Benefits of Vista to an informed enthusiast?

[archcommus]

The UAC thing seems to be a pretty large new feature of Vista. But since I rarely (never?) have issues with letting destructive programs run on my system, I don't feel I need it.

The new integrated search is nice, but I never search. I know where everything is and I browse.

The new GUI is pretty but, like with XP, it's very likely I will revert to some sort of more professional-looking "classic" interface anyway.

Off the top of my head I can't think of many other major new features that'll really enhance my user experience.

So for people like us who don't need protected from the elements, will DX10 be the only thing to make me eventually switch?

 

[stash]

Read through this list and see if there's anything you like.

http://en.wikipedia.org/wiki/Features_new_to_Windows_Vista

 

[archcommus]

Well the list is impressive and makes me want it, but when I sit back and let those features sink in I can't imagine many of them changing my day-to-day usage of the OS much. And considering its current performance with games, and the lack of DX10 hardware and software support, I guess summer 2007 is the earliest I'd be giving this operating system a go.

 

[corkyg]

You can get IE7, WMP11, and prolly DX-10 without having to get Vista. I'm like you - eye candy does not impress me - I like XP Pro with Windows Classic mode.

 

[stash]

prolly DX-10 without having to get Vista

DX10 is Vista only.

 

[nweaver]

The UAC thing is to catch their security up. I haven't used it yet, but if's like using SUDO on a linux box, then it's good progress.

Even if you don't have a problem with stuff, you should still proactivly work to keep it that way. Sudo is a great tool, and if UAC works like it does (ability to provide your own, non admin password to run commands with admin rights, based on policy determining who can run what commands) then it could be very nice.

Not that I'm going to get Vista anytime soon....Deb Stable is working great for all my needs.

 

[stash]

UAC is not like SUDO.

 

[InlineFive]

Originally posted by: archcommus
The UAC thing seems to be a pretty large new feature of Vista. But since I rarely (never?) have issues with letting destructive programs run on my system, I don't feel I need it.

The new integrated search is nice, but I never search. I know where everything is and I browse.

The new GUI is pretty but, like with XP, it's very likely I will revert to some sort of more professional-looking "classic" interface anyway.

Off the top of my head I can't think of many other major new features that'll really enhance my user experience.

So for people like us who don't need protected from the elements, will DX10 be the only thing to make me eventually switch?

Informed enthusiasts shouldn't have to ask.

Originally posted by: stash
UAC is not like SUDO.

Not at all, in my opinion the RC1 implementation of UAC is much better than SUDO. It is very intuitive and I never need to login as an administrator anymore.

 

[Smilin]

Originally posted by: nweaver
The UAC thing is to catch their security up. I haven't used it yet, but if's like using SUDO on a linux box, then it's good progress.

Even if you don't have a problem with stuff, you should still proactivly work to keep it that way. Sudo is a great tool, and if UAC works like it does (ability to provide your own, non admin password to run commands with admin rights, based on policy determining who can run what commands) then it could be very nice.

Not that I'm going to get Vista anytime soon....Deb Stable is working great for all my needs.

UAC is not really at all like SUDO.

probably closest thing to SUDO would be the "runas" command (which has been effectively disabled unless you enable the built in administrator (root) account...which is disabled by default in Vista.

UAC basically lets you logon and run as an admin but it breaks your security token in half (or strips off half of it). If you do something that requires the stripped off part UAC will prompt you to let you know you are about to self-elevate. You don't really ever switch accounts.

Although not the same, if you dig SUDO, I'm pretty sure you'll dig UAC. The idea of both is to keep you at User level but let you do admin-level stuff without major contortions.

 

[CSMR]

Originally posted by: archcommusThe new GUI is pretty but, like with XP, it's very likely I will revert to some sort of more professional-looking "classic" interface anyway.

Resolution independence is something I find interesting. Anyone tried different scalings in the current release candidate?

 

[stash]

probably closest thing to SUDO would be the "runas" command (which has been effectively disabled unless you enable the built in administrator (root) account...which is disabled by default in Vista.

Runas is still there, but only from the command line. Right clicking on a shortcut gives you the 'run as administrator' command now.

You don't really ever switch accounts

You do if you run as a 'real' normal user (not an admin with a split token). If you run as a regular user and you do something that requires elevation, you will be prompted to enter the credentials of an admin account.

This all can be controlled by policy of course. For instance, in corporate environment, you might not want users getting prompted to enter admin creds. That will generate a lot of helpdesk calls ("hey, what's the password?"). Instead, you can configure it so that they'll just get a "you don't have permission to do this" type message.

To me, UAC is much more effective if you actually run as a normal user, and not as an admin with a split token. The consent UAC dialog justs requires an admin user to click ok, whereas the credential UI that a normal users gets requires them to enter credentials.

 

[Smilin]

Originally posted by: stash

probably closest thing to SUDO would be the "runas" command (which has been effectively disabled unless you enable the built in administrator (root) account...which is disabled by default in Vista.

Runas is still there, but only from the command line. Right clicking on a shortcut gives you the 'run as administrator' command now.


kinda depends on the definition of "still there". Sure an .exe still exists but without enabling the builtin\administrator it doesn't do anything.

 

[stash]

Sure an .exe still exists but without enabling the builtin\administrator it doesn't do anything

Sure it does. Runas isn't just for running something as the administrator. You can use it to run something as any other user.

 

[Genx87]

The only thing that interests me atm is the ability to create virtual folders and DX10.
But the stories I am hearing about the clamp down on digital content far outweighs those features.

 

[archcommus]

Originally posted by: stash

probably closest thing to SUDO would be the "runas" command (which has been effectively disabled unless you enable the built in administrator (root) account...which is disabled by default in Vista.

Runas is still there, but only from the command line. Right clicking on a shortcut gives you the 'run as administrator' command now.

You don't really ever switch accounts

You do if you run as a 'real' normal user (not an admin with a split token). If you run as a regular user and you do something that requires elevation, you will be prompted to enter the credentials of an admin account.

This all can be controlled by policy of course. For instance, in corporate environment, you might not want users getting prompted to enter admin creds. That will generate a lot of helpdesk calls ("hey, what's the password?"). Instead, you can configure it so that they'll just get a "you don't have permission to do this" type message.

To me, UAC is much more effective if you actually run as a normal user, and not as an admin with a split token. The consent UAC dialog justs requires an admin user to click ok, whereas the credential UI that a normal users gets requires them to enter credentials.

See I don't want either of these things, though. My computer is not used in a corporate environment. It is mine and I am the only one that uses it. I use an admin-level account because, well, I consider myself an admin and don't have issues with shady software. I know the security guys will yell at this and say it's not safe, but sorry, I don't feel like declaring myself a regular "user" and switching to an admin account every time I want to install certain things. Same goes for UAC in Vista. I don't want to run in a limited account and have to provide credentials every time I want to do certain tasks. Hell, I don't even HAVE credentials (read: password) set for my admin account.

I'm sure many here feel similarly. I'm the only user of my system and I know what I'm downloading and what I'm running. I want to be an admin, period, not a restricted user who has to "self-elevate" all the time.

 

[stash]

So don't. The first user on the system is still in the admins group with a split token. You won't need to enter creds by default, and you can disable UAC completely if you want.

 

[nweaver]

sudo isn't switching accounts, that's SU

The problem with entering credentials of an admin, is that I might not WANT the users to know the credentials for an admin account. Sudo can be set up so that you have groups that can do things (or users). So user1, group2, and user5 can change the IP address (admin function). User 2 cannot. User 2 can restart Apache services, as can group1, user 5 and 1 cannot. All of this is accomplished without them knowing anyone credentials but their own.

Just so I understand this....

User1 wants to restart IIS. He has a standard user account. He goes to restart IIS, and is prompted for...(His password, Aministrator password, Username and password of an admin user...?)


IN the case of SUDO, he runs the command, and it prompts for his OWN password. If he is in the list of allowed to do this..then he does, if not, it tells him he isn't allowed and logs the attempt (changable, I think)

 

[stash]

User1 wants to restart IIS. He has a standard user account. He goes to restart IIS, and is prompted for...(His password, Aministrator password, Username and password of an admin user...?)

He's prompted for the creds of a user with administrative rights. If he doesn't have or know those creds, he'll be denied.

Like I said, UAC is not SUDO.

However, you can control most of these things with user rights and/or ACLs. So you should be able to change the ACL on the IIS service to grant the user permissions to restart. But in that case, he won't be prompted at all, it will just work.

 

[archcommus]

Originally posted by: stash
So don't. The first user on the system is still in the admins group with a split token. You won't need to enter creds by default, and you can disable UAC completely if you want.

I was not aware of this split token feature of the admin account. Perhaps that is the best route, then, so that I do not have to run a restricted account, nor do I have to even set credentials for my admin account, but I DO still have to give the okay for certain tasks, which I suppose is good in the rare event some nasty software gets in there. And simply clicking "OK" won't bother me when doing stuff like installing programs.

 

[Smilin]

Originally posted by: stash

Sure an .exe still exists but without enabling the builtin\administrator it doesn't do anything

Sure it does. Runas isn't just for running something as the administrator. You can use it to run something as any other user.

Try this from a (non-elevated) command prompt:

net stop beep (it will throw an error)
runas /user:anyadminaccount cmd.exe

then from the newly spawned command prompt:
net stop beep (still fails)

Short of enabling the actual administrator account (bad idea) the runas command is now useless.

 

[Smilin]

Originally posted by: archcommus

Originally posted by: stash
So don't. The first user on the system is still in the admins group with a split token. You won't need to enter creds by default, and you can disable UAC completely if you want.

I was not aware of this split token feature of the admin account. Perhaps that is the best route, then, so that I do not have to run a restricted account, nor do I have to even set credentials for my admin account, but I DO still have to give the okay for certain tasks, which I suppose is good in the rare event some nasty software gets in there. And simply clicking "OK" won't bother me when doing stuff like installing programs.

Yep.

You are still technically logged on as an admin, but it splits your token so you run like a user all the time. If something is needed from the admin half of your token it will hit you with a UAC prompt. By default this is simply a "continue" button. You can set it to truly ask for your credentials again, or make it go away altogether.

You know when a UAC prompt is coming because the button you just clicked to do something has a little shield icon on it. After you become used to it you'll hit the continue button quickly because you know it's coming. Yet it doesn't happen in such a way that you just blindly click continue every time you see it. If you get UAC prompted out of the blue something bad is happening and you'll notice.

I was very wary of UAC before I used it for a while because: 1) it *sounded* like a hassle...which is really isn't. 2) I thought I might get used to clicking 'continue' so much it would defeat the purpose and I would monkey-click myself into something I didn't intend.

Once you try it for a while I think you'll be a fan too.

 

[archcommus]

Originally posted by: Smilin

Originally posted by: archcommus

Originally posted by: stash
So don't. The first user on the system is still in the admins group with a split token. You won't need to enter creds by default, and you can disable UAC completely if you want.

I was not aware of this split token feature of the admin account. Perhaps that is the best route, then, so that I do not have to run a restricted account, nor do I have to even set credentials for my admin account, but I DO still have to give the okay for certain tasks, which I suppose is good in the rare event some nasty software gets in there. And simply clicking "OK" won't bother me when doing stuff like installing programs.

Yep.

You are still technically logged on as an admin, but it splits your token so you run like a user all the time. If something is needed from the admin half of your token it will hit you with a UAC prompt. By default this is simply a "continue" button. You can set it to truly ask for your credentials again, or make it go away altogether.

You know when a UAC prompt is coming because the button you just clicked to do something has a little shield icon on it. After you become used to it you'll hit the continue button quickly because you know it's coming. Yet it doesn't happen in such a way that you just blindly click continue every time you see it. If you get UAC prompted out of the blue something bad is happening and you'll notice.

I was very wary of UAC before I used it for a while because: 1) it *sounded* like a hassle...which is really isn't. 2) I thought I might get used to clicking 'continue' so much it would defeat the purpose and I would monkey-click myself into something I didn't intend.

Once you try it for a while I think you'll be a fan too.

How does Vista set it up on default after install? Does it create a user account with admin priveleges alongside an Admin-labeled account (like in XP)? Or does it create a restricted user account that I'd want to abandon after installation and initial setup?

 

[nweaver]

Originally posted by: stash

User1 wants to restart IIS. He has a standard user account. He goes to restart IIS, and is prompted for...(His password, Aministrator password, Username and password of an admin user...?)

He's prompted for the creds of a user with administrative rights. If he doesn't have or know those creds, he'll be denied.

Like I said, UAC is not SUDO.

However, you can control most of these things with user rights and/or ACLs. So you should be able to change the ACL on the IIS service to grant the user permissions to restart. But in that case, he won't be prompted at all, it will just work.

hmm...not quite what I was hoping for from UAC. THe best part about SUDO (imho) is that you don't have to give admin credentials/rights system wide to users. How in depth would changing ACL's/etc be to make someone a "web" admin, so they can modify IIS stuff, start/stop the service, but not have admin rights on the box? Are we talking a couple GPO's, or are we talking registry editing, gpo's, etc?

 

[Smilin]

Originally posted by: archcommus

How does Vista set it up on default after install? Does it create a user account with admin priveleges alongside an Admin-labeled account (like in XP)? Or does it create a restricted user account that I'd want to abandon after installation and initial setup?[/quote]

You provide a first account that is given admin rights (and runs split-token). The "real" administrator account is disabled.

 

[stash]

How in depth would changing ACL's/etc be to make someone a "web" admin, so they can modify IIS stuff, start/stop the service, but not have admin rights on the box? Are we talking a couple GPO's, or are we talking registry editing, gpo's, etc?

With that particular scenario, I'm not exactly sure. You should be able to push out the changes to the service permission with a GPO, but you may need to grant more rights to IIS-specific bits.

Delegation in IIS7 will be a lot easier: http://technet2.microsoft.com/WindowsSe...97-a183-a0798b9a111e1033.mspx?mfr=true