I have two computers. A laptop runs Mac OS X Jaguar (10.2.8), a Unix variant. As the single user on my Mac, I created a user account at installation but was also prompted for an administration password. If I install software, I will be prompted for that admin password. I can also use the 'sudo' command prefix in Terminal to run commands as admin after entering the password.
My other computer runs Windows XP Professional with Service Pack 2. On Windows, the installation creates your user account giving it full administration privileges by default. Therefore, you run your Web browser, email and other applications as administrator. If these are compromised, your machine is at risk, and there are many viruses, spyware, trojans, etc. out there.
I first learned of the option of running as a Limited user during research on how to best run and secure my Windows XP computer. I found Aaron Margosis' Non-Admin Web Log posts. He has great material in his articles on fully understanding why it is important to run as a limited user and how to do it. The notes I include below describe my experience on creating the setup. (The Aaron Margosis Blog link and more are on my Resources for Running As A Limited User in Windows XP page.)
As a home network user (no domain logon), I act as my own system administrator. In an earlier attempt, I created a new "Limited" account rather than converting my existing account and found problems as some programs wouldn't launch or complained when quitting about being unable to write backup files. After that false start, I decided to follow the suggestions step by step and document how I successfully converted my home login account to run as a limited user. To be thorough, I also include the initial steps for a basic clean install of Windows XP.
Caveat: I don't play games on my computer or use instant messenger much. There is information on the Resources for Running As A Limited User in Windows XP page about programs that require full administrative privileges, with possible work-arounds.
Install Windows XP—Professional, in my case—on your drive following all installer prompts, rebooting when necessary. My install CD has Service Pack 2, which has many security changes. All Windows XP computers need to have this. After installation, your account will be running with administrative privileges, by default.
On initial startup of your newly-installed Windows XP, running from the default administrative privilege account, open Internet Explorer and access http://www.windowsupdate.com/ and select and install all critical and security updates. If your installer did not include Service Pack 2, install this now. Reboot when prompted and revisit the Windows Update site until Service Pack 2 and all critical updates are installed, again rebooting when prompted.
Service Pack 2 installs the Windows Security Center control panel. It centralizes monitoring and managing three critical security features: automatic updates; virus protection; and firewall.
I believe SP2 sets this automatically, but you can check by selecting Start:Control Panel, opening the Automatic Updates control panel and verifying that "Automatic (recommended)" and "Every day" are selected. Pick a time when your computer is on but idle and select the "OK" button. This will ensure your Windows XP installation will get updates promptly.
At this point, since the install process prompts you to set your network connection details and I've read newly connected computers can be detected and penetrated in as little as twenty minutes, you should install virus protection and update the virus definitions as one of your first tasks.
The installation of Service Pack 2 will enable Windows Firewall. It is set by the Windows Firewall control panel. I happen to use Zone Alarm Pro as my firewall and it runs in place of the Windows firewall.
Now, we begin the conversion and configuration changes needed to run as a non-admin user, creating a separate admin account for when we need to complete administrative tasks, such as installing software.
Under Start:Control Panel, Open "User Accounts" and create a new account, named "Admin". Pick "Computer Administrator" as the account type ("Limited" is the other choice) and select the "Create Account" button to continue. Aaron Margosis' blog entries recommend a blank password for local home accounts:
Starting with Windows XP, a blank password is actually more secure for certain scenarios than a weak password. By default, an account with a blank password can be used only for logging on at the console. It cannot be used for network access, and it cannot be used with RunAs.
He mentions later that if you can trust everyone who has physical access, login with no password is very convenient; just click the picture button by your name. I decided to use passwords. In the main accounts window, select the Admin account and "Create a password". I already have passwords on the other two accounts.
Returning to the User Accounts main screen, under "Pick a Task" select "Change an Account", and select your current login account, which will be the default installation account with administrative privileges. On the account editing screen that appears, select "Change my account type" and select "Limited" on the next screen and "OK". Logout and then log back in. You are now running as a limited user. As my local computer admin, I will usually run as a limited user but know the admin password for when I need to do admin tasks. It is handy to keep notes. I keep a copy book next to the computer as a change log to date and track software installs, problems and troubleshooting.
Download the MakeMeAdmin.cmd file and place it or a shortcut in a handy spot and run it. You will be prompted for the local computer administrative password and then your account password. An admin shell window with a distinctive background color will display. This utility creates a secondary login and will temporarily add you to the administrators group in that session. You can launch programs from this window that will inherit the admin privileges. As a comparison, you can open another command window with Start:Run and 'cmd', and get a command window that runs under your limited privilege account. Compare the output of the following command in both your user and admin windows:
whoami /user /groups
The MakeMeAdmin window will have an additional line showing Administrators group membership. I see by the command prompts that MakeMeAdmin places me in the C:\WINDOWS\system32 directory, while a standard command window places me in C:\Documents and Settings\myusername directory.
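The comparison above can be scripted so that a command window reports its own privilege level. The batch file below is an added example, not part of the original article or of Aaron Margosis' utilities. It assumes whoami.exe is on the PATH and prints English attribute text, and it goes slightly beyond the article by also reporting the Network Configuration Operators group and deny-only entries.

```batch
@echo off
rem Added example (not from the original page): report whether this command
rem window's token carries the groups discussed in the article.
rem Assumption: whoami.exe is on the PATH, as the article's own command needs.
setlocal

set "TMPOUT=%TEMP%\lua_groups_%RANDOM%.txt"
whoami /groups > "%TMPOUT%" 2>nul
if errorlevel 1 (
    echo whoami failed or is not installed.
    del "%TMPOUT%" 2>nul
    exit /b 2
)

rem Well-known SIDs are identical on every installation and language
rem version of Windows, unlike the displayed group names.
call :check S-1-5-32-544 "Administrators"
set ADMIN=%STATE%
call :check S-1-5-32-556 "Network Configuration Operators"

del "%TMPOUT%" 2>nul

rem Exit code: 1 = window holds an enabled Administrators group,
rem 0 = limited window. Other scripts can test this with "if errorlevel 1".
if "%ADMIN%"=="present" exit /b 1
exit /b 0

:check
rem %1 = SID to look for, %2 = friendly name used only for display.
set STATE=absent
findstr /c:"%~1" "%TMPOUT%" >nul && set STATE=present
rem A group marked "deny only" is in the token but grants no access.
rem Assumption: the attribute text is the English "deny only" wording.
findstr /c:"%~1" "%TMPOUT%" | findstr /i /c:"deny only" >nul && set STATE=deny-only
echo [%STATE%] %~2 (%~1)
goto :eof
```

The token is built at logon, so a group added to your account shows as present only in sessions started after the change.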
Download the PrivBar archive. Navigate to its directory in your admin command window (created by MakeMeAdmin) and extract it. This DLL file needs to be placed where all users can read it. In my admin command window from the PrivBar extracted folder, I created a folder for LUA utilities ('mkdir "C:\Program Files\LUA"') and copied PrivBar to that folder (copy PrivBar.dll "C:\Program Files\LUA"). Quit Internet Explorer (IE), if open, then run the command to import the registry values (regsvr32 "C:\Program Files\LUA\PrivBar.dll"). You should see a "succeeded" alert window. Launch IE and select PrivBar from View:Toolbars. I needed to deselect the "Links" and "Lock the Toolbar" options under "View:Toolbars." I manually dragged the new toolbar item with my username to the left until I saw the privilege indicator circle. By the way, PrivBar only works with IE. (I often run Firefox.)
You can open any folder from the desktop or My Computer window and you will be running Explorer. Normally, such a request will look for an existing Explorer process and run with those privileges, based on your Desktop, part of your non-privileged account. Occasionally, you may want to run Explorer under admin privileges, so you need to set Explorer to "Launch folder windows in a separate process", a per-user option that is off by default. Once this flag has been set, you can start explorer.exe with RunAs, or from your admin cmd shell making it possible to isolate Explorer windows from the desktop and taskbar.
"C:\Program Files\Internet Explorer\iexplore.exe"
[or even more simply...]
start iexplore
Here are links to more information on Explorer:
Now that MakeMeAdmin is available, and PrivBar is installed and activated (see above), you are ready to go. Many current programs will run under a limited user account. If you do need to install software or run a program with administrative privileges, you have a couple options.
For running control panels as administrator, launch MakeMeAdmin and type the name of the control panel file. Most are located under "C:\WINDOWS\system32", the default startup folder for MakeMeAdmin, and have the .cpl file extension. Here are a couple control panels:
The same directory contains many Microsoft Common Console (.msc) files, including the items in the Administrative Tools control panel and more. I did find if I opened the Administrative Tools control panel as a limited user, I could right-click the items listed, like "Services", and select "Run As..." to run as Administrator. As an alternative, you can launch "Event Viewer" with "eventvwr" or "Services" with "services.msc" from the MakeMeAdmin command window. See this Microsoft Knowledgebase article for more handy executables.
I missed access to the "Repair" option when I right-click on the Wireless Network Connection icon in the System tray. In my first solution for this, I found an article describing the tasks done by Repair in the Microsoft Knowledgebase. As a result, I created a command file that simulates the Repair utility that I can run from the MakeMeAdmin console window by dropping the ".txt" extension and dragging it to the MakeMeAdmin window—to paste its path at the prompt—then, I press Enter. After running as a limited user for a while, I contacted the author of the non-admin blog and he presented another option:
If you add your regular account to the "Network Configuration Operators" local group, you should be able to use the [Wireless Network Connection] UI directly.
The steps I took to do this were:
I found I could not run "msconfig" from Start:Run so I searched and found the executable file and noted its full path. I then created a new desktop shortcut and entered the path when prompted by the wizard: "C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe". The shortcut is named "msconfig.exe" of course. I can use "RunAs" to run it under administrative privileges.
In addition, I replaced a printer and it used a spooler by default. To change that setting in Printers and Faxes, I needed to access the Advanced tab in the printer properties. It is unavailable in a limited user account and there is no "Run As" option. I found Aaron Margosis has a set of scripts ('.cmd' files) one can drag into a MakeMeAdmin terminal window and run to get admin privileges. See his blog article, "RunAs with Explorer". I print infrequently and I prefer immediate printing to the 5-minute wait that is the standard for the spooler.
There will be unexpected problems. While I found Windows XP Service Pack 2 enables automatic updates and that runs successfully under a limited user account and Symantec's Norton System Works virus definition updates and other Live Update items run well, a scheduled Norton One Button Checkup will not run without administrative privileges. I'll login as admin on a regular basis and run it manually, I guess. I also found my recently purchased version of Spyware Doctor would not run but an update to version 3.2.2 would. Microsoft Antispyware Beta 1 needs administrative privileges. (Beta 2 is due at year's end and should support multi-user, limited privilege accounts. Often, you have to hit discussion groups for information.) I found some problems running an older HTML editor. See my Installing HomeSite 5.5 As a Limited User in Windows XP article for a description of that troubleshooting process.
By the way, I do have one oddball problem I should mention. I found the solution in a Microsoft Knowledgebase (KB) article. Running as a limited user, occasionally I cannot log off via the Start menu. I can always log off via the Task Manager: Ctrl-Alt-Del or a right-click on the Taskbar brings it up, and I select Users and log off. But the problem remains for subsequent sessions. According to the KB article, it is a conflict with Norton Systemworks. The solution is to select Start:Logoff and then Switch User. When the following screen appears, select "Turn Off [computer name]" and Restart. Select continue when it warns you that users are logged in. The computer will reboot and the problem will be fixed.
Visit Aaron Margosis' Non-Admin Blog or the NonAdmin Wiki for many more tips and techniques. The information I include here is mainly for my own use but posted with the thought that others may find it useful.