Guide to limited accounts in Windows XP

Andvari

I recently tried to set up a limited account after a fresh format, and I don't see how it could have been any more complicated. I consider myself pretty computer savvy, and when I couldn't get things how I wanted with two accounts, I felt pretty stupid heh. After all, most advice with setting up additional accounts simply entails "Go to control panel, user accounts, add new account."

I guess it depends on the level of "OCDness" a person has, to determine how much of a walkthrough they need with setting up new accounts. The advice I mentioned above certainly didn't cut it for me. I had my Administrator account (Matt), and made the limited account (Losers). I ran into many "problems", to name a few:


  • I had My Documents/Pictures/Music/Videos in Matt's folder, but in Losers's folder it had Losers's Documents/Pictures/Music/Videos. I tried renaming them to "My" instead of "Losers" and realized that Windows was simply displaying it that way since I was on the Matt account, and not that the folder was actually named that. Well, except for the Videos folder. "My Videos" was literally named My Videos in the Losers's folder, regardless of which account I was on. Why the heck would it be like that in the Losers's folder, but not in the Matt's folder? If that made no sense, good, because it didn't make sense to me either and doesn't really matter, but little stupid things like that bug me.

  • Couldn't change the power schemes in the limited account, and I never want my computer to go in standby. Couldn't figure out how to change that from the administrative account.

  • University requires Cisco Clean Access Agent, and when I tried to log in at startup on my limited account, I clicked the "Remember me" checkbox in Clean Access Agent and it popped up with an error saying "Can't write to file." What a stupid little annoyance.

Anyway, that's not to mention how tedious it is to duplicate settings across the accounts. Backgrounds, folder views, etc etc. People just say to edit the group policies, and I know where that is but it's not exactly intuitive.

People say to do daily use on a limited account and use the administrator account when you need to, but I can't figure out how to affect the limited account FROM the administrator account. SO, is it feasible to instead just raise the limited account to administrative level when needed? For example, create the second account, but make it an administrator as well and then you can set everything up how you like it, and then lower it to a limited account?
 

scottws

Unfortunately limited accounts just don't work as well in Windows as regular user accounts do in Linux.

The problem is two-fold:
1) Microsoft makes new users members of the Administrators group by default (if you use the Control Panel applet).
2) Software vendors seem to assume that everyone is running on an account that is a member of the Administrators or Power Users groups, and sometimes documentation regarding running the software as a simple User is non-existent.

I understand why Microsoft defaults everyone to an administrator account in Windows XP, but it keeps everyone lazy, from the end user to the software programmer.

You can create a limited account and do Run As on executable files. Then it's almost like the prompt for the Root password in Linux. There are limitations though. I don't think you can Run As on MSI files. Also, there are lots of things you just can't do without being logged in as an administrator account. There is no way to Run As for some of them.

My main account at home is a limited user account. It works fairly well. If I need to install or update something, I just log out and log in as Administrator. I have permissions to download files and save them to a certain folder. So I can download what I need, and then either Run As on them, or log in as Administrator.

I haven't quite figured out how to get games to work right as a limited user. I created a Gamers group, that has every permission except Full Control on a folder called C:\Games (where all games are installed), and I am a member of that group. Yet on F.E.A.R., cutscenes don't play, and new levels don't load. I haven't tested much with other games.

Here is a link for creating a mandatory profile in Windows XP: http://support.microsoft.com/default.aspx?scid=kb;en-us;307800&sd=tech
 

Andvari

I could do like I said though, right? Just raise the limited account to administrative levels to set everything up, then lower it back down?
 

stash

Originally posted by: scottws
There are limitations though. I don't think you can Run As on MSI files. Also, there are lots of things you just can't do without being logged in as an administrator account. There is no way to Run As for some of them.

You can do pretty much anything from a command prompt running as the privileged user. 'runas /u:machinename\adminuser cmd'
 

scottws

Originally posted by: Andvari
I could do like I said though, right? Just raise the limited account to administrative levels to set everything up, then lower it back down?
Yeah, you could do that. In fact, I had to do just that to turn off Quicktime from loading when I logged in. It didn't complain when I turned it off in the Quicktime preferences, but I guess since I'm a limited user it just doesn't save the setting. I had to log in as Administrator, add my user account to the Administrators group, then log out as Admin and back in as my user, then turn it off, then go back into Admin to remove myself from the group.

Originally posted by: STaSh
There are limitations though. I don't think you can Run As on MSI files. Also, there are lots of things you just can't do without being logged in as an administrator account. There is no way to Run As for some of them.

You can do pretty much anything from a command prompt running as the privileged user. 'runas /u:machinename\adminuser cmd'
I wasn't aware you could use Run As from a command line. I was actually referring to the right-click context menus. Good tip!
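
The add-to-Administrators, change the setting, remove-again procedure described in the post above, written as a batch script (an added example, not part of the original thread). The script name `tempadmin.cmd` and the account argument are placeholders, and it assumes it is run from a prompt already running as an administrator, such as one opened with the `runas` command quoted above.

```batch
@echo off
rem Added example: temporarily place a limited account in the local
rem Administrators group, then take it out again and verify the result.
rem Assumption: this prompt is already running as an administrator.
rem Usage: tempadmin.cmd <account> grant ^| revoke ^| check
rem The script name and the account name passed in are placeholders.
setlocal
if "%~2"=="" goto usage
set "ACCT=%~1"

if /i "%~2"=="grant"  goto grant
if /i "%~2"=="revoke" goto revoke
if /i "%~2"=="check"  goto check
goto usage

:grant
net localgroup Administrators "%ACCT%" /add
if errorlevel 1 goto failed
echo %ACCT% added. Log off and back on as %ACCT% so the new group
echo membership takes effect, make the setting change, then run:
echo   %~nx0 "%ACCT%" revoke
goto check

:revoke
net localgroup Administrators "%ACCT%" /delete
if errorlevel 1 goto failed
echo %ACCT% removed. Log %ACCT% off so the elevated session ends.
goto check

:check
rem net localgroup prints one member per line; match the whole line exactly
rem so that "Matt" does not also match "Matthew".
net localgroup Administrators | findstr /i /x /c:"%ACCT%" >nul
if errorlevel 1 (
    echo %ACCT% is NOT a member of Administrators.
) else (
    echo %ACCT% IS a member of Administrators.
)
goto :eof

:failed
echo net localgroup failed. Is this prompt running as an administrator?
exit /b 1

:usage
echo Usage: %~nx0 account grant^|revoke^|check
exit /b 2
```

Running the `check` action afterwards confirms the account did not stay in the Administrators group.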

 

cleverhandle

Originally posted by: Andvari
I could do like I said though, right? Just raise the limited account to administrative levels to set everything up, then lower it back down?

For issues that involve one-time writing of a file or registry key, that works fine. (And the Cisco issue sounds like that kind of thing.) I've done similar tricks to set up utilities that touch the hardware (like PowerStrip) for Limited Accounts.

For situations that require broader powers, then you would probably need to use some runas: /savecred tricks.