I'd rather not have that sort of user on a multi-user system and I would
rather only have a single administrator (although there may be multiple
adminstrator level accounts - for 'oops' situations.)

My suggestion is to limit the usage of the "administrators" group as much as
possible. Create all "users" and if you must, grant certain users 'special
powers'.

http://technet.microsoft.com/en-us/library/bb456992.aspx
http://support.microsoft.com/kb/279783

 

[AIANDAS]

Well I want there to be one ADMINISTRATOR that can control all the others.
Now in XP Pro we have 2 choices. Administrator and Limited Accounts. So there
is one user @ home that whines if I don't make them an Administrator but
don't trust their internet savvy to not get us into some kind of trouble. So
I do make them an administrator but I need to find a way to limit their
access without making them Limited.
Somebody mentioned Sub-Administrator. How do I make them a Sub-Administrator?

 

[Shenan Stanley]

Well I want there to be one ADMINISTRATOR that can control all the
others. Now in XP Pro we have 2 choices. Administrator and Limited
Accounts. So there is one user @ home that whines if I don't make
them an Administrator but don't trust their internet savvy to not
get us into some kind of trouble. So I do make them an
administrator but I need to find a way to limit their access
without making them Limited.
Somebody mentioned Sub-Administrator. How do I make them a
Sub-Administrator?

You have to let them whine. If they cannot be trusted with power, then
certainly don't give it to them.

You have chosen badly by making them administrators. They do not *need* to
be adminstrators to utilize the computer. In fact - best practice is for
them *not* to be an administrator while performing daily tasks.

Let's make this easy.

If a user is a member of the "administrators" group - they are all-powerful
(except in personalized worlds - like encrypted data - and even then, they
could (if the other users are unwise in their best practices) make said
encrypted data *lost* to the other user completely.)

If a user is a member of the "administrators" group - no matter their other
memberships - they can do what they want to whom ever they want on said
system. If another member of the "administrators" group changes something
on their account, they can retaliate and do the same.

As far as I am concerned (the following is my opinion, my take on things) -
despite some people's usage of the "power users" group - there are only a
few levels of users.

When dealing with users - you give them *as little* power as
possible/plausible and grant them only the additional power they need. You
do not give them 'all powerful' rights and then try to limit them.

- Guest (these people cannot do much of anything, fairly unused level.)
- User (very limited, no installation rights, etc.)
- Modified User (this is not a built-in group, but a user whom I have
granted an extra right or three...)
- Administrator (full ownage of everything in said system.)

Power Users is supposed to be a group that can install certain things, do
certain things - but I have always found their power too broad to be useful
in restricting people. Power Users still get infections that affect all
other users, they can install software that affect all other users, etc.
I'd rather not have that sort of user on a multi-user system and I would
rather only have a single administrator (although there may be multiple
adminstrator level accounts - for 'oops' situations.)

My suggestion is to limit the usage of the "administrators" group as much as
possible. Create all "users" and if you must, grant certain users 'special
powers'.

http://technet.microsoft.com/en-us/library/bb456992.aspx
http://support.microsoft.com/kb/279783

 

[Patrick Keenan]

Well I want there to be one ADMINISTRATOR that can control all the others.

Then you have to limit the other accounts in some way, and not give them
administrator permissions.

Now in XP Pro we have 2 choices. Administrator and Limited Accounts. So
there
is one user @ home that whines if I don't make them an Administrator but

But, there's a saying. "Too bad".

What exactly do they need Admin permissions to do?

don't trust their internet savvy to not get us into some kind of trouble.
So
I do make them an administrator but I need to find a way to limit their
access without making them Limited.

If they are administrators, their access is by definition unlimited.

Power User might be an option.

Somebody mentioned Sub-Administrator. How do I make them a
Sub-Administrator?

Never heard of it.

HTH
-pk

 

[AIANDAS]

Shenan
Thank you very much this was very insightful.

 

[C.Joseph Drayton]

Any adminstrator can, for example, deny access to a file by any other
user -- whether administrator or not (even himself). However, if
that other user is also a member of the "administrators" group, then
they have the power to change the access rights of that file back so
they can again access that file.

You can, if you want, create another group e.g. "subadmins" and grant
members of that group an admin privilege subset using the Group
Policy Editor (start->run->gpedit.msc). This assumes XP Pro.

"How To Use the Group Policy Editor to Manage Local Computer Policy
in Windows XP"
<http://support.microsoft.com/kb/307882>

HTH,
John

There is a program that was written by one of the MVPs here
called WindowsXP Security Console that will allow you to
achieve what you want.

You of course must install it as an administrator. Then the
next thing you do is load each users profile, and restrict
their use of the WindowsXP Security Console. Also make sure
that you load the default user profile and place the same
restriction there. Once you have done that, you can than
restrict the 'administrators' access without them being able
to over-ride that restriction. Of course if they get into
your account (which still has policy setting capability),
then all bets are off.

One word of caution do not accidentally restrict your your
access to the WindowsXP Security Console, or you will find
that you can no longer make any policy changes.

BTW, the WindowsXP Security Console works with all versions
of XP that I have tested including the 64bit version.

Sincerely,
C.Joseph Drayton, Ph.D. AS&T

CSD Computer Services

Web site: http://csdcs.site90.net/
E-mail: (e-mail address removed)90.net

 

[Shenan Stanley]

There is a program that was written by one of the MVPs here
called WindowsXP Security Console that will allow you to
achieve what you want.

You of course must install it as an administrator. Then the
next thing you do is load each users profile, and restrict
their use of the WindowsXP Security Console. Also make sure
that you load the default user profile and place the same
restriction there. Once you have done that, you can than
restrict the 'administrators' access without them being able
to over-ride that restriction. Of course if they get into
your account (which still has policy setting capability),
then all bets are off.

One word of caution do not accidentally restrict your your
access to the WindowsXP Security Console, or you will find
that you can no longer make any policy changes.

BTW, the WindowsXP Security Console works with all versions
of XP that I have tested including the 64bit version.

Are you speaking of:
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
??

If so - I don't think it does what you seem to be representing it does. An
administrative level user in Windows XP is all powerful and running the
given software or not - an administrative level account can do whatever they
desire to do on Windows XP. You can *attempt* to limit things on
adminstrative level accounts in many ways - all of which will be failures in
the end.

You either create limited users (just plain old user accounts) or you deal
with the consequences of everyone having elevated privs with non-technical
methods (because if they have _any_ technical skills (even if they don't
they can still infest/infect the machine) or just the normal propensity for
mischief - you've wasted a lot of time trying to take away rights they never
should have had.)

 

[John Wunderlich]

There is a program that was written by one of the MVPs here
called WindowsXP Security Console that will allow you to
achieve what you want.

You of course must install it as an administrator. Then the
next thing you do is load each users profile, and restrict
their use of the WindowsXP Security Console. Also make sure
that you load the default user profile and place the same
restriction there. Once you have done that, you can than
restrict the 'administrators' access without them being able
to over-ride that restriction. Of course if they get into
your account (which still has policy setting capability),
then all bets are off.

One word of caution do not accidentally restrict your your
access to the WindowsXP Security Console, or you will find
that you can no longer make any policy changes.

BTW, the WindowsXP Security Console works with all versions
of XP that I have tested including the 64bit version.

Sincerely,
C.Joseph Drayton, Ph.D. AS&T

CSD Computer Services

Web site: http://csdcs.site90.net/
E-mail: (e-mail address removed)90.net

You probably should have replied to the OP rather than me, but I'll go
ahead and provide the link:

<http://www.dougknox.com/xp/utils/xp_securityconsole.htm>

HTH,
John

 

[C.Joseph Drayton]

Are you speaking of:
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
??

If so - I don't think it does what you seem to be representing it does. An
administrative level user in Windows XP is all powerful and running the
given software or not - an administrative level account can do whatever they
desire to do on Windows XP. You can *attempt* to limit things on
adminstrative level accounts in many ways - all of which will be failures in
the end.

You either create limited users (just plain old user accounts) or you deal
with the consequences of everyone having elevated privs with non-technical
methods (because if they have _any_ technical skills (even if they don't
they can still infest/infect the machine) or just the normal propensity for
mischief - you've wasted a lot of time trying to take away rights they never
should have had.)

Yes, that is the application I am referring to, and if you
set restrictions as to applications that they can use, then
yes it does work as I described.

As to whether the program can be circumvented I don't know.
I know that I have had it used by different sites for a
number of years with no problems. The users at those sites
could simply not be technical enough to bypass the security
that the program uses. I do know that it works, and yes it
is a pain to set up the restrictions but from what the OP
said, I think it is as application that he might want to
look at.

Sincerely,
C.Joseph Drayton, Ph.D. AS&T

CSD Computer Services

Web site: http://csdcs.site90.net/
E-mail: (e-mail address removed)90.net

 

[Shenan Stanley]

The conversation before this:
http://groups.google.com/group/microsoft.public.windowsxp.general/browse_frm/thread/204190216d338284
(archived indefinitely)

There is a program that was written by one of the MVPs here
called WindowsXP Security Console that will allow you to
achieve what you want.

You of course must install it as an administrator. Then the
next thing you do is load each users profile, and restrict
their use of the WindowsXP Security Console. Also make sure
that you load the default user profile and place the same
restriction there. Once you have done that, you can than
restrict the 'administrators' access without them being able
to over-ride that restriction. Of course if they get into
your account (which still has policy setting capability),
then all bets are off.

One word of caution do not accidentally restrict your your
access to the WindowsXP Security Console, or you will find
that you can no longer make any policy changes.

BTW, the WindowsXP Security Console works with all versions
of XP that I have tested including the 64bit version.

Are you speaking of:
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
??

If so - I don't think it does what you seem to be representing it
does. An administrative level user in Windows XP is all powerful
and running the given software or not - an administrative level
account can do whatever they desire to do on Windows XP. You can
*attempt* to limit things on adminstrative level accounts in many
ways - all of which will be failures in the end.

You either create limited users (just plain old user accounts) or
you deal with the consequences of everyone having elevated privs
with non-technical methods (because if they have _any_ technical
skills (even if they don't they can still infest/infect the
machine) or just the normal propensity for mischief - you've wasted
a lot of time trying to take away rights they never should have
had.)

Yes, that is the application I am referring to, and if you
set restrictions as to applications that they can use, then
yes it does work as I described.

As to whether the program can be circumvented I don't know.
I know that I have had it used by different sites for a
number of years with no problems. The users at those sites
could simply not be technical enough to bypass the security
that the program uses. I do know that it works, and yes it
is a pain to set up the restrictions but from what the OP
said, I think it is as application that he might want to
look at.

If a user is an administrator, they can circumvent almost everything you do
to try and limit them. The only exceptions are related to security that is
secondary (like encryption.)

I should also point out that technical savvy (or appearance of) is easily
gained with Internet searches - or at least enough to get around limitation
one might impose the way you have suggested. ;-)

IMO, it is *always* better to start with the lowest possible permissions and
grant only what is necessary than start by giving someone everything and
trying to take things away.