ADMINISTRATOR vs Administrator USer
AIANDAS
is there a difference between the Administrator one gets when you log in in
SAFE MODE vs an account that is declared Administrator in a USER account
context?
My gut tells me the SAFE MODE Administrator takes precedence? But of course
I could be wrong and this is the reason I need to ask here. Thanks in advance!
![PA Bear [MS MVP]'s profile photo](http://lh3.googleusercontent.com/a-/ALV-UjXsf05hH-R8XChS3fXPPzfoO8FYYxAKhT86KfPnIELr3QJ9tQ=s40-c)
PA Bear [MS MVP]
Jim
"AIANDAS" <AIA...@discussions.microsoft.com> wrote in message
news:37684048-83C9-4E9F...@microsoft.com...
All accounts which are members of the administrators group are equal.
Your are doubtless describing XP Home, as the built in administrator account
can only be accessed in safe mode. In XP Pro, though, you can logon as
administrator in safe or normal mode.
Jim
Patrick Keenan
"AIANDAS" <AIA...@discussions.microsoft.com> wrote in message
news:37684048-83C9-4E9F...@microsoft.com...
The Administrator account is a specific named account. Other accounts with
Administrator rights are different accounts.
AIANDAS
administrator is still administrator.
OK then next question is there a way one administrator can supercede the
restrictions over another, where the other cannot supercede the previous?
I want to have an ALPHA Administrator and all other administrators on this
machine be secondary and tertiary in power.
Jim
the user wants whenever the user wants it done.
Jimnews:FBA013A3-2DEE-4043...@microsoft.com...
AIANDAS
ALPHA over another?
AIANDAS
designated as administrator or how do I define one administrator as a power
user and another not?
Is there a link that give me detailed info on administrators and various
flavours of users?
John Wunderlich
in news:9FDA5524-82B5-481F...@microsoft.com:
> OK so what I am hearing in XP Pro there is no way to make one
> administrator ALPHA over another?
>
>
Any adminstrator can, for example, deny access to a file by any other
user -- whether administrator or not (even himself). However, if
that other user is also a member of the "administrators" group, then
they have the power to change the access rights of that file back so
they can again access that file.
You can, if you want, create another group e.g. "subadmins" and grant
members of that group an admin privilege subset using the Group
Policy Editor (start->run->gpedit.msc). This assumes XP Pro.
"How To Use the Group Policy Editor to Manage Local Computer Policy
in Windows XP"
<http://support.microsoft.com/kb/307882>
HTH,
John
Patrick Keenan
> OK so what I am hearing in XP Pro there is no way to make one
> administrator
> ALPHA over another?
Well, that really wasn't your first question.
What you should be hearing is that the Administrator account is a built-in
account that should not ever be used as a regular account, only for
maintenance. You should be hearing that other Administrator-level accounts
can be created with full and equal rights, but those are *not the
Administrator account*, just as my car is not your car even if they are
identical models.
You can also via policies do things to alter the situation, but what exactly
is it that you wish to accomplish?
HTH
-pk
Shenan Stanley
> Aren't there various flavours of users, i.e., power user et al? Can
> these be designated as administrator or how do I define one
> administrator as a power user and another not?
> Is there a link that give me detailed info on administrators and
> various flavours of users?
Let's make this easy.
If a user is a member of the "administrators" group - they are all-powerful
(except in personalized worlds - like encrypted data - and even then, they
could (if the other users are unwise in their best practices) make said
encrypted data *lost* to the other user completely.)
If a user is a member of the "administrators" group - no matter their other
memberships - they can do what they want to whom ever they want on said
system. If another member of the "administrators" group changes something
on their account, they can retaliate and do the same.
As far as I am concerned (the following is my opinion, my take on things) -
despite some people's usage of the "power users" group - there are only a
few levels of users.
When dealing with users - you give them *as little* power as
possible/plausible and grant them only the additional power they need. You
do not give them 'all powerful' rights and then try to limit them.
- Guest (these people cannot do much of anything, fairly unused level.)
- User (very limited, no installation rights, etc.)
- Modified User (this is not a built-in group, but a user whom I have
granted an extra right or three...)
- Administrator (full ownage of everything in said system.)
Power Users is supposed to be a group that can install certain things, do
certain things - but I have always found their power too broad to be useful
in restricting people. Power Users still get infections that affect all
other users, they can install software that affect all other users, etc.
I'd rather not have that sort of user on a multi-user system and I would
rather only have a single administrator (although there may be multiple
adminstrator level accounts - for 'oops' situations.)
My suggestion is to limit the usage of the "administrators" group as much as
possible. Create all "users" and if you must, grant certain users 'special
powers'.
http://technet.microsoft.com/en-us/library/bb456992.aspx
http://support.microsoft.com/kb/279783
--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
AIANDAS
Now in XP Pro we have 2 choices. Administrator and Limited Accounts. So there
is one user @ home that whines if I don't make them an Administrator but
don't trust their internet savvy to not get us into some kind of trouble. So
I do make them an administrator but I need to find a way to limit their
access without making them Limited.
Somebody mentioned Sub-Administrator. How do I make them a Sub-Administrator?
Shenan Stanley
> Well I want there to be one ADMINISTRATOR that can control all the
> others. Now in XP Pro we have 2 choices. Administrator and Limited
> Accounts. So there is one user @ home that whines if I don't make
> them an Administrator but don't trust their internet savvy to not
> get us into some kind of trouble. So I do make them an
> administrator but I need to find a way to limit their access
> without making them Limited.
> Somebody mentioned Sub-Administrator. How do I make them a
> Sub-Administrator?
You have to let them whine. If they cannot be trusted with power, then
certainly don't give it to them.
You have chosen badly by making them administrators. They do not *need* to
be adminstrators to utilize the computer. In fact - best practice is for
them *not* to be an administrator while performing daily tasks.
Patrick Keenan
> Well I want there to be one ADMINISTRATOR that can control all the others.
Then you have to limit the other accounts in some way, and not give them
administrator permissions.
> Now in XP Pro we have 2 choices. Administrator and Limited Accounts. So
> there
> is one user @ home that whines if I don't make them an Administrator but
But, there's a saying. "Too bad".
What exactly do they need Admin permissions to do?
> don't trust their internet savvy to not get us into some kind of trouble.
> So
> I do make them an administrator but I need to find a way to limit their
> access without making them Limited.
If they are administrators, their access is by definition unlimited.
Power User might be an option.
> Somebody mentioned Sub-Administrator. How do I make them a
> Sub-Administrator?
Never heard of it.
AIANDAS
Thank you very much this was very insightful.
C.Joseph Drayton
There is a program that was written by one of the MVPs here
called WindowsXP Security Console that will allow you to
achieve what you want.
You of course must install it as an administrator. Then the
next thing you do is load each users profile, and restrict
their use of the WindowsXP Security Console. Also make sure
that you load the default user profile and place the same
restriction there. Once you have done that, you can than
restrict the 'administrators' access without them being able
to over-ride that restriction. Of course if they get into
your account (which still has policy setting capability),
then all bets are off.
One word of caution do not accidentally restrict your your
access to the WindowsXP Security Console, or you will find
that you can no longer make any policy changes.
BTW, the WindowsXP Security Console works with all versions
of XP that I have tested including the 64bit version.
Sincerely,
C.Joseph Drayton, Ph.D. AS&T
CSD Computer Services
Web site: http://csdcs.site90.net/
E-mail: cjo...@csdcs.site90.net
Shenan Stanley
> There is a program that was written by one of the MVPs here
> called WindowsXP Security Console that will allow you to
> achieve what you want.
>
> You of course must install it as an administrator. Then the
> next thing you do is load each users profile, and restrict
> their use of the WindowsXP Security Console. Also make sure
> that you load the default user profile and place the same
> restriction there. Once you have done that, you can than
> restrict the 'administrators' access without them being able
> to over-ride that restriction. Of course if they get into
> your account (which still has policy setting capability),
> then all bets are off.
>
> One word of caution do not accidentally restrict your your
> access to the WindowsXP Security Console, or you will find
> that you can no longer make any policy changes.
>
> BTW, the WindowsXP Security Console works with all versions
> of XP that I have tested including the 64bit version.
Are you speaking of:
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
??
If so - I don't think it does what you seem to be representing it does. An
administrative level user in Windows XP is all powerful and running the
given software or not - an administrative level account can do whatever they
desire to do on Windows XP. You can *attempt* to limit things on
adminstrative level accounts in many ways - all of which will be failures in
the end.
You either create limited users (just plain old user accounts) or you deal
with the consequences of everyone having elevated privs with non-technical
methods (because if they have _any_ technical skills (even if they don't
they can still infest/infect the machine) or just the normal propensity for
mischief - you've wasted a lot of time trying to take away rights they never
should have had.)
John Wunderlich
news:gnmpl9$q48$1...@news.motzarella.org:
You probably should have replied to the OP rather than me, but I'll go
ahead and provide the link:
<http://www.dougknox.com/xp/utils/xp_securityconsole.htm>
HTH,
John
C.Joseph Drayton
Yes, that is the application I am referring to, and if you
set restrictions as to applications that they can use, then
yes it does work as I described.
As to whether the program can be circumvented I don't know.
I know that I have had it used by different sites for a
number of years with no problems. The users at those sites
could simply not be technical enough to bypass the security
that the program uses. I do know that it works, and yes it
is a pain to set up the restrictions but from what the OP
said, I think it is as application that he might want to
look at.
Shenan Stanley
http://groups.google.com/group/microsoft.public.windowsxp.general/browse_frm/thread/204190216d338284
(archived indefinitely)
C.Joseph Drayton wrote:
> There is a program that was written by one of the MVPs here
> called WindowsXP Security Console that will allow you to
> achieve what you want.
>
> You of course must install it as an administrator. Then the
> next thing you do is load each users profile, and restrict
> their use of the WindowsXP Security Console. Also make sure
> that you load the default user profile and place the same
> restriction there. Once you have done that, you can than
> restrict the 'administrators' access without them being able
> to over-ride that restriction. Of course if they get into
> your account (which still has policy setting capability),
> then all bets are off.
>
> One word of caution do not accidentally restrict your your
> access to the WindowsXP Security Console, or you will find
> that you can no longer make any policy changes.
>
> BTW, the WindowsXP Security Console works with all versions
> of XP that I have tested including the 64bit version.
Shenan Stanley wrote:
> Are you speaking of:
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> ??
>
> If so - I don't think it does what you seem to be representing it
> does. An administrative level user in Windows XP is all powerful
> and running the given software or not - an administrative level
> account can do whatever they desire to do on Windows XP. You can
> *attempt* to limit things on adminstrative level accounts in many
> ways - all of which will be failures in the end.
>
> You either create limited users (just plain old user accounts) or
> you deal with the consequences of everyone having elevated privs
> with non-technical methods (because if they have _any_ technical
> skills (even if they don't they can still infest/infect the
> machine) or just the normal propensity for mischief - you've wasted
> a lot of time trying to take away rights they never should have
> had.)
C.Joseph Drayton wrote:
> Yes, that is the application I am referring to, and if you
> set restrictions as to applications that they can use, then
> yes it does work as I described.
>
> As to whether the program can be circumvented I don't know.
> I know that I have had it used by different sites for a
> number of years with no problems. The users at those sites
> could simply not be technical enough to bypass the security
> that the program uses. I do know that it works, and yes it
> is a pain to set up the restrictions but from what the OP
> said, I think it is as application that he might want to
> look at.
If a user is an administrator, they can circumvent almost everything you do
to try and limit them. The only exceptions are related to security that is
secondary (like encryption.)
I should also point out that technical savvy (or appearance of) is easily
gained with Internet searches - or at least enough to get around limitation
one might impose the way you have suggested. ;-)
IMO, it is *always* better to start with the lowest possible permissions and
grant only what is necessary than start by giving someone everything and
trying to take things away.
C.Joseph Drayton
Unfortunately there is software that will only run properly
when run on an administrator account.
As to getting past the limitations imposed by WindowsXP
Security Console. Once you have blocked the following with
it the person would have to be fairly clever to find a way in;
1) 'Run' & 'RunAs' commands
2) Regedit
3) GPEdit
4) Compmgmt.msc
5) Block running of executable through Explorer
6) Block use of WindowsXP Security Console
7) Block userpasswords2
8) Block command prompt
9) Block ActiveX and Javascript
There are probably a few more that I am leaving out, but you
get the idea. The idea basically is to simply block
apps/utilities that can allow the user to elevate or change
their privileges.
Shenan Stanley
There are very few - very very few - modern applications that require
administrative privileges to be used by the users of a computer and I would
venture to go so far that the ones that are left are for a very specific
audience (perhaps those working at the hardware level, perhaps the actual
system admins to do something system-wide/more risky than a normal user
would do, etc) and any other software that actually *requires* the user to
be an administrator to 'run properly' (truly requires it - cannot just be
granted access to some registry key, directory, etc and does not fall into
the exceptions list mentioned) might be better replaced with something else.
Why? It just opens you up to do the one thing I have never seen anyone say,
"You know what would be the best thing everyone could do on a computer is?
Run all day, every day as an administrative level user."
The program you are using was originally meant for Windows XP Home Edition
users - not Professional. Although it works the same either way. For the
Windows XP Professional Edition users, it evolved to be useful because the
Group Policy Editor did not have built-in ways to limit a specific user - or
"you'd have to fully understand what you are doing if you did not utilize
the tool." --> Something I think you should.
While I know there are things out there that have difficulties in running as
a non-administrative level user, I know there are programs that either
replace those or simple work-arounds that make them work properly under the
limited accounts. There may still be applications out there that require
the heightened privs all around - but as I said earlier - those are few
(very few) and I'll add that those applications should be put off onto a
computer not used for daily activities (and likely are anyway - just by
design.)
My point has still not changed. I believe you should not start with
administrative rights and start taking away things. You are just asking for
trouble. Here are some matches, here is some gasoline, but don't catch
anything on fire. Putting forth twice (or more) the effort to accomplish
something that is more smoke-screen than reality and that could have been
accomplished in a more easily repeatable way, likely faster, by figuring out
what the applications that have trouble running as non-admins really need
and changing just that - but leaving the users as just plain-old
non-powerful (built-in, less likely you missed something) user accounts.
*shrug* Just seems to be more work than it's worth.
Everything you listed there - the method by which it was done/can be undone
can be found on the Internet (likely by a registry change.) Sure - maybe
someone might have to start by booting the machine to a side-OS or hacking
it in some other way - but also - with a creative thought or two, maybe not.
If someone wants to come here and tell me why I should start telling people
to start with all administrative level accounts and just lock those accounts
down with group policy/registry hacks (either overall through HKLM or per
user via HKCU), I'll listen with curiosity and perhaps fascination. Perhaps
they'll have a point or two I can lock onto and agree with. I'm not so sure
it would be an easy argument on their side.
Until then, I will still say you are better off starting with the least
privileged level of accounts for most people and granting them specifically
what they need (fixing access for the broken applications in the
registry/file&folder structure (and taking note of it for the future))
instead of granting them administrative power over the machine and working
to remove the powers you don't want them using.
C.Joseph Drayton
TrueCrypt is an example of one that requires administrator
rights, and is a widely used application. Other than rHos, I
have never found a replacement application for TrueCrypt.
As to which direction to go in, I agree using 'RunAS',
limits the need for an administrator account. To me though
it is simply easier to remove things than to add things.