Why are you logging in as God?

God_ComputerOK, not God, but the computer equivalent, the almighty Administrator.
Home computer users start up their computer and do stuff.  If you want to run a program, you can.  If you want to install a program, you can.  If you want to change some setting, you can.  Because this is how it has always been for most users, we think nothing of it and assume it’s normal.

We want to get things done so why would you restrict what can be done by the all powerful User.

It turns out there are good reasons.


What is an Administrator?

When you fire up a computer you are assigned rights to do stuff by the operating system (windows) based on the user account that logs in.  The highest level of rights is owned by a built in account called the Administrator account.  The Administrator can run anything, delete anything, install anything — has absolute power over your computer.  It is possible to create additional accounts and assign them the same high level rights possessed by the administrator account with users assigned such referred to generally as administrator accounts.


Logging into a computer lets you choose between accounts

In some cases the login process might be invisible.  You turn the computer on and you go straight to the desktop and start working.  What is happening is that windows is logging you in with a default user account.  This account may or may not have full administrator rights, but if you are not sure, it is likely an administrator account.

Modern versions of windows encourage you to dump the default account and set one up per user.  When you start the computer you will be asked to login with a specific user name to prove to the computer that you have access to the rights given by that account.  Unfortunately in most cases Windows will give that account admin rights by default.


Stop stepping on toes with multiple user accounts

In a family environment you can set up one user account per person and each account will provide a different “profile” and potentially different rights.

When Dad logs in, he may have the standard boring desktop wallpaper.  When his son logs in later, he may change his wallpaper to some garish horror.  Fortunately when Dad logs back in later on his own user account, his boring old wallpaper will still be there.  The same applies to other aspects of the interface, such as shortcuts in your web browser and icons on your desktop.  Multiple accounts prevents you stepping on each other’s toes, to a point.

Multiple accounts on the same computer will still be able to share any files saved or programs installed by any account.

Unfortunately damage caused on one account will impact all users of the computer.


Don’t suffer the kids screwing up your computer – assign limited rights

I know a youngster that spends a lot of time on his grandfathers PC.  He likes playing various games and is in the habit of installing new games and add-ons on most visits.  Pretty typical kid.

His computer use is fine, except when alongside those installed programs he leaves behind bloatware, malware, and viruses.   One particular day I spent some hours stripping out the junk after the machine had ground to a near halt.  Fortunately no serious damage done, but that was more by luck than good planning (also was no recent image backup, always have an image backup!).

Requires_Admin2The better setup is to give the kids a dedicated account with restrictions.  They can still use the web browser and run games, but if they try to install new software or perform various other tasks more likely to cause problems, they will be blocked.  Annoyance on the kids part, but setting the requirement to get approval from an adult to make dangerous changes greatly reduces potential damage.


Limited rights accounts are not only for kids

I use a limited access account on my personal machine at home and at work.

Run_As_AdminIf I want to install something or make other changes that need administrator permissions, I can select “Run as administrator” and enter credentials for an administrator account to allow the install to work.  In some cases I might need to log in with an administrator account to make certain changes.

UAC2Why bother?  Using an account with limited rights reduces the risk of some malicious attack using my credentials.  I know my way around a computer, but I can still be caught out.  If I am silly and click on an email attachment containing a virus, visit a infected web site, or otherwise something hijacks my account then the nasties may do much less damage or no damage at all with a limited account.  Its simply not allowed to install stuff, change or create various files, or make many changes that can cause damage.  It is safer than using an admin account, and it is what you should be doing at home.

Its also worth noting that when executed by an administrator account, some tasks will still not be given full administrator rights in order to reduce potential harm.  You still may need to right click and “Run as Administrator”, even if logged as the administrator, confusing! Hope someone got fired after introducing that nomenclature, though the idea is sound.


Problems with limited accounts

There are some badly written programs which require administrator rights in order to function correctly.

The examples we have come across tend to be old business applications written in the XP era, but some modern applications also inherit this bad habit from older versions.  It is possible to still use a standard account with those programs, but you need to go to the hassle of setting up the program to “runas” an account with administrator credentials.  This isn’t difficult and once set up it will just work.  In the unlikely chance you run into this issue, try googling “runas administrator” on follow the links at the bottom of this article.


User Access Control (UAC)

UAC is a recent security feature, turned on by default on Windows computers.  When introduced, it was extremely annoying, didn’t seem to serve a purpose, and most people turned it off.

UACIts job is to place some limits on administrator power and let you know when substantiative changes are being made to the computer.

If you are on an administrator account installing a new program, it will pop up and make you click yes to continue.  Again and again!  It is more usefully obvious on a limited user account where it offers you the ability to type in admin credentials to continue with tasks such as installing a new program, meaning you don’t need to log off and onto a different account to install software.

It does serve a purpose.  On rare occasion it will save you by popping up and letting you know something is not right.  It will limit the rights you are giving programs when you run them so they can do less harm (even as an administrator).  It does not replace limiting access to administrator accounts but should be used alongside that strategy.

Best Practice – Use limited accounts, UAC on

control_panelCreate an account and set it to full administrator rights (look for “User accounts” or “Edit local users and groups” or similar in settings/control panel).  Create or change your current user to a standard user account.

When you need to make changes, use the administrator account, either by logging in as it or by using “run as Administrator”.

At the same time, keep UAC on the default for all users, or crank it up to the highest level if it doesn’t annoy you too much.

Where it suits your situation, create multiple limited (standard) accounts for different family members and don’t give the kids access to a administrator account!


Further Reading

User Access Control @ Wikipedia

How to Create Standard and Administrator Accounts in Windows @ Toms Hardware

Run as Administrator @Microsoft

Run as Administrator @ 7Tutorials

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *