is it necessary for new users to be local admins?

Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

We are upgrading to xp, and we need to know should we limit our users so
that they are not local admins. Will this break any software in it's normal
day-to-day operations (aside from installation issues)?

Thanks.
2 answers Last reply
More about users local admins
  1. Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

    Chip,
    Unfortunately, yes. Many applications behave irregularly (or not at all)
    without local administrator priveleges. There are workarounds for this, but
    they should be implemented on a case-by-case basis. My best advice would be
    to configure a few machines in a lab environment with the software you use
    and establish several users with different privelege levels, and see what
    your users require. Hope this helps.

    Aaron Firouz

    "Chip Orange" wrote:

    > We are upgrading to xp, and we need to know should we limit our users so
    > that they are not local admins. Will this break any software in it's normal
    > day-to-day operations (aside from installation issues)?
    >
    > Thanks.
    >
    >
    >
    >
    >
  2. Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

    Chip Orange wrote:
    > We are upgrading to xp, and we need to know should we limit our users so
    > that they are not local admins.


    Yes, yes, a thousand times, yes. There's almost never a good reason to
    give regular users elevated security permissions.

    HOW TO Create and Configure User Accounts in Windows XP
    http://support.microsoft.com/default.aspx?scid=kb;en-us;279783

    HOW TO Set, View, Change, or Remove File and Folder Permissions
    http://support.microsoft.com/default.aspx?scid=kb;en-us;q308418


    > Will this break any software in it's normal
    > day-to-day operations (aside from installation issues)?
    >


    WinXP's security paradigm won't "break" any properly designed and
    compatible applications. However, some poorly coded applications do
    sometimes require the user to have elevated privileges. If security is
    of concern to you, such applications should be removed and replaced.

    You may experience some problems if the software was designed for
    Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
    designed. Quite simply, the installation routine for this application
    doesn't "know" how to handle individual user profiles, or the
    application tries to make changes to "off-limits" sections of the
    registry or protected Windows system folders. Quite often, you can make
    this software available to other users by _copying_ the Start Menu
    folder and Desktop folder shortcuts from the user profile from which the
    software was installed in the corresponding folders in the user
    profile(s) in which you'd like the software to be accessible. If the
    application is something that can/should be made available to all
    current and future users, copying the shortcuts into the corresponding
    locations of the All Users profile will do the trick.

    For some obscure reason, game developers in particular seem to not
    understand WinXP's file security paradigm, and require even limited
    users to have unnecessarily high privileges to protected systems
    folders. For example, saved games are often stored in a sub-folder
    under the game's folder within C:\Program Files - a place where no
    inexperienced or limited user should have write permissions.

    NOTE: This may not work if the software requires access to parts
    of the hard drive and/or registry that are not normally accessible to
    regular users. (This won't occur if the application was properly
    written.) If this does prove to be the case, however, you're left with
    two options: Either grant the necessary users appropriate higher access
    privileges (either as Power Users or local administrators), or replace
    the application with one that was properly designed specifically for
    WinNT/2K/XP.

    Some Programs Do Not Work If You Log On from Limited Account
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

    Additionally, here are a couple of tips suggested, in a reply to a
    different post, by MS-MVP Kent W. England:

    "If your game or application works with admin accounts, but not with
    limited accounts, you can fix it to allow limited users to access the
    program files folder with "change" capability rather than "read" which
    is the default.

    C:\>cacls "Program Files\appfolder" /e /t /p users:c

    where "appfolder" is the folder where the application is installed.

    If you wish to undo these changes, then run

    C:\>cacls "Program Files\appfolder" /e /t /p users:r

    If you still have a problem with running the program or saving
    settings on limited accounts, you may need to change permissions on
    the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
    where "vendor\app" is the key that the software vendor used for your
    specific program. Change the permissions on this key to allow Users
    full control."


    --

    Bruce Chambers

    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    You can have peace. Or you can have freedom. Don't ever count on having
    both at once. - RAH
Ask a new question

Read More

Configuration Microsoft Windows XP