Mar 11 2009

Running as a limited user in Windows XP

Posted at 1:07 am under Everything Else

Introduction

I am writing this document to help Windows users switch from running under an administrator account to running under a restricted user account. Most Windows users run as an administrator. Though this ensures hassle-free computing, it is not a secure practice to follow. If your computer gets infected with a piece of malware, that malware will run in the context of the current user. If you are running as an administrator, then the malware will be able to install itself and gain complete control of the computer. All other operating systems run regular users as restricted users. Most things that people need to do, such as e-mail, word processing and surfing the Internet, do not need administrative user privileges. These privileges are usually required only for operating system level activities such as updating components of the operating system, changing operating system level settings such as security related settings, or updating device drivers.

Despite what you may read in the popular press, Windows from Windows 2000 onwards is very secure, especially when a user runs under a limited user account. The trouble is that most of us are set up by default to run as an administrator. When we think about switching to running as a limited user, we find that the process can be intimidating and perhaps complex. What if a particular application does not work? Usually, the answer of experts would be that the application has been badly written. This may indeed be the case but, just because of that, we really cannot stop using a given application. It would be nice to find alternatives but we may not have the time or the inclination to do so. This document will show you how to start running as a restricted user.

The challenges of running as a restricted user

The primary challenge of running as a restricted user is to identify what special access a given program needs to run effectively. There is no easy way to do this except monitoring the event logs in Windows. You need to use the group policy editor to ensure that you have set the correct audit settings to monitor access to different objects in Windows. An object could be a running process or a file. Once you launch an application under a limited user account, it will bring up an error message. Or, if it is really badly written, it will crash. Immediately after this crash, you must log back on as the administrator, review the security and/or application logs, and make the relevant changes to Windows permissions.
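The log review described above, as an added example that is not part of the original article: it lists which programs were refused access to which objects while the limited account was in use. It assumes Windows PowerShell 2.0 is installed, that failure auditing of object access is enabled in the policy editor and on the folders or keys of interest, and that `limiteduser` (a placeholder) is the limited account's name.

```powershell
# Added example; run from an administrator session after the application
# has failed under the limited account. Without "Audit object access"
# (Failure) and auditing on the objects themselves, no events are written.
$LimitedUser = 'limiteduser'              # placeholder account name
$Since       = (Get-Date).AddMinutes(-30) # look at the last half hour only

# Pull one labelled field ("Object Name:", "Image File Name:" ...) out of
# the event text. Returns an empty string when the label is absent.
function Get-Field([string]$Text, [string]$Label) {
    $m = [regex]::Match($Text, [regex]::Escape($Label) + ':\s*(.+)')
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
}

# Event ID 560 is the Windows XP "Object Open" audit record. A failure
# audit with this ID means the access check refused the request.
$denied = Get-EventLog -LogName Security -EntryType FailureAudit -After $Since |
    Where-Object {
        $_.EventID -eq 560 -and
        $_.Message -match [regex]::Escape($LimitedUser)
    } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeGenerated
            Program = Get-Field $_.Message 'Image File Name'
            Type    = Get-Field $_.Message 'Object Type'
            Object  = Get-Field $_.Message 'Object Name'
        }
    }

# One row per program and object, most frequently refused first. These are
# the files, folders or registry keys whose permissions need reviewing.
$denied |
    Group-Object Program, Type, Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```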

Another challenge is to migrate settings from one user profile to another. Settings would include both operating system settings and application level settings. For example, you could have a number of e-mail accounts and message rules set up in Microsoft Outlook. You need to ensure that the transition from the administrator account is as painless and seamless as is possible.

My computer is currently running Windows XP Professional with all updates applied as of this writing, Microsoft Office 2007, Dragon NaturallySpeaking and a host of other applications. I’m going to outline how I carried out the migration to another profile and will also tell you a little about the challenges I faced with some of the utilities and applications I use regularly. This list is of course not complete, but I will add to it as and when I encounter anything new.

How to migrate to a limited user

In an ideal world, the best way to do this is not to have to migrate at all: you would run as a limited user from the start. Given that this is not possible for most of us, there are a few ways that the migration can be accomplished.

1. Copy the administrator’s profile to that of the limited user.
2. Create the user account; configure the applications individually in that account and then export whatever data is required from the administrator’s profile.

I’m going to follow the second approach. I did try copying my user profiles, but this method was not very successful. This is because some applications such as ABBYY FineReader had their program data corrupted.

Steps to migrate to the limited user account

1. Creating the restricted user’s account

To create the restricted user’s account, you log in to the account you are currently using. You then navigate to the users applet in the Windows control panel. This applet looks something like a web page. All you now need to do is choose the relevant options. You need to select “restricted user” when you are asked about the type of the account you want to create. Once you have created this account, you can then close the applet and navigate to the “users and groups” item under the “computer browser.” The computer browser is found in the administrative tools applet of the Windows control panel. Here, you can right click the user that you have created and set its password. While you are here, navigate to the “groups” item and create a group. This group can be called anything. In my case, I have called it “regular users”. We will use this group to give our user relevant permissions.

2. Assigning permissions

The crucial thing to remember is that your limited user is not the owner of the files that have been created on your computer. It is the administrative user who owns the files. Of course, if you create documents under the limited user account, then that limited user will be the owner of those documents. The result of all this is that when you try and delete or modify the files that have been created under the administrative user’s login, you would be unable to do so from the limited user login. Therefore, you create a group and allow full access to the relevant files and folders that you have created under the administrative user’s login. Please ensure that these files and folders are only documents such as word processing files, spreadsheets and in some cases media. I usually keep all my data outside the “my documents” folder. Therefore, I had to give full permission to the group to manipulate the folders where I had stored the documents I had created. This folder in fact was on a separate partition. The advantage of creating a group is that you can add as many users as you like and, they will all have the same set of permissions.
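Steps 1 and 2 can also be carried out from the command line. The following is an added example, not part of the original article; it assumes an administrator PowerShell session, and the account name `limiteduser` and the folder `D:\Data` are placeholders for your own values.

```powershell
# Added example; run from an administrator session.
$User   = 'limiteduser'    # placeholder account name
$Group  = 'Regular Users'  # the group name used in this article
$Folder = 'D:\Data'        # placeholder: data folder on a separate partition

# Accounts created with "net user /add" join the local Users group only,
# which is what the control panel applet offers as a limited account.
# The "*" makes net.exe prompt for the password instead of taking it on
# the command line, where it would be visible on screen.
net user $User * /add
if ($LASTEXITCODE -ne 0) { throw "Could not create account $User" }

# Create the group and put the new account into it.
net localgroup $Group /add
if ($LASTEXITCODE -ne 0) { throw "Could not create group $Group" }
net localgroup $Group $User /add
if ($LASTEXITCODE -ne 0) { throw "Could not add $User to $Group" }

# Grant the group access to the data folder only, never to system or
# program folders.
#   /T  apply to the folder and everything below it
#   /E  edit the existing ACL instead of replacing it
#   /G  grant; F is full control, as in the article. C (change) is
#       enough to edit and delete files and does not let group members
#       rewrite the permissions themselves.
cacls $Folder /T /E /G "${Group}:F"
if ($LASTEXITCODE -ne 0) { throw "Could not update permissions on $Folder" }

# Print the resulting ACL so the change can be checked before logging off.
cacls $Folder
```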

3. Exporting settings

It is now time to export your bookmarks or favorites and any RSS feeds you may have in Internet Explorer. You carry out the export using the “import export wizard”. This is accessed from within the file menu of Internet Explorer. When you are saving the favorites and feeds, do ensure that you save them to a location other than the default location suggested by the wizard. Otherwise, you will have to launch Windows Explorer using administrative credentials from your limited user account and then copy them into the limited user’s profile. Also be warned that the favorites will be organized alphabetically once you import them into Internet Explorer.

4. Your first login as a limited user

When you log on for the first time as a limited user, you might be forgiven for thinking that you have actually re-installed Windows. A number of the prompts you get this time round are those that come when Windows is being installed. This is because the new user is being created and certain settings need to be customized. Answer the prompts as best as you can. You now need to import your favorites and feeds. You can do so from Internet Explorer.
Note:
At the time of this writing, Internet Explorer version 7 has a bug. The menu bar does not display when you are running under a limited user account. You need to click on the “links” toolbar to enable it. Once you’ve enabled that, the menu bar comes up automatically. You can then check the “menu bar” item under the “toolbars” menu item which is under the “view” menu of Internet Explorer version 7. You can then disable the “links” toolbar.

5. Configuring various programs as a limited user

One of the most tedious things you will need to do once you have logged in as a limited user is to configure the rest of your programs. The only easy way to do this that I have found is to launch every program and set it up afresh.

Programs and their behavior under limited user credentials

ABBYY FineReader version 9

This program works seamlessly even under accounts that have limited user credentials. However, if you try and copy user profiles, then the program will warn you stating that “program data has been corrupted”.

The Microsoft office suite

If you are using Microsoft Office 2003, you can use the files and settings transfer wizard to transfer your Office settings to your newly created account. If you are using Microsoft Office 2007, you will need to re-customize Microsoft Office. Having said that, there is a way to import settings from your account with administrative privileges to your limited user account, especially for Outlook 2007. Be warned that this method does not import the passwords that belong to your e-mail accounts. You will need to re-type those passwords. See the following link for details. Exporting Outlook 2007 settings

Note:
As a general rule, it is advisable to store your Outlook e-mail in a separate folder. This way, you will be able to use Outlook in both profiles.

The FileZilla FTP client

You will need to re-customize this application. Alternatively, you can copy the FileZilla settings from the relevant folder under the administrator account. See the FileZilla project Wiki for more information on where the FileZilla settings are stored.

Dragon NaturallySpeaking along with J-say and Jaws for Windows

You will need to customize your settings for Jaws for Windows. By settings I mean settings related to speech rate, pitch, the reading of graphics and so on. Dragon NaturallySpeaking does indeed work seamlessly even under limited user credentials. However, you need to ensure that you have backed up your user profile. This is so because Dragon NaturallySpeaking will be unable to access your user profile if it is stored in the default location. The default location is user specific and will be mapped to your initial user who has administrative credentials. Another way around this is to export your vocabulary and commands and then create a fresh profile under limited user credentials. This is what I chose to do. J-say for the most part is also working seamlessly. I am unable to create text notes when running as a limited user.

The vOICe

You will need to reconfigure and also reregister this application.

Adobe Acrobat Reader

You will need to reconfigure this application. When you launch it for the first time, it will install itself in your currently active user profile.

Windows Media Player version 11

You will need to reconfigure this application. When you launch it for the first time, it will install itself in your currently active user profile.

The OpenDNS client for Windows

You will be able to install this application. However, I was unable to install it as a service while running from my limited user account. I could however do so when I logged in using my account with administrative privileges.

Apcupsd

This program works seamlessly under a limited user account. No action was required on my part. It was just there in the system tray. I still need to test its kill power functionality. It is able to send e-mail notifications without any difficulty even when running under a limited account.

Carrying out administrative tasks when running as a limited user

When running as a limited user, you use the “runas” utility to carry out administrative tasks. See the following Microsoft Knowledge Base article for details.
kb294676

Installing and removing programs

One of the biggest headaches you will encounter when running as a limited user is that it is difficult to install or remove programs. Many programs write to the “program files” folder. You could either redirect these or, ideally, run the installation as an administrator. Always try installing a program from the limited account first unless of course the program explicitly states that it needs administrative credentials for installation. Be warned that you will encounter several programs that do not state this explicitly but still require those credentials based on the locations they write to in Windows.

The account titled “administrator”

When Windows XP displays a list of possible accounts you can run from, in some situations, you may encounter an account called “administrator”. This is a hidden account which is usually visible only in safe mode. It is not password protected. You should log in to safe mode and set a password for this account to maximise your computer security. See the following link for more information on how to do this.
Windows XP Administrator Account Passwords

Coping with scheduled tasks

If you use the scheduled tasks feature of Windows, you would need to recreate the tasks that you have created under the administrative account. Alternatively, you can set those tasks from the administrative account to run under the credentials of the limited user account. If you do this, be aware that you may have to set special permissions for files and folders to allow these tasks to run successfully. In some cases, if your scheduled tasks do not require any user intervention, you would have to make no changes except that you must ensure that the option to allow the tasks to run without that user being logged on is checked.

Creative Commons License
Migrating to a restricted user account from an administrator account by Pranav Lal is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Norway License.
See the below links to older downloadable versions of this post.
Click here to download migrating to a restricted user account from an administrator account in Word 2003 (*.doc) format
Click here to download migrating to a restricted user account from an administrator account in PDF
Click here to download migrating to a restricted user account from an administrator account in RTF
Note
My Thanks to Wayne Johnson for creating the initial tagged PDF version of this document.


3 Responses to “Running as a limited user in Windows XP”

  1. Wayne Johnson on 11 Mar 2009 at 4:10 am

    It probably should be in 97-2003 format instead of 2007. I’m alright with 2k7 but to reach more users can you upload it in the more universal format. I’ve also taken the liberty of emailing you it converted to PDF format if you’d rather use that.

    TIA

  2. Eric Forrest on 11 Mar 2009 at 11:37 pm

    Pranav
    In my opinion this is an extremely helpful document. I have never got round to running as a limited user. No-one else uses my computers. I keep one mainly for Internet use and have always been prepared to sacrifice the advantages of Internet on my workstation. However, the latter is quite expensive to run and I have begun to use the Internet machine for other work recently to reduce running costs. Your recorded experience and advice comes just when I really need it.

    Many thanks & Best wishes
    eric

  3. Rick Glazier on 15 Mar 2009 at 4:59 am

    Wayne, Thanks for the conversion.
    Rick Glazier
