Problem creating users

jw

I received no response from another ng, so I am trying this ng. Sorry
for dupe post.

I created a new system using XP PRO SP3. For some reason, this time
it created a system with a single user name 'Administrator' and the
appropriate folders for it under
'Documents and Settings>Administrator'.

I read somewhere recently that one way to deter intrusions is to
operate under a login that does not have administrator privileges.
So, I tried to create a new user for that purpose - 'Control
Panel>User Accounts' would not let me because it said I did not
already have an administrator account. So I then made two new users -

Duke - with administrator privileges
Roy - without administrator privileges

I expected in the next system start that boot would be stopped at the
Welcome Screen presenting me with logins from which to choose.

Alas, the system boots straight through just as it did before. Oddly,
though, I can log off and then log back on to either 'Administrator',
'Duke' or 'Roy'. If I log on as 'Roy', and go to 'Control Panel>User
Accounts' thinking I could then delete 'Administrator', I cannot
because 'Administrator' does not show as a user.

This all seems odd to me. Can someone please explain how to set
things straight? Or should I just forget the whole idea?

BTW - there is a web page showing how to control user logins in this
regard, but for WindowsNT (Dwords under UserList in the Registry). I
tried playing with that, to no avail. I guess this is one way NT is
different from XP?

Thanks

Duke
 
John John - MVP

In the Start menu Run box enter:

control userpasswords2

and select the "Users must enter a user name..." option.

You can also set this option in the Control Panel's User Account applet.

John
 
jw

> In the Start menu Run box enter:
>
> control userpasswords2
>
> and select the "Users must enter a user name..." option.
>
> You can also set this option in the Control Panel's User Account applet.
>
> John

Thanks John

That part now works. While I have your attention (assuming I still
do), I have another question on this subject:

I notice the restricted user 'Roy' that I created, lacks some things.
I copied the desktop shortcut icons from the administrator's desktop
to give 'Roy' access to the programs, but how do I avoid having to
MANUALLY set all the display options again? I have them set for my
display with special icon sizes and text fonts and other things. How
can I simply copy the administrator's display settings to 'Roy'?


Duke
 
Bruce Chambers

> I received no response from another ng, so I am trying this ng. Sorry
> for dupe post.
>
> I created a new system using XP PRO SP3. For some reason, this time
> it created a system with a single user name 'Administrator' and the
> appropriate folders for it under
> 'Documents and Settings>Administrator'.


"For some reason?" That "reason" being that's exactly the way the OS is
designed to work, upon initial installation.

> I read somewhere recently that one way to deter intrusions is to
> operate under a login that does not have administrator privileges.


Well, doing so may not actually _deter_ intrusions, but it will limit
the amount of damage that any intrusions can do. Routinely using a
computer with administrative privileges is not without some risk. You
will be much more susceptible to some types of malware, particularly
adware and spyware. While using a computer with limited privileges
isn't the cure-all, silver bullet that some claim it to be, any
experienced IT professional will verify that doing so definitely reduces
the amount of damage and depth of penetration by the malware. If you
get infected/infested while running as an administrator, the odds are
much greater that any malware will be extremely difficult, if not
impossible, to remove without formatting the hard drive and starting anew.
The intruding malware will have the same privileges to all of the files
on your hard drive that you do.

A technically competent user who is aware of the risks and knows
how to take proper precautions can usually safely operate with
administrative privileges; I do so myself. But I certainly don't
recommend it for the average computer user.

Secondly, and perhaps most importantly, the built-in Administrator
account was never intended to be used for day-to-day normal use. The
standard security practice is to rename the account, set a strong
password on it, and use it only to create another account for regular
use, reserving the Administrator account as a "back door" in case
something corrupts your regular account(s).


> So, I tried to create a new user for that purpose - 'Control
> Panel>User Accounts' would not let me because it said I did not
> already have an administrator account.


Yes, there must be at least one other (besides the built-in
Administrator) account with administrative privileges. This is because,
once again, the built-in Administrator account was never intended to be
used for day-to-day normal use.

> So I then made two new users -
>
> Duke - with administrator privileges
> Roy - without administrator privileges
>
> I expected in the next system start that boot would be stopped at the
> Welcome Screen presenting me with logins from which to choose.
>
> Alas, the system boots straight through just as it did before.


Then you neglected to configure the computer to require users to logon.
Start > Control Panel > Users > Change the way Users Login.

> Oddly,
> though, I can log off and then log back on to either 'Administrator',
> 'Duke' or 'Roy'. If I log on as 'Roy', and go to 'Control Panel>User
> Accounts' thinking I could then delete 'Administrator', I cannot
> because 'Administrator' does not show as a user.


Two points: First of all, the built-in Administrator account *cannot*
be deleted. Secondly, as you've discovered, once any additional user
accounts have been created, the built-in Administrator account will no
longer be displayed on the Welcome Screen or via the Control Panel Users
applet. This is a default security feature. The account is still
accessible via the Microsoft Management Console (Right-click My Computer >
Manage), a.k.a. the MMC.

By design, the only way to log into the Administrator account of
WinXP Home is to reboot into Safe Mode. For WinXP Pro, pressing
CTRL+ALT+DEL twice at the Welcome Screen will produce the standard login
dialog box.

> This all seems odd to me. Can someone please explain how to set
> things straight? Or should I just forget the whole idea?


There's nothing odd, at all, and nothing to set straight. The system
is behaving just as it should.

> BTW - there is a web page showing how to control user logins in this
> regard, but for WindowsNT (Dwords under UserList in the Registry). I
> tried playing with that, to no avail. I guess this is one way NT is
> different from XP?


HOW TO Create and Configure User Accounts in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;279783



--

Bruce Chambers

Help us help you:


http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
 
John John - MVP

> Thanks John
>
> That part now works. While I have your attention (assuming I still
> do), I have another question on this subject:
>
> I notice the restricted user 'Roy' that I created, lacks some things.
> I copied the desktop shortcut icons from the administrator's desktop
> to give 'Roy' access to the programs, but how do I avoid having to
> MANUALLY set all the display options again? I have them set for my
> display with special icon sizes and text fonts and other things. How
> can I simply copy the administrator's display settings to 'Roy'?

You can copy the Administrator's user profile to Roy's user profile.
Right click My Computer and click on Properties. At the System
Properties click on the Advanced tab and then on the User Profiles
Settings button and copy the profile from one user to the other. Note
that you need Administrative privileges to do this. Also note that you
cannot copy to or from the user that you are logged on with, if you want
to copy from Administrator to Roy you will have to log on to a third
account that has administrative rights.

John
 
jw

> You can copy the Administrator's user profile to Roy's user profile.
> Right click My Computer and click on Properties. At the System
> Properties click on the Advanced tab and then on the User Profiles
> Settings button and copy the profile from one user to the other. Note
> that you need Administrative privileges to do this. Also note that you
> cannot copy to or from the user that you are logged on with, if you want
> to copy from Administrator to Roy you will have to log on to a third
> account that has administrative rights.
>
> John


I have been playing with copying profiles as per your guidance since
yesterday and have found that while administrator's desktop icons were
copied to Roy's desktop, none of the 'settings' (this may be my term)
such as power options, icon sizes, background color, etc were copied.
I really think someone needs to write a book 'Creating Duplicate User
in XP For Dummies'.

That said - I went back to doing things manually as I have done in the
past. Now I have another question -

In Administrator, I created a new user Roy with administrator
privileges.
I logged in as Roy to get it into c:\Documents and Settings
In Roy - In Windows Explorer, I manually copied Administrator's
Desktop content to Roy's to get all the desktop shortcut icons to Roy.
In Roy - In Control Panel I manually set all the power options, icon
sizes, background color, etc
In Administrator, I changed Roy's privileges to non-administrator.
In Roy, I find I cannot execute some desktop shortcuts, but I can
execute others. Says I don't have the privileges. One example is
Eudora, which I use for e-mails, but I cannot in Roy.
I wonder why not.

Any ideas?

Duke
 
Roy Smith

> I have been playing with copying profiles as per your guidance since
> yesterday and have found that while administrator's desktop icons were
> copied to Roy's desktop, none of the 'settings' (this may be my term)
> such as power options, icon sizes, background color, etc were copied.
> I really think someone needs to write a book 'Creating Duplicate User
> in XP For Dummies'.
>
> That said - I went back to doing things manually as I have done in the
> past. Now I have another question -
>
> In Administrator, I created a new user Roy with administrator
> privileges.
> I logged in as Roy to get it into c:\Documents and Settings
> In Roy - In Windows Explorer, I manually copied Administrator's
> Desktop content to Roy's to get all the desktop shortcut icons to Roy.
> In Roy - In Control Panel I manually set all the power options, icon
> sizes, background color, etc
> In Administrator, I changed Roy's privileges to non-administrator.
> In Roy, I find I cannot execute some desktop shortcuts, but I can
> execute others. Says I don't have the privileges. One example is
> Eudora, which I use for e-mails, but I cannot in Roy.
> I wonder why not.

It's because the program is trying to access, create, or edit files or
folders that the account doesn't normally have access to. To get around
this right click on the icon and select properties and in the
compatibility tab select "run as administrator" and click ok.
 
jw

> It's because the program is trying to access, create, or edit files or
> folders that the account doesn't normally have access to. To get around
> this right click on the icon and select properties and in the
> compatibility tab select "run as administrator" and click ok.

Under properties>compatibility tab, I do not see 'run as
administrator'.

Thanks

Duke
 
Roy Smith

> Under properties>compatibility tab, I do not see 'run as
> administrator'.

Oh crap, I'm sorry, I forgot that Win XP doesn't have it there, that's
Vista and Win 7. Instead what you need to do is right click the icon of
the program you want to use, and then choose 'run as' in the drop down
menu. From there you can choose a user account with administrative
privileges to run the program.
 
jw

> Oh crap, I'm sorry, I forgot that Win XP doesn't have it there, that's
> Vista and Win 7. Instead what you need to do is right click the icon of
> the program you want to use, and then choose 'run as' in the drop down
> menu. From there you can choose a user account with administrative
> privileges to run the program.

Thanks

Do you mean to do this in 'Roy', who does not have administrator
privileges? Or in 'Administrator' who does?
Sorry for my dumbness.
Duke
 
John John - MVP

> Thanks
>
> Do you mean to do this in 'Roy', who does not have administrator
> privileges? Or in 'Administrator' who does?

When 'Roy' wants to run programs for which he doesn't have permission he
can press and hold the Shift key and then right click on the program or
shortcut and he will see a "Run as..." option.

Re: Copying the profile from Administrator to Roy. You can temporarily
elevate Roy to Administrator then copy the profile over and then log on
to Roy's account while he is elevated to administrator. This should
allow for certain options (like the power profile) to be applied, you
can then logoff Roy and demote his account.

John
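
The temporary elevate-then-demote step described in the reply above, as a command-line sketch added here (it is not part of the original thread). It uses the built-in `net user`, `net localgroup` and `findstr` commands and must be run from an administrator account such as Duke; the script name `tempadmin.bat` is hypothetical.

```bat
@echo off
rem Added example, not from the thread. Hypothetical script: tempadmin.bat
rem Usage: tempadmin.bat elevate^|demote^|status ACCOUNT   (e.g. ACCOUNT = Roy)
setlocal
set ACTION=%~1
set ACCT=%~2
if "%ACCT%"=="" goto usage

rem Refuse to touch group membership for an account that does not exist.
net user "%ACCT%" >nul 2>&1
if errorlevel 1 (echo Account "%ACCT%" not found.& exit /b 1)

if /i "%ACTION%"=="elevate" goto elevate
if /i "%ACTION%"=="demote" goto demote
if /i "%ACTION%"=="status" goto status
goto usage

:elevate
rem Temporary step: add the account to the local Administrators group.
net localgroup Administrators "%ACCT%" /add
goto status

:demote
rem Remove the admin rights again and make sure the account stays in Users.
net localgroup Administrators "%ACCT%" /delete
net localgroup Users "%ACCT%" /add >nul 2>&1
goto status

:status
rem Verify against the actual member list instead of trusting the commands
rem above. /b is a prefix match, so "Roy" would also match "Royce".
net localgroup Administrators | findstr /i /b /c:"%ACCT%" >nul
if errorlevel 1 (
    echo %ACCT% is NOT in Administrators.
) else (
    echo %ACCT% IS in Administrators. Demote it when the setup is done.
)
exit /b 0

:usage
echo Usage: %~nx0 elevate^|demote^|status ACCOUNT
exit /b 1
```

Run `tempadmin.bat elevate Roy` before copying the profile and `tempadmin.bat demote Roy` once Roy has logged on and off again. The command-line counterpart of the Shift + right-click "Run as..." option is the built-in `runas /user:Duke "<path to program>"`.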
 
jw

> When 'Roy' wants to run programs for which he doesn't have permission he
> can press and hold the Shift key and then right click on the program or
> shortcut and he will see a "Run as..." option.
>
> Re: Copying the profile from Administrator to Roy. You can temporarily
> elevate Roy to Administrator then copy the profile over and then log on
> to Roy's account while he is elevated to administrator. This should
> allow for certain options (like the power profile) to be applied, you
> can then logoff Roy and demote his account.
>
> John


Thanks

Setting up a restricted user is far from easy, simple or clear to
accomplish, as I see it.

Duke
 
