Limited Accounts

[Glenn9999]

Does anyone have a link or a description of a technical nature describing what the limitations are with Limited Accounts? Or how to control limitations if possible? I looked into the help and found a generic description of a few things, and looked online and found almost the same generic description (and more about hacking accounts than information about them). But I observed a few things in testing regarding saving files from programs that makes me wonder.

So I'm wondering if there's an explicit list out there of what a limited account can or can't do?

I'm waiting for the white paper entitled "Finding Employment in the Era of Occupational Irrelevancy

 

[linney]

I don't know of one document that covers everything concerning Limited Users, you might have to put them altogether and compile it yourself.

http://support.microsoft.com/search/default.aspx?query=Limited user account&catalog=LCID=1033

Applying the Principle of Least Privilege to User Accounts on Windows XP

http://www.microsoft.com/downloads/...e7-9ecd-4d5d-9eeb-308c5d522e14&displaylang=en

 

[Glenn9999]

Stuff like this is why I'm seeking clarification.

When the idea is made to sound so good here ("you can do almost anything you can do on an administrator account").

http://windows.microsoft.com/en-us/...r-account-instead-of-an-administrator-account

But then you have stuff like this:

http://support.microsoft.com/kb/307091

The list in that link would seem to scream "You can't do anything useful on a limited account" and make anyone want to stay away from even trying it.

And this, where the limited user can't even print:

http://social.answers.microsoft.com...e/thread/7ca54b06-bb41-40f2-8f68-d367c043aca9

Of course I'm gathering that perhaps there's some security settings somewhere that deal with what the different accounts mean, but I'm not finding those.

Again, I find very generic descriptions in the help (involving system maintenance issues), and nothing involving regular tasks...


I'm waiting for the white paper entitled "Finding Employment in the Era of Occupational Irrelevancy

 

[Glenn9999]

And if you go into the second link, the indicated workaround seems to be a lot more trouble than its worth if there are so many problems in doing basic functions of programs run on limited accounts. Seems a lot easier in the long run just to run admin accounts in the first place?

So maybe the proper thing to ask next to be that if this "behavior is by design" and is resolved by "replacing the program with a version that is designed for Windows XP", what does "designed for Windows XP" mean? There has to be a document out there entailing that?

I'm waiting for the white paper entitled "Finding Employment in the Era of Occupational Irrelevancy

 

[MasterRacker]

The reason programs fail is they are poorly designed and are trying to do things that require higher privileges. For example, many programs try to save settings in the All Users of Local Machine sections of the registry. The whole point of a limited account is that the limited user isn't supposed to be able to affect other users on that machine.

I run as a limited account at home. I have to log in as an admin to install new software, make configuration changes or install hardware but normal operations work fine.

For the most part, anything that requires access to something that affects the whole system will be blocked under a limited account.

Jeff
[small][purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/small]

 

[linney]

The first link applies more to Vista and Windows 7 rather than XP, but the gist of it is correct, except in XP you would have to make use of the "Run As" command when it came to installing programs or running some programs.

How to enable and use the "Run As" command when running programs in Windows

http://support.microsoft.com/kb/294676

Or from a Command Prompt for example,

Regedit
runas /user:localmachinename\administrator regedit

Explorer
runas /user:localmachinename\administrator explorer

Disk Cleanup
runas /user:localmachinename\administrator cleanmgr.exe

MsConfig
runas /user:localmachinename\administrator C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe

Of course this requires knowledge of the Administrators password.


I don't think that printer link is quite correct?

Assigning printer permissions

http://technet2.microsoft.com/windo...3bca-4201-a788-855b41ecf0371033.mspx?mfr=true

As a general rule you install programs as an Administrator, but surf the Net as a Limited User.

 

[Glenn9999]

The reason programs fail is they are poorly designed and are trying to do things that require higher privileges.

Okay. "Require higher privileges" I guess is what the struggle here is deciding the definition. As for the KB #307091 link, I observe most of those things running under limited accounts with relatively new programs. So what does that mean precisely? The programs aren't following some nebulous rules that Microsoft has set out? For example, is saving, editing, or opening another file outside the "My Documents" folder defined as "access to something that affects the whole system"? Or access to a device defined as such?

I would hate to think that most people would accept running every program under a "Limited User" as administrator as a viable option...

I'm waiting for the white paper entitled "Finding Employment in the Era of Occupational Irrelevancy

 

[linney]

Installing and Running are two different examples, the first one probably would require Administrator Privileges, the latter one, most of the time, would run under the Limited User Privileges.

As to whether a program does, or does not, require extra Privileges is going to be determined as to where the program writes files to, whether it is in Program Files, the Registry, or the Windows folder, etc. It will be further determined not just by the Privilege of the logged on user, but by their actual Access Permissions of and to the locations that are written to. Thus you can still be a Limited user and if your Access Permissions have been set correctly for files accessed by the program, you will be able to run that program as a Limited User. When you run a program "As an Administrator" via the "Run As" command, you are only being allowed the access to files that the Permissions grant an Administrator.

Windows tries to make it easier for you and the setting of Access Permissions, by using Groups, such as Administrators, Power Users, Users etc.

 

[MasterRacker]

It isn't just where a file is saved. What if a program properly saves documents to My Documents but behind the scenes, it tries to save history or something to a restricted part of the registry or the All Users folders or something like that. It will still fail.

It's very frustrating how many things fail as a limited user since it's NEVER a good ides to run day to day as an admin.

My current bane is coupon printing plugins that won't install unless you are an admin. You spend five minutes filling out screens full of info only to find that "the coupon can't be printed". The purpose of the plugin is understandable - they want to make sure you can only print one per household instead of supplying the whole town but the execution leaves a lot to be desired.

The actual guidelines first came out way back wen NT first did. I've done some searching since this thread started and I haven't been able to find relevant docs either.

Jeff
[small][purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/small]