Administrator vs limited account

[PAUL SIMON]

I am running a system that has XP Professional. I have my account which is
set up as an administrator account, and I have accounts for my kids that are
set up as "limited" accounts. When they play a game that wants to save data,
it basically tells them they can't and then exits. I suspect this is because
it is in the limited mode. Is there a way to "adjust" windows to allow them
to save their data from their game?

Thanks.... Paul

 

[Jim]

Hmm... I thought the limited account just prevented access to adminstrator
level privileges (e.g., setting up scheduled tasks, reconfiguring machine,
disk/partition management, program installation/removal, etc.). Seems odd
that mere "file access", read ot write, would be an issue. Maybe the issue
is *where* the game is trying to save? Perhaps the game was installed by
the administrator under another account, and it's now trying to save to
*that* administrators My Documents, which would be off limits to a limited
account. Can't the game be configured (menu Options?) to save to *their* My
Documents?!

HTH

Jim

 

[bxb7668]

From past experience, some programs not designed for XP limited
accounts write to the programs Program Files folder which may not have
been granted write access to anyone not administrator. They also often
write to the Registry to areas that only some with administrator
privilege can write. Sometime you can fix this while logged onto an
administrator privilege account by changing the permissions to allow
everyone to write to the appropriate folders and/or registry keys.
The hard part is to figure out which folders and keys.

 

[Carrie Garth]

I am running a system that has XP Professional. I have my account which is
set up as an administrator account, and I have accounts for my kids that are
set up as "limited" accounts. When they play a game that wants to save data,
it basically tells them they can't and then exits. I suspect this is because
it is in the limited mode. Is there a way to "adjust" windows to allow them
to save their data from their game?

As others have mentioned, the problem is likely that the default permissions
given to members of the "limited" account (the Users group) are too stringent
for the "game that wants to save data". As such, it will not run successfully.

Some options are to:

- Contact the application developer to obtain the list of objects (files, folders
and/or registry keys) that need relaxed permissions and relax permissions on those
objects. For more information about how "To set, view, change, or remove file and
folder permissions", and how "To assign permissions to a registry key" see the
Help and Support Center topic by those titles.

- Allow users of such applications to be members of the Power Users group
and hope that this relaxes permissions enough. For more information about
the "Power Users" group see the Help and Support Center topics titled:
"Groups overview", "Default security settings", and "Privileges". For
information about how "To add a member to a group", see the Help and Support
Center topic by that title.

- Apply the predefined incremental security templates named compatws.inf
(Compatible) and hope that this relaxes permissions enough. For information
about "Predefined security templates" and how to "Apply a security template
to local policy", see the Help and Support Center topics by those title.

- Use the Sysinternals tools Filemon and Regmon to monitor the programs'
access to files, folders and registry keys. Then search Regmon for "ACCDENIED" and
Filemon for "FAILURE", and then relax permissions on those objects.

For more information about Regmon and Filemon see:

Sysinternals Freeware - Information for Windows NT and Windows 2000
http://www.sysinternals.com/ntw2k/utilities.shtml

 

[cquirke (MVP Win9x)]

As others have mentioned, the problem is likely that the default permissions
given to members of the "limited" account (the Users group) are too stringent
for the "game that wants to save data". As such, it will not run successfully.

Some options are to:

Try installing the game to a path that is not nested within
"C:\Program Files", so that it has permission to write to its own
subtree - or avoid the problem (and some protection) by not using
NTFS, or install the game on a FATxx volume.

- Contact the application developer to obtain the list of objects (files, folders
and/or registry keys) that need relaxed permissions and relax permissions on those

- Allow users of such applications to be members of the Power Users group
and hope that this relaxes permissions enough.

- Apply the predefined incremental security templates named compatws.inf
(Compatible) and hope that this relaxes permissions enough.

- Use the Sysinternals tools Filemon and Regmon to monitor the programs'
access to files, folders and registry keys.


-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.

 

[Walter Clayton]

successfully.

Try installing the game to a path that is not nested within
"C:\Program Files", so that it has permission to write to its own
subtree - or avoid the problem (and some protection) by not using
NTFS, or install the game on a FATxx volume.

Recommending FAT is not good for numerous reasons. You ignore registry
permissions which happens regardless of the file structure as well.

Setting permissions on the specific directory is acceptable however.

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org

 

[cquirke (MVP Win9x)]

Paul Simon? The guy with the diamond heels?

....were snipt...

Recommending FAT is not good for numerous reasons. You ignore registry
permissions which happens regardless of the file structure as well.

Does that apply if registry and C: are NTFS, but troublesome and
data-trivial games are installed on non-C: FATxx volumes?

-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.

 

[Walter Clayton]

Paul Simon? The guy with the diamond heels?

Hmmm. Didn't notice that before. Maybe.

...were snipt...



Does that apply if registry and C: are NTFS, but troublesome and
data-trivial games are installed on non-C: FATxx volumes?

Yes. The HD structure has nothing to do with registry permissions.

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org

 

[cquirke (MVP Win9x)]

Yes. The HD structure has nothing to do with registry permissions.

So it doesn't matter whether I suggest FATxx or NTFS, the story with
registry permissions (rights to update registry keys) would be the
same. Ah, but that's what you meant when you said "you ignore
registry permissions"; IOW my advice would make no difference to that,
positively or negatively. True, but I thought not being able to save
from a game would be more file-level rather than registry.

------------ ----- ---- --- -- - - - -

Our senses are our UI to reality

 

[Walter Clayton]

So it doesn't matter whether I suggest FATxx or NTFS, the story with
registry permissions (rights to update registry keys) would be the
same. Ah, but that's what you meant when you said "you ignore
registry permissions"; IOW my advice would make no difference to that,
positively or negatively. True, but I thought not being able to save
from a game would be more file-level rather than registry.

Generally it is on HD permission, but not always. If the app/game is doing
less than wise things with protected parts of the registry then there is
nothing that can be done with regard the HD structure permissions or lack
thereof. One issue is whether or not the app is saving state
information/pointers in the registry and exactly where.

In a nutshell there are a ton of unsafe apps out there since they were
developed for the 9x platform and the vendors were never forced to program
safely. Unsafe being defined as wanting to alter either parts of the
registry or parts of the HD structure that an application has no business
touching, although there are other things that are considered unsafe in
modern context. These same vendors never had a version of the software/game
that would run correctly on any NT kernel but since the target audience at
the time, for the most part, was running a wide open unprotected platform,
they didn't care. And since an admin class user is running mostly carte
blanc, they still don't care since the XP default is multiple admin class
users which is an unsafe mode of operation..

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org

 

[cquirke (MVP Win9x)]

"cquirke (MVP Win9x)" <[email protected]>

Generally it is on HD permission, but not always. If the app/game is doing
less than wise things with protected parts of the registry then there is
nothing that can be done with regard the HD structure permissions

Fair enuff. There are quite a few custom-data accounting apps that
tuck their data within or under their base dir, and that also breaks
if it's not allowed to write to "Program Files".

In a nutshell there are a ton of unsafe apps out there since they were
developed for the 9x platform

Well, they were written for the 9x platform - understandable, given
that until XP, NT lagged behind in budled DirectX and user mass.

...and the vendors were never forced to program safely. Unsafe
being defined as wanting to alter either parts of the registry or parts
of the HD structure that an application has no business touching

Hm. I remember MS beating the drum for app vendors to dump in the
registry rather than use private config files, which IMO is not always
appropriate (causes needless bloat if there are no other apps on earth
that ever need to see those settings). I didn't hear much about
"write to HKCU but not HKLM" etc. at the time, or even now.

Same with "Program Files"; the push was to use it, rather than dumping
off C:\ (and I'm glad about that). From the Win9x side of the pond, I
never heard MS saying where to save data, through from the Win95 SR2
days on I was trying to scoop data into a common subtree for backup.

These same vendors never had a version of the software/game
that would run correctly on any NT kernel but since the target audience at
the time, for the most part, was running a wide open unprotected platform,
they didn't care. And since an admin class user is running mostly carte
blanc, they still don't care since the XP default is multiple admin class
users which is an unsafe mode of operation..

At present, limited accounts in XP Home are IMO too awful (and yes,
unsafe) to bother with - given that one is forced to accept dumb MS
duhfaults that have risk implications, such as hiding hidden files,
paths and file name extensions. You can only apply those settings if
the account is admin, and you cannot pre-apply them to the prototype
from which new accounts are created.

With those and other limitations in mind, I consider multiple or
limited accounts (and especially subsequently-spawned accounts) as
unfit for use. Let's hope the design improves with the next revision.

-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.