Windows Vista finally has a practical LUA implementation, many many years overdue, and linux has always had it. The implementation in Ubuntu is really quite elegant. Everyone is defaulted to a power user account, and if you'd like to perform a root-level task, you're simply asked for your password.
Leo Notenboom
November 21, 2006 4:05 PM
The Mac is much like Ubuntu in this regard, and I agree, it's perhaps the most elegant compromise.
What I *don't* know is how often that requirement (administrative access) pops up in what would otherwise be "normal" work. That's what's most frustrating about XP's LUA.
Mike
November 21, 2006 6:39 PM
>> What I *don't* know is how often that requirement (administrative access) pops up in what would otherwise be "normal" work.
Anecdotally, I read that this was one of the biggest complaints about the early RC's for Vista..that even in trivial tasks like deleting a file from your desktop, Vista would password-prompt you (not once, not twice, but) *three* times. However, Microsoft has corrected this in later RCs, and supposedly trimmed down the number of tasks that require entering a password.
Gordon
December 3, 2006 3:10 AM
I have added a Limited account to the computer that I most use for Web Wandering and intend to use that account only for that purpose. Is this sensible?
Jim
December 3, 2006 5:31 PM
In early 2006, I found a reference to a small program on Microsoft's website called DropMyRights. It's used with user setup desktop shortcuts to fire-up DropMyRights which then starts ups another program (such as Internet Exporer, Firefox, Outlook Express) with LimitedUser rights (non-Administrator). I've been using it for the 3 programs above for most of 2006. When I look at the security setting of any of these DropMyRights invoked programs using ProcessExplorer (from SysInternals), ...right-click application name > Properties > Security tab > BUILTIN/Administrators setting: it shows "Deny,Owner" rather than "Owner". I think that for WinXP, this is a pretty good compromise. I can logon with Administrator rights, but then fire up some programs such as browsers and email with LimitedUser rights. I think that this protects me pretty well! I get the benefits of the need for Administrator rights with many applications as well as the protection of LimitedUser rights with my Internet facing applications. I keep my standard desktop icons for browsers, etc. for WindowsUpdate and other such work.
Grant Phillips
September 30, 2007 7:14 AM
I have windows vista and I have asked Dell, as well as my IP. how can seperate two users in email. Right now my wife's email comes in my acct. and if she sends it goes out in my name not hers.
Alex
November 26, 2007 5:18 AM
I believe many people are not aware that it is possible to run an application in a LUA with administrator rights (provided you have the password). The feature is called "Run as..." and is accessible through right-click in Explorer on the program you want to execute. It will only be valid for the current session and is an excellent way of quickly getting things installed or configured without the hassle of temporarily elevating permission rights. It is even possible to setup a shortcut or program to always run as a different account (although I wouldn't recommend that as a design, it's a compromise for the exceptions).
Alex
November 26, 2007 5:27 AM
I have setup my system exactly as described and since I don't use games (which are the ones that are most fiddly about permission rights) everything works fine without hickups or hassles. Admin accounts is ONLY for installation of new programs.
I DO wonder how protected I am with this scheme. Knowing a little about how permissions work with NTFS, I can't figure how a virus could bypass this. Of course there is a way because enterprises get viruses just as anybody else (albeit not as often) and in a corporate environment LUA is exactly the norm. So how do viruses do it? If they can't get write access to the registry, how do they make themselves executable on system restarts?
Adrian Ho
April 11, 2009 6:23 PM
I can't change the security settings from medium to medium high. Is this normal in a limited user account? and when I change try to change these settings I always get "explorer.exe is not responding" or smoething like that when I close or apply the setting. Is something wrong with Windows in my PC?
richard
June 30, 2009 4:13 PM
I use all three levels of XP accounts
Admin for Updates, installs, and SW that requires Admin priv.
Limited for regular day to day stuff and some of the SW can be run with "Run As Admin account" such as FTP Voyager
Guest, I setup the Guest account log into it once and then use the Run As to access the "Guest Account" web browser,
but, I've recently bumped up against a problem with the Guest account User Profile not being retained and can't seem to find a solution anywhere except "it's supposed to do that..." but I know it works as I have set up the Guest account to use for web browsing on 4 previous machines 2 with XP Pro and 2 with XP home and the settings are retained in the Guest Profile, I have tried to setup another XP Pro machine and at every log off the profile is deleted which is not good because all Firefox browser add-ons & settings / customizations etc. are also removed the method I use (because I have software that requires I always be logged in as Admin. to use it), is to setup the Guest account and log into it once then "net user Guest 'password'" and then change the browser shortcut in my admin account to "Run with different credentials" and use the "Guest browser" from within the Admin. & or Limited account is there some registry entry or group policy setting that's preventing the Guest profile from being retained?
Comments
Read the article that everyone's commenting on.
November 21, 2006 10:10 AM
Windows Vista finally has a practical LUA implementation, many many years overdue, and linux has always had it. The implementation in Ubuntu is really quite elegant. Everyone is defaulted to a power user account, and if you'd like to perform a root-level task, you're simply asked for your password.
November 21, 2006 4:05 PM
The Mac is much like Ubuntu in this regard, and I agree, it's perhaps the most elegant compromise.
What I *don't* know is how often that requirement (administrative access) pops up in what would otherwise be "normal" work. That's what's most frustrating about XP's LUA.
November 21, 2006 6:39 PM
>> What I *don't* know is how often that requirement (administrative access) pops up in what would otherwise be "normal" work.
Anecdotally, I read that this was one of the biggest complaints about the early RC's for Vista..that even in trivial tasks like deleting a file from your desktop, Vista would password-prompt you (not once, not twice, but) *three* times. However, Microsoft has corrected this in later RCs, and supposedly trimmed down the number of tasks that require entering a password.
December 3, 2006 3:10 AM
I have added a Limited account to the computer that I most use for Web Wandering and intend to use that account only for that purpose. Is this sensible?
December 3, 2006 5:31 PM
In early 2006, I found a reference to a small program on Microsoft's website called DropMyRights. It's used with user setup desktop shortcuts to fire-up DropMyRights which then starts ups another program (such as Internet Exporer, Firefox, Outlook Express) with LimitedUser rights (non-Administrator). I've been using it for the 3 programs above for most of 2006. When I look at the security setting of any of these DropMyRights invoked programs using ProcessExplorer (from SysInternals), ...right-click application name > Properties > Security tab > BUILTIN/Administrators setting: it shows "Deny,Owner" rather than "Owner". I think that for WinXP, this is a pretty good compromise. I can logon with Administrator rights, but then fire up some programs such as browsers and email with LimitedUser rights. I think that this protects me pretty well! I get the benefits of the need for Administrator rights with many applications as well as the protection of LimitedUser rights with my Internet facing applications. I keep my standard desktop icons for browsers, etc. for WindowsUpdate and other such work.
September 30, 2007 7:14 AM
I have windows vista and I have asked Dell, as well as my IP. how can seperate two users in email. Right now my wife's email comes in my acct. and if she sends it goes out in my name not hers.
November 26, 2007 5:18 AM
I believe many people are not aware that it is possible to run an application in a LUA with administrator rights (provided you have the password). The feature is called "Run as..." and is accessible through right-click in Explorer on the program you want to execute. It will only be valid for the current session and is an excellent way of quickly getting things installed or configured without the hassle of temporarily elevating permission rights. It is even possible to setup a shortcut or program to always run as a different account (although I wouldn't recommend that as a design, it's a compromise for the exceptions).
November 26, 2007 5:27 AM
I have setup my system exactly as described and since I don't use games (which are the ones that are most fiddly about permission rights) everything works fine without hickups or hassles. Admin accounts is ONLY for installation of new programs.
I DO wonder how protected I am with this scheme. Knowing a little about how permissions work with NTFS, I can't figure how a virus could bypass this. Of course there is a way because enterprises get viruses just as anybody else (albeit not as often) and in a corporate environment LUA is exactly the norm. So how do viruses do it? If they can't get write access to the registry, how do they make themselves executable on system restarts?
April 11, 2009 6:23 PM
I can't change the security settings from medium to medium high. Is this normal in a limited user account? and when I change try to change these settings I always get "explorer.exe is not responding" or smoething like that when I close or apply the setting. Is something wrong with Windows in my PC?
June 30, 2009 4:13 PM
I use all three levels of XP accounts
Admin for Updates, installs, and SW that requires Admin priv.
Limited for regular day to day stuff and some of the SW can be run with "Run As Admin account" such as FTP Voyager
Guest, I setup the Guest account log into it once and then use the Run As to access the "Guest Account" web browser,
but, I've recently bumped up against a problem with the Guest account User Profile not being retained and can't seem to find a solution anywhere except "it's supposed to do that..." but I know it works as I have set up the Guest account to use for web browsing on 4 previous machines 2 with XP Pro and 2 with XP home and the settings are retained in the Guest Profile, I have tried to setup another XP Pro machine and at every log off the profile is deleted which is not good because all Firefox browser add-ons & settings / customizations etc. are also removed the method I use (because I have software that requires I always be logged in as Admin. to use it), is to setup the Guest account and log into it once then "net user Guest 'password'" and then change the browser shortcut in my admin account to "Run with different credentials" and use the "Guest browser" from within the Admin. & or Limited account is there some registry entry or group policy setting that's preventing the Guest profile from being retained?
To post a comment on "Are Limited User Accounts effective?", please return to that article's main page.