jaybaz [MS] WebLog : Admin vs. Normal User

RANU: Running Admin Tasks easily

jaybaz_MS — Wed, 14 Jul 2004 17:01:00 GMT

A while back I described the set of shortcuts I use to run things as Administrator, even though I'm logged on as a Limited User.

I've packaged them up for dowload. Enjoy.

Overview

Logging on as a restricted user greatly increases security, protecting you from certain virus & trojan horse attacks, and adheres to the "principle of least priviledge".

However, if your domain user account is a normal user on your machine, it can be challenging to perform certain administrative tasks, like:

Control Panel applets
Administative Tools
Install software from Corpnet
Edit HKLM reg keys

This collection of shortcuts make it easier to run these tools as Administrator.

Setup:

I like to use it as a toolbar on my Windows Task Bar.

(Optional) Copy to your local machine
RClick on the Windows Task Bar
Select Toolbars->New Toolbar
Point to the Admin Tasks folder

Also, it's a good idea to teach windows to run each explorer window as a separate process. This way you can have both Administrator and User explorers open at the same time. See Aaron Margosis' blog for more info.

Details:

CMD

Launch a command prompt as Administrator

CMD w Network Launch a command prompt as Administartor, but with your network credentials

Explorer w Network

Launch explorer.exe as Administartor, but with your network credentials. Requires setting ExplorerSeparateProcess (see above).

Page Defrag

A sysinternals tool that I like for defragmenting my pagefile.

Regedit

Runs regedit as Administrator (relies on a possibly undocumented option to regedit).

Task Manager

Runs Task Manager as Administrator

Control Panel

Runs CPL control panel applets.

Administrative Tools

MMC Snap-ins that appear in Control Panel->Administrative Tools

Administrative Tools->More

Most of these appear under the the Computer Management MMC snap-in, but here you have direct access to them

RANU: smarter CPL and MSC

jaybaz_MS — Mon, 21 Jun 2004 20:43:00 GMT

I wish that .CPLs and .MSCs were smarter about normal users. I want to be a normal user, open a Control Panel applet, and have it prompt me for credentials if needed. Same thing for the administrative tools.

Here's what I do instead.

I create a set of shortcuts in a folder called “Control Panel”:

runas.exe /user:Administrator "control access.cpl"

I even set the icon by pointing it back at the .CPL file.

I do something similar with a folder called “Administrative Tools”:

runas.exe /profile /user:Administrator "mmc %windir%\System32\compmgmt.msc"

Both folders go into the “Admin Tools“ folder, along with

CMD w/ network

runas.exe /env /user:Administrator "runas.exe /user:%USERDOMAIN%\%USERNAME% /env /netonly \"cmd\""

There’s a bug in Windows XP where certain controls running in this mode just won’t paint. It seems to be fixed in Windows Server 2003. Don’t know about Windows XP SP2.

CMD

runas.exe /env /user:Administrator "cmd"

Explorer w/ network. Enable “Launch folder windows in a separate process”, as both yourself & Administrator.

runas.exe /env /user:Administrator "runas.exe /user:%USERDOMAIN%\%USERNAME% /env /netonly \"explorer\""

Task manager

runas.exe /user:Administrator taskmgr.exe

Regedit

runas.exe /user:Administrator regedit.exe –m

The Admin Tools folder then becomes a toolbar on my taskbar. With all this in place, I can get by as a normal user.

RANU: Give me another TS session

jaybaz_MS — Mon, 21 Jun 2004 20:32:00 GMT

If you want to user Windows Terminal Services, Microsoft says you need a server OS. Seems like overkill.

I don't need my Windows XP-based email machine to support 500 concurrent users. I shouldn't need a licensing server & a $1500 OS.

Here's what I really want Windows XP TS to do:

Let me TS from the console to localhost, and get a second session.
Let me TS in remotely to my machine, and select either the console or a second session.

I can almost do this with Fast User Switching, but I'm on a domain.

If I had this, I could keep Administrator logged in to the second session, and myself (User) in the console. Minimal hassle.

While I'm at it, let the second session shadow the console, and vice versa. The Remote Assistance experience is very painful.

RANT: Run as Normal User

jaybaz_MS — Mon, 21 Jun 2004 18:48:00 GMT

AKA “Run as non-admin”. We call it “RANU” around here, or sometimes “why would you do that?”

I have a Linux background. There it seemed obvious to run as 'jbazuzi' sometimes and 'root' other times. But making it work in Windows is just hard.

I don't mind that I can't install most software as a normal user. That's something we'll get to in time. Right now I'm just annoyed that I can't run most apps without being an admin.

I used to play a lot of Everquest. Great game, terrible devs. They save your player-specific and character-specific data in the installation directory (%ProgramFiles%\Sony\Everquest). In the early days it was all in custom binary files, later they moved to text files. They've never heard of %APPDATA%, %HOME%, and the registry? You need to have write access to the application install directory.

I'd like to tell Sony to get on the ball with EQ, and make it work for normal users. It runs in a home environment, often without a firewall or an network guru. It attracts non-techno-geeks so, the audience is particularly susceptible to scams & hoaxes. (Even the scammers get scammed!) Microsoft & Sony need to do our parts to give these users a safe, secure environment.

I bet you run as administrator. I do it, too. I tried hard to run as normal user, on both my development & email machines. It was a big hassle, go figure! Every time I ran into a problem with a tool or VS component, I'd tell the owner. They'd look at me funny & tell me “too bad”.

You really want me to run as normal user, because that'll give you the best chance of a VS that works well as normal user.

Your users really want you to run as normal user, for the same reason.

OK, out of breath, time to take a break from the rant.