Tech Off Thread

14 posts


Running as Administrator

  • User profile image

    I have to admit that I run as administrator almost always.  Shame on me.  I understand that this isn't best practice, so I'd like to run a limited account.  The problem is that it's too limited.  What does everyone else do?

    Also, after reading about the "high security threat flaw" in SP2, I wonder why Microsoft doesn't educate the user more about not running in Admin mode.  It would be ridiculous in Linux to run on a root account, why is this different for Windows?

    It seems like they could have added like a toaster popup that says "You have just spent 1 hour as an admin, click here to find out why this is bad."  And have this feature defaulted on.  Maybe something to think about for Longhorn.

  • User profile image

    I, too, run as an administrator, as do many of the IT experts I know. It is a risk, yes, but with good antivirus and firewall software and a grain of salt, common sense, and some caution, I see no real harm in it.

  • User profile image

    Yeah! I always run as administrator. I tried to run as a normal user but the limitations were too high to work comfortably. I'd like to delete some files and have access to all data. I don't think that a normal user is useful for people who know what they are doing and want to have control over their computer.

  • User profile image

    One way to make the most of the "Limited" user account and the Administrator account is to Enable Fast User Switching.

    What you do is log on normally using the Limited User account, then switch over to the Admin account when you need to make some installs.

    With fast user switching, it is quite convenient to just use the WinKey+Q to switch over to another account, then switch back. [No need to logoff constantly...].

  • User profile image

    Ah, not too long ago I too was running as Administrator all the time.  About a month or so ago I decided to stop for various reasons.  The hardest part in running as a non-Admin isn't writing code, changing system settings, or screwing with the system in general.  Those can be worked around by the simple command "runas /user:Administrator cmd".  The toughest part is starting.  Man, what a pain it is the first five times you go to change some setting and realize you can't.  And for the most part (assuming you stick with it) you realize that you didn't really need to be flipping those bits all the time anyways.  Now I only use the Admin console to get at a few files still stored in the account's My Documents and to install the odd piece of software.  Quite literally, everything else I need to do I can do with relative ease from a limited user account.

    My only gripe is that my Toshiba tablet's silly custom power manager won't function without full Admin rights (meaning I can't customize power settings, but that's not too bad).

    So, what's your excuse? =)

  • User profile image

    I have a Win2k3 box in the hallway, which has a login that a flatmate uses (with an easy password for him to remember) on the console. Consequently it's a fairly locked down account (at least so far as he is a User, fairly large sections are read only or deny access). It doesn't stop him doing anything. If you try to install hardware (i.e. USB it hasn't seen before), it prompts with a "Run As". If you want to change something in control panel, you "Run As". At least my Mac has this idea of "just because I have super cow powers doesn't mean that you should overwrite or delete system files without prompting me first", using the sudo stuff, where you don't have to maintain a secondary account.

  • User profile image

    I have been running as a Limited account for about half a year now, and I think I'm used to it, and I don't find it annoying any more. After learning the tips and tricks that I needed to do so (being a developer, I needed ASP.NET debugging, and lots of other administrative operations too).

    However, about the popup that could announce one when she has spent too much time logged in as an Administrator, I want to say that I would find that popup very annoying during the time I install things, especially when installing over the Internet on a slow Internet connection (may take a very long time). So I vote against it.

  • User profile image

     Not the "default" admin though.

  • User profile image

    It's pretty unrealistic to ask the common user to manage multiple roles, let alone accounts.  I thought we were supposed to make computers more user friendly?  Personally my OS should be working for me, not me for it.

    I run in Admin mode all the time, as long as you use common sense and the tools mentioned above you can stay fairly safe. 

  • User profile image

    Yes, this is a good trade-off unless you need "offline" files or folders. Offline folders are not available if your system has "Fast user switching" enabled.

  • User profile image

    yes, i do it too, although i know it's bad.  it's a simple matter of programs not being made to run without admin rights.

    i go to setup my computer after a fresh install, put a bunch of programs on, and only some of them are available for all users.

    it's too much hassle to switch a regular user to admin and then back again each time i need to do something, so i just don't.

    bad i know, but as i read somewhere else today, programmers are lazy and will follow the path of least resistance, expect it to stay like this for anyone who is not a security nut.

  • User profile image

    Briden wrote:
    bad i know, but as i read somewhere else today, programmers are lazy and will follow the path of least resistance, expect it to stay like this for anyone who is not a security nut.

    That should read "programmers who are lazy are bad programmers."  Building good software of any complexity takes discipline. :)

  • User profile image
    Sven Groot

    I've taken to running full-time in a limited user account for about a year now, and I've not had significant trouble. Sure, there'll always be things only admins can do, but 99% of the time "Run As..." will suffice. There are a few things you need to be aware of though:

    1. The "Run As..." option doesn't show up on certain types of shortcut, most notably the Control Panel items. If it doesn't show up, try holding the left-shift key while right-clicking.
    2. Remember that right-click "Run As..." is not the only way to do this. There's also the runas /user:Administrator command. I tend to have several often-used as admin apps, such as cmd, regedit, taskmgr and others in my Start/Run list using runas.
    3. Unfortunately, neither right-click "Run As..." nor runas can do a ShellExecute, so it only works on applications and shortcuts. I've created a simple registry hack that alleviates this shortcoming. If anyone's interested I can post the registry entries here.
    4. Certain apps won't work with Run As (unfortunately this includes Windows Update v5), in this case fast user switching is indispensable.
    5. Some applications require that you are an Administrator. These include applications that can only be used by the user that installs them as well as other scenarios. The problems this poses can be quickly solved by the tool MakeMeAdmin.

    Besides this there are some concerns when developing, these are covered in great depth in the Developing Software in Visual Studio .Net Using Non-Administrative Privileges article. It's a must-read for all developers.
    The recent .Net Rocks episode with Don Kiely also talks about the necessity of developing with least-privilege and how to overcome some of the hurdles. Again, this is greatly recommended listening.

    And remember folks, if we devs don't use least-privilege user accounts, how can we ever expect end-users to start doing it?

  • User profile image


    "That's because I'm a good programmer, and good programmers are lazy"

    Programming should be elegant and the tools that are available should support that.  If good programmers weren't lazy, we'd still be all writing in assembly!

    Honestly though, I know i should run as non-admin, but if i were to do this, i'd need to do a runas or a logout, login as admin, switch permissions, logout, login cycle every time something like MSN Messenger is updated, and that simply isn't acceptable.
