Re: is it necessary for new users to be local admins?

Chip Orange wrote:
We are upgrading to xp, and we need to know should we limit our users so
that they are not local admins.


Yes, yes, a thousand times, yes. There's almost never a good reason to give regular users elevated security permissions.

HOW TO Create and Configure User Accounts in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;279783

HOW TO Set, View, Change, or Remove File and Folder Permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;q308418


Will this break any software in it's normal
day-to-day operations (aside from installation issues)?



WinXP's security paradigm won't "break" any properly designed and compatible applications. However, some poorly coded applications do sometimes require the user to have elevated privileges. If security is of concern to you, such applications should be removed and replaced.

You may experience some problems if the software was designed for Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly designed. Quite simply, the installation routine for this application doesn't "know" how to handle individual user profiles, or the application tries to make changes to "off-limits" sections of the registry or protected Windows system folders. Quite often, you can make this software available to other users by _copying_ the Start Menu folder and Desktop folder shortcuts from the user profile from which the software was installed in the corresponding folders in the user profile(s) in which you'd like the software to be accessible. If the application is something that can/should be made available to all current and future users, copying the shortcuts into the corresponding locations of the All Users profile will do the trick.

For some obscure reason, game developers in particular seem to not understand WinXP's file security paradigm, and require even limited users to have unnecessarily high privileges to protected systems folders. For example, saved games are often stored in a sub-folder under the game's folder within C:\Program Files - a place where no inexperienced or limited user should have write permissions.

NOTE: This may not work if the software requires access to parts of the hard drive and/or registry that are not normally accessible to regular users. (This won't occur if the application was properly written.) If this does prove to be the case, however, you're left with two options: Either grant the necessary users appropriate higher access privileges (either as Power Users or local administrators), or replace the application with one that was properly designed specifically for WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

    Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving
settings on limited accounts, you may need to change permissions on
the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
where "vendor\app" is the key that the software vendor used for your
specific program. Change the permissions on this key to allow Users
full control."


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH
.

Relevant Pages

  • Re: Admin account but do not have full access to private folders
    ... HOW TO Create and Configure User Accounts in Windows XP ... HOW TO Set, View, Change, or Remove File and Folder Permissions ... saved data are often stored in a sub-folder under the application's folder within C:\Program Files - a place where no inexperienced or limited user should ever have write permissions. ... limited accounts, you can fix it to allow limited users to access the ...
    (microsoft.public.windowsxp.security_admin)
  • Re: File Sharing (again - sorry, Pd)
    ... InTerminal, type umask. ... Back in the good old days, Mac OS X user accounts ... The reason that the file permissions are "resetting" each time the ... that folder inherit the ACLs from the folder. ...
    (uk.comp.sys.mac)
  • Re: limited account and installing software
    ... so now they can't install software, but they now can't play the game ... folder and Desktop folder shortcuts from the user profile from which the ... limited accounts, you can fix it to allow limited users to access the ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Limited User program permissions
    ... Quite simply, the application doesn't "know" how to handle individual user profiles with differing security permissions levels, or the application is designed to make to make changes to "off-limits" sections of the Windows registry or protected Windows system folders. ... "If your game or application works with admin accounts, but not with limited accounts, you can fix it to allow limited users to access the program files folder with "change" capability rather than "read" which is the default. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Limited users and Internet access
    ... It's not sharing, it's permissions. ... Set, View, Change, or Remove File and Folder Permissions in Windows ... The problem lies in how they've written their supporting software. ... >>> Administrative accounts! ...
    (microsoft.public.windowsxp.general)