Benefits of Vista to an informed enthusiast?


stash

Diamond Member
Jun 22, 2000
5,468
0
0
Short of enabling the actual administrator account (bad idea) the runas command is now useless.
I agree that it is useless for running tasks elevated (that's what the run as admin is for, although it sucks that there is no command line equivalent). But it is still useful for running things that don't require admin rights as a different user.
 

archcommus

Diamond Member
Sep 14, 2003
8,115
0
76
Originally posted by: Smilin
Originally posted by: archcommus
How does Vista set it up on default after install? Does it create a user account with admin privileges alongside an Admin-labeled account (like in XP)? Or does it create a restricted user account that I'd want to abandon after installation and initial setup?

You provide a first account that is given admin rights (and runs split-token). The "real" administrator account is disabled.
Sounds perfect. I have no problem with this. Again, though, I don't see it as necessary for myself, and to get back on topic, remember we are discussing Vista features that are useful and make the upgrade worthwhile for common AT folk.

 

InlineFive

Diamond Member
Sep 20, 2003
9,599
2
0
Originally posted by: stash
probably closest thing to SUDO would be the "runas" command (which has been effectively disabled unless you enable the built-in administrator (root) account...which is disabled by default in Vista).
Runas is still there, but only from the command line. Right clicking on a shortcut gives you the 'run as administrator' command now.

You don't really ever switch accounts
You do if you run as a 'real' normal user (not an admin with a split token). If you run as a regular user and you do something that requires elevation, you will be prompted to enter the credentials of an admin account.

This all can be controlled by policy of course. For instance, in a corporate environment, you might not want users getting prompted to enter admin creds. That will generate a lot of helpdesk calls ("hey, what's the password?"). Instead, you can configure it so that they'll just get a "you don't have permission to do this" type message.

To me, UAC is much more effective if you actually run as a normal user, and not as an admin with a split token. The consent UAC dialog just requires an admin user to click OK, whereas the credential UI that a normal user gets requires them to enter credentials.

How do I modify those settings? I haven't been able to find that yet.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
gpedit, under computer config, windows settings, security settings, local policies, security options. All of the UAC settings are at the bottom of the list.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
bleh...I like sudo better, I was hoping Vista would mimic that behavior better.
 

Zebo

Elite Member
Jul 29, 2001
39,398
19
81
I don't know. I'm still trying to figure out why people moved to XP.
 

gsellis

Diamond Member
Dec 4, 2003
6,061
0
0
Originally posted by: Zebo
I don't know. I'm still trying to figure out why people moved to XP.
So I can quit tweaking settings to run some software and games.

In Vista, a new cool mention in the Wiki is the DVD maker. I tried it a few weeks back with a FireWire to WMM, then export after edit to DVD Maker. Encode was fairly quick and the default gives you a motion background (no audio) with motion Picons of all the chapter points. Really cool and easy.

 

PlatinumGold

Lifer
Aug 11, 2000
23,168
0
71
Originally posted by: nweaver
Originally posted by: stash
User1 wants to restart IIS. He has a standard user account. He goes to restart IIS, and is prompted for...(His password, Administrator password, Username and password of an admin user...?)
He's prompted for the creds of a user with administrative rights. If he doesn't have or know those creds, he'll be denied.

Like I said, UAC is not SUDO.

However, you can control most of these things with user rights and/or ACLs. So you should be able to change the ACL on the IIS service to grant the user permissions to restart. But in that case, he won't be prompted at all, it will just work.

hmm...not quite what I was hoping for from UAC. The best part about SUDO (imho) is that you don't have to give admin credentials/rights system wide to users. How in depth would changing ACLs/etc be to make someone a "web" admin, so they can modify IIS stuff, start/stop the service, but not have admin rights on the box? Are we talking a couple GPOs, or are we talking registry editing, GPOs, etc?

I haven't played with UAC myself, but if I understand correctly, you don't have to give Admin rights to ANYONE, you can assign the rights to a group of users (what 2000 and up calls Organizational Unit) and then put the user in that group.

So, anyone in that OU would have rights to administer IIS but wouldn't have Admin rights to the whole domain / system.
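
Added example, not part of the thread: the service-ACL delegation stash mentions above ("change the ACL on the IIS service to grant the user permissions to restart"), sketched in PowerShell. It parses a service security descriptor of the kind `sc.exe sdshow` prints, reports who may start and stop the service, and builds a descriptor with one extra allow entry. The sample SDDL string, the SID and the function names are constructed for illustration, `W3SVC` is assumed as the IIS service name, and deny entries are not evaluated.

```powershell
# Two-letter SDDL codes as they apply to service objects.
$ServiceRights = @{
    CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'; SW = 'EnumerateDependents'
    RP = 'Start'; WP = 'Stop'; DT = 'PauseContinue'; LO = 'Interrogate'
    CR = 'UserDefinedControl'; SD = 'Delete'; RC = 'ReadControl'; WD = 'WriteDac'; WO = 'WriteOwner'
}

function Get-ServiceAclEntry {
    param([string]$Sddl)
    # Isolate the DACL: "D:", optional flags, then one or more (ACE) groups.
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*((?:\([^)]*\))+)')
    if (-not $dacl.Success) { return }
    foreach ($ace in [regex]::Matches($dacl.Groups[1].Value, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object guid;inherit guid;trustee
        $f = $ace.Groups[1].Value -split ';'
        $names = foreach ($code in [regex]::Matches($f[2], '[A-Z]{2}')) { $ServiceRights[$code.Value] }
        [pscustomobject]@{ Type = $f[0]; Trustee = $f[5]; Rights = @($names) }
    }
}

function Test-CanRestart {
    param([string]$Sddl, [string]$Trustee)
    # Simplification: only allow ACEs naming this exact trustee are considered.
    $allowed = Get-ServiceAclEntry $Sddl |
        Where-Object { $_.Type -eq 'A' -and $_.Trustee -eq $Trustee } |
        ForEach-Object { $_.Rights }
    ($allowed -contains 'Start') -and ($allowed -contains 'Stop')
}

function Add-ServiceRestartAce {
    param([string]$Sddl, [string]$Sid)
    # Query status + start + stop only: no config change, no WriteDac, no admin rights.
    $ace = "(A;;LCRPWP;;;$Sid)"
    $sacl = [regex]::Match($Sddl, 'S:[A-Z]*\(')   # keep the new ACE inside the DACL
    if ($sacl.Success) { $Sddl.Insert($sacl.Index, $ace) } else { $Sddl + $ace }
}

# Constructed sample descriptor and placeholder SID (not taken from a real host).
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
$sid    = 'S-1-5-21-1111111111-2222222222-3333333333-1001'

Get-ServiceAclEntry $sample | Format-Table Type, Trustee, Rights
Test-CanRestart $sample 'IU'            # interactive users before the change
$new = Add-ServiceRestartAce $sample $sid
Test-CanRestart $new $sid               # delegated account after the change
# On a real host, from an elevated prompt: sc.exe sdshow W3SVC  /  sc.exe sdset W3SVC $new
```

Reviewing the parsed entries before and after the change shows exactly which trustees hold Start and Stop, which is also a quick way to audit a service for entries that grant ChangeConfig or WriteDac to non-admin accounts.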