Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Reverting an admin to a limited user?

15 Dec 2009   #1
Carbonyl

Windows 7 RTM
 
 
Reverting an admin to a limited user?

Sorry if this is the wrong place to ask this question. I'm not sure where else it should go, and since it's related to security I thought I might get the best answer here.

I've been running on a default account for Win 7 Professional (x64) since the RTM was released. I thought, at the time of installation, that the default user was not the administrator - But I've found that I was wrong on that point. I have the UAC set to maximum, by the way.

Anyhow, I'm interested in setting my user as a LUA now, and I've found fairly thorough instructions on how to do so online here. Before I take this plunge, though, I'm concerned about the impact this might have on my system stability and security. I have a number of applications that require administrator access during automated procedures - ESET NOD32 autoupdates itself, and obviously needs Admin access to do the automated scans that I have scheduled - not to mention the realtime access it requires. EVGA precision tool and RealTemp require Admin access to run. Beyond that, some programs autoupdate themselves, or record log files - Steam and my IM Client both engage in this behavior.

If I were to change my existing account to a LUA, would that break a lot of these programs? Would I still be able to run the programs I usually do, or patch the programs I need to? Would all of my programs fail to save logs, or fail to patch themselves, because they no longer have appropriate access levels?

In effect, would taking an administrator down to a standard user effectively break all of the applications installed under the Admin user?

Running as a standard user seems like a good security measure, but if it compromises stability and functionality, I'd like to avoid that before I fiddle with things I shouldn't.


My System SpecsSystem Spec
15 Dec 2009   #2
Blender

Windows 7 x86
 
 

From what I can understand, you want to have one account on the computer. That account shouldn't be an admin, right?

I don't think that there is a way to do this, but maybe (if this helps) run this (Win-key + R):
Code:
control userpasswords2
You can change a lot of settings through this...
My System SpecsSystem Spec
15 Dec 2009   #3
Barman58

Windows 8.1 Pro x64 x3 + Windows 10 Preview, Ubuntu
 
 

If you are running with UAC on full then in effect you are already running as a standard user

The default (first) user in win7 is using a dual token security system.
The normal state is that the user has the rights of a member of the users group and UAC will prompt you when it needs to gain membership of the Administrators group.

If you create a standard user and keep UAC at the same level then it will act the same except that it will prompt for the User name and password of a member of the administrators group.

You have to have at least one member of the Administrators group so if you wish to demote your current user you will need to create an second user as an admin.

I personally find the UAC a convenience as my former practice was to run as a standard user and manually "run as Administrator" UAC provides me with the same security without the hassle

It is possible through Group Policy to require the user to supply a password even when running the "admin" account under UAC if you require that extra step to prevent the automatic "click without thinking" response to the prompt
My System SpecsSystem Spec
15 Dec 2009   #4
Carbonyl

Windows 7 RTM
 
 

Thanks to you both for the information! Very useful stuff. I did not know that the default user with maximum UAC was actually a standard account. That gives me a little more peace of mind.

I should clarify - I intend to keep an administrator account around if I follow through with this plan. I would first make an admin-level account, one I don't plan to use for daily purposes. Afterward, I would then demote the current (default/first) account, so as to keep all my settings and files and whatnot. I realize that there's a possibility that I might lock myself out of the system by removing the admin if I don't do this first.

My main reasoning behind lowering the privileges of my current account is to set up SRP. I have professional, not ultimate, so Applocker is not accessible to me. However, manual SRP looks like something I can implement with a little research. So far, what I've been able to tell is that SRP will only work for an LUA, and can't be instated for an Admin user.
My System SpecsSystem Spec
16 Dec 2009   #5
Victek

Windows 7 x64
 
 

Quote   Quote: Originally Posted by Carbonyl View Post
Thanks to you both for the information! Very useful stuff. I did not know that the default user with maximum UAC was actually a standard account. That gives me a little more peace of mind.

I should clarify - I intend to keep an administrator account around if I follow through with this plan. I would first make an admin-level account, one I don't plan to use for daily purposes. Afterward, I would then demote the current (default/first) account, so as to keep all my settings and files and whatnot. I realize that there's a possibility that I might lock myself out of the system by removing the admin if I don't do this first.

My main reasoning behind lowering the privileges of my current account is to set up SRP. I have professional, not ultimate, so Applocker is not accessible to me. However, manual SRP looks like something I can implement with a little research. So far, what I've been able to tell is that SRP will only work for an LUA, and can't be instated for an Admin user.
.

Here is a quote from an article by Mark Russinovich:

"Even processes elevated from standard user accounts can conceivably be compromised because of shared state. All the processes running in a logon session share the internal namespace where Windows stores objects such as events, mutexes, semaphores, and shared memory. If malware knows that an elevated process will try to open and read a specific shared memory object when the process starts, it could create the object with contents that trigger a buffer overflow to inject code into the elevated process. That type of attack is relatively sophisticated, but its possibility prevents OTS elevations from being a security boundary.

The bottom line is that elevations were introduced as a convenience that encourages users who want to access administrative rights to run with standard user rights by default. Users wanting the guarantees of a security boundary can trade off convenience by using a standard user account for daily tasks and Fast User Switching (FUS) to a dedicated administrator account to perform administrative operations. On the other hand, users who want to forgo security in favor of convenience can disable UAC on a system in the User Accounts dialog in the Control Panel, but should be aware that this also disables Protected Mode for Internet Explorer."

http://technet.microsoft.com/en-us/m...07.06.uac.aspx

As I understand the above using an Admin account with UAC set to max does not provide the same security as using a LUA. If you want the best security and you're willing to put up with UAC prompts and entering passwords, then using a LUA is the way to go. Why not try it and see how it effects your applications? If it breaks something it's easy enough to change the limited user account back into an Admin account. As you've already noted make sure you create another Admin account before reducing privileges on your current account. By the way, "fast user switching" is a clever way to move between the accounts with minimal hassle - never occurred to me.
My System SpecsSystem Spec
Reply

 Reverting an admin to a limited user?




Thread Tools





Similar help and support threads
Thread Forum
Help icons show on admin but not limited user
i installed Tixati and theres no start menu icon or in the all programs menu. it shows in add/remove programs. also i can create a short cut by right clicking the desktop .but if i switch to admin user theres icons in the start menu. same happens if i try to install utorrent:mad:
Software
Admin User Error5. CMD solutions failed. New User with ADMIN works
Thank you! I am admin ( WIN 7 Pro 64 computer 4 years old): In admin user default account, any and ALL open, and .exe functions denied. CMD right click 'run as admin' (net user admin etc.) has no effect. Checking all folders I show FULL permission. Right click 'run as admin' has no effect...
General Discussion
TWO problems; allowing a limited user access to an admin folder
1. So when I try to that, it goes FILE BY FILE but some cause a window to show up which reads: access denied!! And I am admin, makes no sense! 2. When I am on a limited user and I try to access an admin folder or directory, or run application as admin I am asked to enter the admin's password....
Network & Sharing
New admin user acting differently than standard user changed to admin
I have created two new user accounts. The first I set up as a standard account, logged on, did a few things, then logged off, logged on as my administrator account and editted the account to be an administrator. When I log back on as this account, it appears that the user still does not have...
General Discussion
How to log in as Admin on a profile set to Limited
I have three profiles on my Win7 PC; myself (Administrator), my Wife, and the Kids; both of which are Limited. Every once in a while one of them needs to ask me to install a program or sometimes I log in to their account to clean up their desktop of shortcuts they dont need. My question is...
General Discussion
Limited admin rights? - access denied
Hi. I am running windows 7 ultimate and I have only one account (admin). I have no trouble installing programs, running programs or copying files from different locations on my hard drive, but if I try to save a file in a program, I get the message, that I do not have permission to save in...
General Discussion

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 05:29.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App