Working outside an admin account: Safe but annoying

Topic

New Reply

WINDOWS By Lincoln Spector You’ve probably been told to have both a standard Windows account for safety’s sake and an administrator account because Wi
[See the full post at: Working outside an admin account: Safe but annoying]

3 users thanked author for this post.

Tom-R, Fred, woody

Reply | Quote

Replies

Tracey Caper: “But let’s face it, most of us have ignored this advice because … well, juggling two accounts isn’t much fun. ”

I completely agree. Same attitude here. If the price of complete safety is to get tied into knots, then give me risk, give me danger, so I can do my job and still have some time left to go out and get something of a life. (Exaggerating just a little here, not a lot, to make a point.)

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I have used standard accounts for most of my Windows computing for years, and it has hardly ever been annoying.  The only times I really needed to get into my Admin account was to install new or updated software, which I do rarely.

Also, since my new laptop has a fingerprint reader, logging in to Admin is practically trivial; I set Windows Hello up so that my right finger opens the Standard account I use 99% of the time; my left finger opens my Admin account.  The left finger also works when I am logged in as Standard, and get a dialogue box requiring Admin credentials to do an install or update.

I think the minor inconvenience (not annoyance) is worth it to give me another layer of protection from ransomeware, etc.

 

 

1 user thanked author for this post.

wavy

Reply | Quote

gtd12345 wrote:

I have used standard accounts for most of my Windows computing for years, and it has hardly ever been annoying.  The only times I really needed to get into my Admin account was to install new or updated software, which I do rarely.

You may be fortunate in that you haven’t managed to end up with some critical piece of software that insists on extra privileges on every startup or so.

I mean, really, I can sort of understand needing admin rights the first time you attach a weird USB instrument and install drivers, but on EVERY USE of the instrument or its dedicated application … sheesh.

Reply | Quote

Right !!
Why do not they (MS) have a whitelist and avoid that uac at every run??

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Thanks for the good article. I’ve been preaching this for a long time.

Let me just say that you should have a little talk with your colleagues here on Ask Woody — even though many of the tweaks and settings they recommend require admin privileges, they *NEVER* tell you that. Obviously, they’re always running as admin [BOO on them] and so don’t notice when they do something that really needs it

Reply | Quote

One thing that I’m constantly annoyed by, is that Windows approximately never tells you which specific privilege you need.

I mean, I’d like to set up accounts that are elevated just enough to do whatever, but…

And also, my most annoying scenario was kindergarten-level educational software on Windows XP. Copy protection or whatever meant it wouldn’t run as a regular user.

That’s when I gave up on “Home” versions of Windows for home use.

1 user thanked author for this post.

wavy

Reply | Quote

I use a non-admin account for normal work in Windows 8.1, and an admin account when needed. It is very easy – whenever admin rights are needed (such as when I am installing a program), I am prompted for my admin password. I type in the admin password and hit OK.

Not only is this very easy, but also I am alerted whenever Windows is trying to perform some privileged task.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

2 users thanked author for this post.

Tom-R, Tom in Az

Reply | Quote

I have never routinely logged on as a member of the Administrators group.  Very, very few procedures require that logged-on level, such as running an in-place upgrade.  The vast majority only require Admin-level privileges.

For those apps and utilities that require elevated privileges, I edit the shortcut by ticking the box by “Run as administrator”.  I have my Admin account setup for PIN, and when UAC pops up, it’s a quick trip to the number pad to launch a program.

For installing apps/programs, I right-click and select Run as administrator, tickle the number pad, and it’s all go from there on out.  It’s much less interuption than clicking File > Save as… when I want to save a new file.  I dare say that I use that more often than run as administrator.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

Computer Specs

1 user thanked author for this post.

Tom-R

Reply | Quote

“But let’s face it, most of us have ignored this advice”
What is the basis for this assertion? I don’t believe it.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

The fact that UAC exists. Microsoft created it to give people running as admin some level of extra protection, because they knew people weren’t running as a limited user.

I don’t do it, because having to type in my password rather than just click a button is inconvenient. It’s one of the things that I was so happy to get away from Linux, where the sudo prompt would always require a password.

It also encourages me to use a less secure password that is easier to type if I actually have to type it all the time. Passwords are better handled by some sort of password manager.

Reply | Quote

https://makemeadmin.com/ a lifesaver (and timesaver).

Reply | Quote

With Windows 7, I use an account with a level of privilege that allows me to right-click and choose “run as an administrator.” I need to do this rather often, to use the command console application, for such things as to start or stop a service, for example when installing patches as Group B, to stop Windows Update from running and blocking my own use of the installer.

I have a separate “Administrator” account I use to create the other accounts, including the one I use regularly and have just described. Also to go to when logging in in Safe Mode.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I get as far as step 4 and select ” I don’t have…” and I just get a “Something went wrong” message. Is this because I have a ‘local” account?

Peter

Reply | Quote

No. Probably because you’re already using a standard user account, not an administrator.

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

I get as far as step 4 and select ” I don’t have…” and I just get a “Something went wrong” message. Is this because I have a ‘local” account?

Peter

b wrote:

No. Probably because you’re already using a standard user account, not an administrator.

Thanks “b” but that’ s not the case. Anyone any other sugestions?

1 user thanked author for this post.

b

Reply | Quote

I already have this setup as advised by Lincoln. I’m on Win 10 1903. The difficulty I have is running the Windows utilities (especially those that appear on right click to the windows logo bottom left, such as Disk Management) as admin. The right click doesn’t work from this submenu. Does anyone have an easy answer for this? Thanks

Reply | Quote

Doing this is very simple, if you allow it to be that way.
I’ve had several jobs where everyone had split accounts, named fairly inconspicuous things (users start with a u, admin accounts start with a) and the digits are all the same except the first letter. Easy peasy lemon squeezy. My current job, we have our account, plus an SA (SysAdmin) account, plus DA (Domain Admin). Again, same digits, other than the finishing letters being added. Very easy.

I do not practice this at home, however, as an IT guy. 🙂 I have 1 admin account on every computer (mine), everyone else in the house is a standard user. No complaints with that setup.

Reply | Quote

[Bundaburra]

You can login as an Administrator, but run selected programs as an ordinary user, via StripMyRights. It’s an old program, but still works with Windows 10.  For example, if you are an Administrator but you want to run Firefox as a normal user, the command line would be similar to

C:\SMR\StripMyRights.exe /L N “C:\Program Files\Mozilla Firefox\Firefox.exe”.

The /L N switch says to run the following  program at the Level of a Normal user.  Put the command in a batch file, call it (for example) Firefox.bat, then whenever you want to run Firefox, just execute Firefox.bat.  Should apply to any other program.

Windows 10 Pro 64 bit 20H2

• This reply was modified 3 years, 10 months ago by Bundaburra.

Reply | Quote

Lincoln, your article appears to apply to local accounts.  But here in my environment, a small private school, everyone logs in to their computers with a domain account.  So would your advice still apply, and it so, how?

Thanks.

Bob

Reply | Quote

Hey Y’all,

As one who has ALWAYS run with an Admin level account this thread intrigued me so I thought I’d do a little experimenting, it’s what I do after all … LOL.

I setup a User level account on my test machine and did some testing. Now a great majority of my computer use revolves around programming (PowerShell, Excel & Access VBA, etc.) and tinkering with Windows. Well needless to say I was frustrated by my access level at every turn.

When running PowerShell  to get Admin access I had to use the Run As Administrator right-click menu option and then provide the password for my Administrator account. This was of course expected. However, what was not expected was that PowerShell now thought I was the Administrator so when I used standard techniques to return directories it returned those for the Administrator not for the User. When I tried to run a program to create a Scheduled Task it created it in the Administrator’s account not the users. You can see where this is going.

Almost all of the tinkering with the registry that I do via PowerShell requires Admin access.
Even getting PowerShell to allow me to run scripts required different settings than with an Admin account.

Instead of: Set-ExecutionPolicy RemoteSigned -Force with an Admin account.

It’s: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force with a User account as that is the only level you have access to.

So it didn’t take to long for me to realize that the way I use my computers the User account is a non-starter.

Don’t get me wrong I have my UAC settings set to:

so I still have a few prompts to click. I do get around that by setting up a lot of Scheduled Tasks with shortcuts to run them that run with administrator access, thus avoiding those prompts for stuff I use all the time. Unfortunately, there was no way I could find to set those up in the User account.

As always just my 2 cents and YMMV! 😎

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

1 user thanked author for this post.

Rick Corbett

Reply | Quote

RG
have you tried save the savcred switch?

%windir%\system32\runas.exe /user:localhost\ralph /savcred "C:\Utilities\ProcessExplorer\procexp.exe"

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc771525%28v=ws.11%29

🤗

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Also some useful info
https://www.tenforums.com/tutorials/63827-run-different-user-windows-10-a.html

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Wavy,

I get this:

C:\Users\UAxxxxx>%windir%\system32\runas.exe /user:localhost\xxxxx /savcred G:\BEKDocs\NonInstPrograms\SysInternals\Autologon.exe
Attempting to start G:\BEKDocs\NonInstPrograms\SysInternals\Autologon.exe as user "localhost\xxxxx" ...
RUNAS ERROR: Unable to run - G:\BEKDocs\NonInstPrograms\SysInternals\Autologon.exe
740: The requested operation requires elevation.

C:\Users\UAxxxxx>

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

I do not know why you got that. But maybe missing quotes? and why ‘Autologon.exe’ try another to test. Is user xxxxx an admin. It has been a while since I use this, I like you have been running as admin and trusting to UAC for a while. (maybe back to XP, when I setup my VM I will check, could be a while)

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

I’ve been running in admin forever.  And I have turned off the UAC prompts.  I’m on the net hours every day.  Have never had a problem.  Your mileage may differ.

Reply | Quote

It has long been the advice to not run as an Administrator user for day-to day use, such as this advice from 2004:

The #1 reason for running as non-admin is to limit your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious or other “undesirable” code finds its way to one of those programs, it also gains unlimited access.

In another discussion on AskWoody a couple of years ago, @mrbrian posted this link:
Why UAC is important and how it can protect you

Reply | Quote

Yes, and that is because we live in a lowest common denominator world where everyone is considered equally dumb and everyone must be protected from themselves.

I think that these harsh warnings tend to make people afraid of technology and computers.

Reply | Quote

The problem is less with the human user’s decision-making, than with automated processes that can run without the human being aware of their presence or effects (until it’s too late)…
🙂

1 user thanked author for this post.

b

Reply | Quote

HATech19 wrote:

But here in my environment, a small private school, everyone logs in to their computers with a domain account.  So would your advice still apply, and it so, how?

In a domain the “standard” is to have all users as non-admin users. If users want to make changes or install software it needs to go through the IT dept so that a, they know about it and b, they can support it. This is particularly important in a school environment because kids love tweaking.

cheers, Paul

Reply | Quote