News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Working outside an admin account: Safe but annoying

    Posted on Tracey Capen Comment on the AskWoody Lounge

    Home Forums AskWoody blog Working outside an admin account: Safe but annoying

    This topic contains 29 replies, has 20 voices, and was last updated by  petermat 2 weeks, 6 days ago.

    • Author
      Posts
    • #2007077 Reply
    • #2007114 Reply

      OscarCP
      AskWoody Plus

      Tracey Caper: “But let’s face it, most of us have ignored this advice because … well, juggling two accounts isn’t much fun.

      I completely agree. Same attitude here. If the price of complete safety is to get tied into knots, then give me risk, give me danger, so I can do my job and still have some time left to go out and get something of a life. (Exaggerating just a little here, not a lot, to make a point.)

      Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx

    • #2007263 Reply

      gtd12345
      AskWoody Plus

      I have used standard accounts for most of my Windows computing for years, and it has hardly ever been annoying.  The only times I really needed to get into my Admin account was to install new or updated software, which I do rarely.

      Also, since my new laptop has a fingerprint reader, logging in to Admin is practically trivial; I set Windows Hello up so that my right finger opens the Standard account I use 99% of the time; my left finger opens my Admin account.  The left finger also works when I am logged in as Standard, and get a dialogue box requiring Admin credentials to do an install or update.

      I think the minor inconvenience (not annoyance) is worth it to give me another layer of protection from ransomeware, etc.

       

       

      1 user thanked author for this post.
      • #2007312 Reply

        mn–
        AskWoody Lounger

        I have used standard accounts for most of my Windows computing for years, and it has hardly ever been annoying.  The only times I really needed to get into my Admin account was to install new or updated software, which I do rarely.

        You may be fortunate in that you haven’t managed to end up with some critical piece of software that insists on extra privileges on every startup or so.

        I mean, really, I can sort of understand needing admin rights the first time you attach a weird USB instrument and install drivers, but on EVERY USE of the instrument or its dedicated application … sheesh.

        • #2007555 Reply

          wavy
          AskWoody Plus

          Right !!
          Why do not they (MS) have a whitelist and avoid that uac at every run??

          🍻

          Just because you don't know where you are going doesn't mean any road will get you there.
    • #2007337 Reply

      berniec
      AskWoody Plus

      Thanks for the good article. I’ve been preaching this for a long time.

      Let me just say that you should have a little talk with your colleagues here on Ask Woody — even though many of the tweaks and settings they recommend require admin privileges, they *NEVER* tell you that. Obviously, they’re always running as admin [BOO on them] and so don’t notice when they do something that really needs it

      • #2007434 Reply

        mn–
        AskWoody Lounger

        One thing that I’m constantly annoyed by, is that Windows approximately never tells you which specific privilege you need.

        I mean, I’d like to set up accounts that are elevated just enough to do whatever, but…

        And also, my most annoying scenario was kindergarten-level educational software on Windows XP. Copy protection or whatever meant it wouldn’t run as a regular user.

        That’s when I gave up on “Home” versions of Windows for home use.

        1 user thanked author for this post.
    • #2007437 Reply

      MrJimPhelps
      AskWoody_MVP

      I use a non-admin account for normal work in Windows 8.1, and an admin account when needed. It is very easy – whenever admin rights are needed (such as when I am installing a program), I am prompted for my admin password. I type in the admin password and hit OK.

      Not only is this very easy, but also I am alerted whenever Windows is trying to perform some privileged task.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      2 users thanked author for this post.
    • #2007483 Reply

      bbearren
      AskWoody MVP

      I have never routinely logged on as a member of the Administrators group.  Very, very few procedures require that logged-on level, such as running an in-place upgrade.  The vast majority only require Admin-level privileges.

      For those apps and utilities that require elevated privileges, I edit the shortcut by ticking the box by “Run as administrator”.  I have my Admin account setup for PIN, and when UAC pops up, it’s a quick trip to the number pad to launch a program.

      For installing apps/programs, I right-click and select Run as administrator, tickle the number pad, and it’s all go from there on out.  It’s much less interuption than clicking File > Save as… when I want to save a new file.  I dare say that I use that more often than run as administrator.

      Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
      "The problem is not the problem. The problem is your attitude about the problem. Savvy?"—Jack Sparrow
      "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
      "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      1 user thanked author for this post.
    • #2007487 Reply

      samak
      AskWoody Plus

      “But let’s face it, most of us have ignored this advice”
      What is the basis for this assertion? I don’t believe it.

      W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

      • #2007767 Reply

        anonymous

        The fact that UAC exists. Microsoft created it to give people running as admin some level of extra protection, because they knew people weren’t running as a limited user.

        I don’t do it, because having to type in my password rather than just click a button is inconvenient. It’s one of the things that I was so happy to get away from Linux, where the sudo prompt would always require a password.

        It also encourages me to use a less secure password that is easier to type if I actually have to type it all the time. Passwords are better handled by some sort of password manager.

    • #2007376 Reply

      anonymous

      https://makemeadmin.com/ a lifesaver (and timesaver).

    • #2007556 Reply

      OscarCP
      AskWoody Plus

      With Windows 7, I use an account with a level of privilege that allows me to right-click and choose “run as an administrator.” I need to do this rather often, to use the command console application, for such things as to start or stop a service, for example when installing patches as Group B, to stop Windows Update from running and blocking my own use of the installer.

      I have a separate “Administrator” account I use to create the other accounts, including the one I use regularly and have just described. Also to go to when logging in in Safe Mode.

      Windows 7 Professional, SP1, x64 Group B & macOS + Linux (Mint) => Win7 Group W + Mac&Lx

    • #2007568 Reply

      petermat
      AskWoody Plus

      I get as far as step 4 and select ” I don’t have…” and I just get a “Something went wrong” message. Is this because I have a ‘local” account?

      Peter

      • #2008786 Reply

        b
        AskWoody Plus

        No. Probably because you’re already using a standard user account, not an administrator.

        Windows 10 Pro Version 1909 (Group ASAP)

        • #2010367 Reply

          petermat
          AskWoody Plus

          I get as far as step 4 and select ” I don’t have…” and I just get a “Something went wrong” message. Is this because I have a ‘local” account?

          Peter

          No. Probably because you’re already using a standard user account, not an administrator.

          Thanks “b” but that’ s not the case. Anyone any other sugestions?

          1 user thanked author for this post.
          b
    • #2007618 Reply

      peterb001
      AskWoody Plus

      I already have this setup as advised by Lincoln. I’m on Win 10 1903. The difficulty I have is running the Windows utilities (especially those that appear on right click to the windows logo bottom left, such as Disk Management) as admin. The right click doesn’t work from this submenu. Does anyone have an easy answer for this? Thanks

    • #2007627 Reply

      zero2dash
      AskWoody Lounger

      Doing this is very simple, if you allow it to be that way.
      I’ve had several jobs where everyone had split accounts, named fairly inconspicuous things (users start with a u, admin accounts start with a) and the digits are all the same except the first letter. Easy peasy lemon squeezy. My current job, we have our account, plus an SA (SysAdmin) account, plus DA (Domain Admin). Again, same digits, other than the finishing letters being added. Very easy.

      I do not practice this at home, however, as an IT guy. 🙂 I have 1 admin account on every computer (mine), everyone else in the house is a standard user. No complaints with that setup.

    • #2007819 Reply

      Bundaburra
      AskWoody Plus

      You can login as an Administrator, but run selected programs as an ordinary user, via StripMyRights. It’s an old program, but still works with Windows 10.  For example, if you are an Administrator but you want to run Firefox as a normal user, the command line would be similar to

      C:\SMR\StripMyRights.exe /L N “C:\Program Files\Mozilla Firefox\Firefox.exe”.

      The /L N switch says to run the following  program at the Level of a Normal user.  Put the command in a batch file, call it (for example) Firefox.bat, then whenever you want to run Firefox, just execute Firefox.bat.  Should apply to any other program.

      Windows 10 Pro 64 bit 1903

      • This reply was modified 3 weeks, 4 days ago by  Bundaburra.
    • #2008607 Reply

      HATech19
      AskWoody Plus

      Lincoln, your article appears to apply to local accounts.  But here in my environment, a small private school, everyone logs in to their computers with a domain account.  So would your advice still apply, and it so, how?

      Thanks.

      Bob

    • #2008650 Reply

      RetiredGeek
      AskWoody MVP

      Hey Y’all,

      As one who has ALWAYS run with an Admin level account this thread intrigued me so I thought I’d do a little experimenting, it’s what I do after all … LOL.

      I setup a User level account on my test machine and did some testing. Now a great majority of my computer use revolves around programming (PowerShell, Excel & Access VBA, etc.) and tinkering with Windows. Well needless to say I was frustrated by my access level at every turn.

      When running PowerShell  to get Admin access I had to use the Run As Administrator right-click menu option and then provide the password for my Administrator account. This was of course expected. However, what was not expected was that PowerShell now thought I was the Administrator so when I used standard techniques to return directories it returned those for the Administrator not for the User. When I tried to run a program to create a Scheduled Task it created it in the Administrator’s account not the users. You can see where this is going.

      Almost all of the tinkering with the registry that I do via PowerShell requires Admin access.
      Even getting PowerShell to allow me to run scripts required different settings than with an Admin account.

      Instead of: Set-ExecutionPolicy RemoteSigned -Force with an Admin account.

      It’s: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force with a User account as that is the only level you have access to.

      So it didn’t take to long for me to realize that the way I use my computers the User account is a non-starter.

      Don’t get me wrong I have my UAC settings set to:

      UACSettings
      so I still have a few prompts to click. I do get around that by setting up a lot of Scheduled Tasks with shortcuts to run them that run with administrator access, thus avoiding those prompts for stuff I use all the time. Unfortunately, there was no way I could find to set those up in the User account.

      As always just my 2 cents and YMMV! 😎

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      Attachments:
      1 user thanked author for this post.
    • #2008682 Reply

      wavy
      AskWoody Plus

      Also some useful info
      https://www.tenforums.com/tutorials/63827-run-different-user-windows-10-a.html

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
    • #2008728 Reply

      RetiredGeek
      AskWoody MVP

      Wavy,

      I get this:

      C:\Users\UAxxxxx>%windir%\system32\runas.exe /user:localhost\xxxxx /savcred G:\BEKDocs\NonInstPrograms\SysInternals\Autologon.exe
      Attempting to start G:\BEKDocs\NonInstPrograms\SysInternals\Autologon.exe as user "localhost\xxxxx" ...
      RUNAS ERROR: Unable to run - G:\BEKDocs\NonInstPrograms\SysInternals\Autologon.exe
      740: The requested operation requires elevation.
      
      C:\Users\UAxxxxx>
      

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      • #2009045 Reply

        wavy
        AskWoody Plus

        I do not know why you got that. But maybe missing quotes? and why ‘Autologon.exe’ try another to test. Is user xxxxx an admin. It has been a while since I use this, I like you have been running as admin and trusting to UAC for a while. (maybe back to XP, when I setup my VM I will check, could be a while)

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
    • #2008768 Reply

      ibe98765
      AskWoody Plus

      I’ve been running in admin forever.  And I have turned off the UAC prompts.  I’m on the net hours every day.  Have never had a problem.  Your mileage may differ.

      • #2008779 Reply

        Kirsty
        Da Boss

        It has long been the advice to not run as an Administrator user for day-to day use, such as this advice from 2004:

        The #1 reason for running as non-admin is to limit your exposure. When you are an admin, every program you run has unlimited access to your computer. If malicious or other “undesirable” code finds its way to one of those programs, it also gains unlimited access.

        In another discussion on AskWoody a couple of years ago, @mrbrian posted this link:
        Why UAC is important and how it can protect you

        • #2010101 Reply

          ibe98765
          AskWoody Plus

          Yes, and that is because we live in a lowest common denominator world where everyone is considered equally dumb and everyone must be protected from themselves.

          I think that these harsh warnings tend to make people afraid of technology and computers.

          • #2010200 Reply

            Kirsty
            Da Boss

            The problem is less with the human user’s decision-making, than with automated processes that can run without the human being aware of their presence or effects (until it’s too late)…
            🙂

            1 user thanked author for this post.
            b
    • #2008807 Reply

      Paul T
      AskWoody MVP

      But here in my environment, a small private school, everyone logs in to their computers with a domain account.  So would your advice still apply, and it so, how?

      In a domain the “standard” is to have all users as non-admin users. If users want to make changes or install software it needs to go through the IT dept so that a, they know about it and b, they can support it. This is particularly important in a school environment because kids love tweaking.

      cheers, Paul

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Working outside an admin account: Safe but annoying

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.