Run as Non-Admin ?

Poll Results: Do you use a Limited account on Windows?

  • 84% (54): No.
  • 12% (8): Yes.
  • 3% (2): What security does limited account provide?
64 Total Votes
post #1 of 41
Thread Starter 
http://nonadmin.editme.com/

Read the link then vote.
post #2 of 41
I never have any problems...so...
post #3 of 41
I run as admin, you should not.

-DS

EDIT:
-Hardware firewall
-Software firewall
-Real-time antivirus
-Real-time antispyware/antimalware (x3)
-Realtime antirootkit
-Full encryption of personal and irreplaceable information
-RAID1 realtime backup of personal and irreplaceable information to encrypted external drive
-Tight knot in network cable to keep out the bad stuff
post #4 of 41
Hell no, Windows limited account sucks. I only run in limited account in Linux, 'cause the Linux implementation actually works, and doesn't get in the way.
post #5 of 41
This should be in OT...
post #6 of 41
We encourage people to run as non-admin. Vista also has the concept of UAP, which limits what an account can do, even if it is an admin.
post #7 of 41
Quote:
Originally Posted by Revenent
We encourage people to run as non-admin. Vista also has the concept of UAP, which limits what an account can do, even if it is an admin.
I haven't seen any of this stuff in any of the Vista builds I've tried, so I can't comment, but for Windows XP, it just doesn't work. I tried to set up limited accounts once before for my family members on Win XP and they weren't able to use many of their apps.

BTW, where do you work in MS?
post #8 of 41
Quote:
Originally Posted by Revenent
We encourage people to run as non-admin.
Of course. MS has to assume that the majority of their users not only don't need admin rights, but aren't even aware of the concept.

However, I don't know anyone there who uses a non-admin account. I just did my own informal poll last night of friends who are still there, some of whom have been there for more than 12 years. I asked, "Do you, or anyone you know at work, use non-admin level accounts in Windows on any machine you have at home or at work?"

100% said, "No." The only sort-of exception were people who used multiple accounts at home on the family machines where the SO or kids used the computer, but the account of the person in question is admin level.

The only conclusion in this is that people all share the same, "It won't happen to me." attitude.

EDIT: And it could be seen as an indication that the non-admin accounts are just too problematic to deal with.

I too use a non-root account in Linux because of its better implementation. If Vista has a better way to protect the admin functions of the OS without hampering the user as much as it does now, then I'd happily go along with that. After all, if it's done well, there would be no reason not to.

-Doc
post #9 of 41
I too use a non-root account in Linux because of its better implementation.

I wonder what in the world you could mean by that. There is nothing at all wrong with the "implementation" of non-administrative accounts in WinNT derivatives; in fact, the security model they implement is quite a bit more sophisticated than what many Unix variants offer. The DEC heritage shows...

Anyway, the only "problem with non-administrative accounts on Windows systems" is the massive incompetence of many software developers, who routinely violate Windows XP compatibility standards that have been out for at least a decade. Stuff like, as a normal user, you never, ever, write or modify files in system folders, or modify keys in HKLM, etc., etc.

We should be very clear about one thing: If a user mode application does not run properly without administrative rights, what that means is that this application is not compatible with Windows XP, and does not meet XP logo requirements. As an aside, I might mention that on this very machine I am sitting on right now, I have more applications installed than most people in this forum have probably ever heard of, and every single one of them runs just fine without administrative rights, just like any well-designed application should.

Finally, from a security point of view, routinely running with administrative rights is pure insanity, period. Nobody who is the least bit interested in system security, has a minimum amount of competence, and is in his right mind (well, there's a list of caveats there...) would run his day-to-day work logged in with administrative rights.
post #10 of 41
Quote:
Originally Posted by drizek
I haven't seen any of this stuff in any of the Vista builds I've tried, so I can't comment, but for Windows XP, it just doesn't work. I tried to set up limited accounts once before for my family members on Win XP and they weren't able to use many of their apps.

BTW, where do you work in MS?
Here's a thought for the Redmondites:

If Vista comes out, provide the user system of previous server admin. IE: User, Power User, Administrator, etc. for home users.
post #11 of 41
Quote:
Originally Posted by Pirx
I too use a non-root account in Linux because of its better implementation.

I wonder what in the world you could mean by that. There is nothing at all wrong with the "implementation" of non-administrative accounts in WinNT derivatives; in fact, the security model they implement is quite a bit more sophisticated than what many Unix variants offer. The DEC heritage shows...

Anyway, the only "problem with non-administrative accounts on Windows systems" is the massive incompetence of many software developers, who routinely violate Windows XP compatibility standards that have been out for at least a decade. Stuff like, as a normal user, you never, ever, write or modify files in system folders, or modify keys in HKLM, etc., etc.

We should be very clear about one thing: If a user mode application does not run properly without administrative rights, what that means is that this application is not compatible with Windows XP, and does not meet XP logo requirements. As an aside, I might mention that on this very machine I am sitting on right now, I have more applications installed than most people in this forum have probably ever heard of, and every single one of them runs just fine without administrative rights, just like any well-designed application should.

Finally, from a security point of view, routinely running with administrative rights is pure insanity, period. Nobody who is the least bit interested in system security, has a minimum amount of competence, and is in his right mind (well, there's a list of caveats there...) would run his day-to-day work logged in with administrative rights.
Thanks for a few laughs
post #12 of 41
Quote:
Originally Posted by Pirx
I too use a non-root account in Linux because of its better implementation.

I wonder what in the world you could mean by that. There is nothing at all wrong with the "implementation" of non-administrative accounts in WinNT derivatives; in fact, the security model they implement is quite a bit more sophisticated than what many Unix variants offer. The DEC heritage shows...

Anyway, the only "problem with non-administrative accounts on Windows systems" is the massive incompetence of many software developers, who routinely violate Windows XP compatibility standards that have been out for at least a decade. Stuff like, as a normal user, you never, ever, write or modify files in system folders, or modify keys in HKLM, etc., etc.

We should be very clear about one thing: If a user mode application does not run properly without administrative rights, what that means is that this application is not compatible with Windows XP, and does not meet XP logo requirements. As an aside, I might mention that on this very machine I am sitting on right now, I have more applications installed than most people in this forum have probably ever heard of, and every single one of them runs just fine without administrative rights, just like any well-designed application should.

Finally, from a security point of view, routinely running with administrative rights is pure insanity, period. Nobody who is the least bit interested in system security, has a minimum amount of competence, and is in his right mind (well, there's a list of caveats there...) would run his day-to-day work logged in with administrative rights.
post #13 of 41
Quote:
Originally Posted by Pirx
I too use a non-root account in Linux because of its better implementation.

I wonder what in the world you could mean by that. There is nothing at all wrong with the "implementation" of non-administrative accounts in WinNT derivatives;.........
Tell me, how do I change User permissions in Windows XP Home? I just want to use this:
User1 can write/access "User1[My Documents]"
User1 can write/access "C:\user1temp"
User2 cannot access "C:\user1temp"
(Both User1 and User2 are non-admins)
Just this.... Please, tell me, Windows advocate
post #14 of 41
Quote:
Originally Posted by Pirx
I too use a non-root account in Linux because of its better implementation.

I wonder what in the world you could mean by that.
Ah, yes... to clarify, I mean exactly what you stated later in your reply. The overall user experience in a non-admin account can really suck depending on how much software installation and messing about you do. So you're right in the fact that it's not an MS thing, it's an overall problem.

Quote:
Originally Posted by Pirx
Finally, from a security point of view, routinely running with administrative rights is pure insanity, period. Nobody who is the least bit interested in system security, has a minimum amount of competence, and is in his right mind (well, there's a list of caveats there...) would run his day-to-day work logged in with administrative rights.
I do as I've learned, and I learned from 10 years at MS. Everyone I mentioned in my informal poll also works there. I'm not saying it's a good habit, but I am saying that a great deal of people who are quite in-the-know still do this, and that the internal culture of "From Whence It Came" isn't necessarily teaching its own people the best of habits.

I do agree with you, as indicated in my initial reply in this thread where I implied "Do as I say, not as I do."

-Doc
post #15 of 41
I don't see how it is an issue with the applications that make limited accounts not work. Developers shouldn't have to jump through hoops to get their apps to work with it. In Linux, it is very simple. You can't modify system files as non-root, however, you can view them. This means that a non-root can't install/uninstall software, but can run anything already on the system. Period. Application developers don't have to add any extra code for it.

More importantly, if a non-root wanted to install an app in Linux, all it would require is typing in the root password in a dialog box that comes up. In Windows, it requires logging off and logging in as admin. Pain in the ass.
post #16 of 41
There are no hoops that developers have to jump through. It's very simple. MSDN has had this information freely available for 10 years or more. If you want to save a document, start by saving to the "My Documents" area. Users always have access to their own "My Documents" folder, period. Don't save to "Program Files". That folder should hold Program Files, which is why it's not called "Data Files". Don't save to the root of a volume. Don't start cluttering the root of the volume with yet another folder. Saving a file is saving a file is saving a file, the process is the same no matter what. WHERE the file is saved is where the difference lies. Incompetent developers don't get it.

Don't save data to HKEY_LOCAL_MACHINE. There's no need except on installation, which should only be done by admins anyway. Save to HKEY_CURRENT_USER. Not new. Not a hoop. The process of writing to one or the other is identical, it's just that one will always be available no matter who is logged on, while the other may be in read-only mode. Incompetent developers don't get it.

Now, I do agree that the Linux implementation is better. However, 99% of the reasons people don't use limited accounts in Windows were created by shoddy third party programming, as stated above.
post #17 of 41
Actually, can't you right-click on something and select "run as" another user? Anyway, that sort of defeats the purpose 'cause I don't want my little brother knowing the admin password in the first place.
post #18 of 41
Run As works for most things but not all, namely explorer.exe and 16-bit applications that use shell calls to open other executables. This is where the Linux implementation is better, because you're prompted with something that basically says, you can't do this unless you gimme a password of an account that can. I've also encountered some difficulties with Run As when managing a trusted domain, but that's a pretty rare thing. Most people can't be bothered to use Run As, and I don't blame them. However, you can modify your shortcuts to fire off with Run As, so you're automagically prompted for a password without mucking around with command prompts or context menus. Most people don't want to be bothered with that either. Vista is showing promise in making this process less hassling, though.
post #19 of 41
Just this.... Please, tell me, Windows advocate

Boot into safe mode, log in as the administrator, and set the permissions you want. You might want to google the subject if you need more help. is your friend

Doc Said: "I do agree with you..."

I was hoping that you would not misunderstand my comments; from other posts of yours that I have seen I had the impression that you generally know what you are talking about, so my comments were not so much directed at yourself, but at the ignorant masses (you know, the ones who so seemed to like my post...)

Drizek said: "developers shouldn't have to jump through hoops to get their apps to work with it."

They don't have to "jump through any hoops". They should just not do stuff that they would not be allowed to do on a Unix system either. See, the difference is that Unix developers understand security, whereas many Windows developers do not seem to have progressed beyond an understanding of DOS' security model... If a developer is stupid and/or lazy enough to store per-user settings in HKLM, and store program configuration files in the installation directory, rather than doing these things in HKCU or the user's Documents and Settings tree, they should be run out of business.
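
The write-location rules stated in posts #16 and #19 (per-user data under the profile and HKCU; nothing in Program Files, the volume root or HKLM), as an added example that is not part of any post in this thread: a small Python audit that classifies the write targets an application was observed to touch. The profile path, directory list, verdict names and sample applications are assumptions made for the illustration.

```python
import ntpath

# Assumed default English Windows XP locations; a real tool would resolve
# them from the environment or shell folder APIs instead of hard-coding.
PROFILE = r"C:\Documents and Settings\User1"      # hypothetical user
MACHINE_DIRS = (r"C:\Program Files", r"C:\WINDOWS")
MACHINE_HIVES = ("HKLM", "HKEY_LOCAL_MACHINE")
USER_HIVES = ("HKCU", "HKEY_CURRENT_USER")

def _under(path, base):
    """True if path is base itself or lies below it (case-insensitive)."""
    path, base = ntpath.normcase(path), ntpath.normcase(base)
    return path == base or path.startswith(base + "\\")

def classify_write(target, profile=PROFILE):
    """Classify one write target (registry key or file path)."""
    hive = target.split("\\", 1)[0].upper()
    if hive in MACHINE_HIVES:
        return "needs-admin"      # machine-wide settings, install time only
    if hive in USER_HIVES:
        return "ok"               # per-user hive, writable by its owner
    path = ntpath.normpath(target)    # collapses "..", unifies slashes
    if any(_under(path, d) for d in MACHINE_DIRS):
        return "needs-admin"
    if _under(path, profile):
        return "ok"
    drive, _ = ntpath.splitdrive(path)
    if ntpath.dirname(path) in (drive, drive + "\\"):
        return "avoid"            # file or new folder in the volume root
    return "review"               # anything else needs a human look

def audit(writes, profile=PROFILE):
    """Return (app, target, verdict) for every write that is not 'ok'."""
    checked = [(a, t, classify_write(t, profile)) for a, t in writes]
    return [row for row in checked if row[2] != "ok"]

# Constructed sample of observed writes (application names are made up).
SAMPLE_WRITES = [
    ("GoodApp", r"HKCU\Software\GoodApp\Settings"),
    ("GoodApp", r"C:\Documents and Settings\User1\My Documents\report.doc"),
    ("BadApp", r"HKEY_LOCAL_MACHINE\SOFTWARE\BadApp\LastUser"),
    ("BadApp", r"C:\Program Files\BadApp\config.ini"),
    ("BadApp", r"C:\Documents and Settings\User1\..\..\Program Files\BadApp\x.dat"),
    ("BadApp", r"C:\badapp.log"),
]
```

Calling `audit(SAMPLE_WRITES)` returns only the four BadApp entries; the `..` path is normalised before the check, so it is reported as a Program Files write rather than a profile write.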
post #20 of 41
Quote:
Originally Posted by Pirx
Doc Said: "I do agree with you..."

I was hoping that you would not misunderstand my comments; from other posts of yours that I have seen I had the impression that you generally know what you are talking about
Generally, but I've been schooled here a few times and I certainly like to learn. I understand the folly of running as admin, but, alas, I still do it.

-Doc