Run As Adminstrator - why hasn't it saved us?

  • Thread starter Thread starter riix
  • Start date Start date
R

riix

Guest
Hi all, I'm totally confused and wondering if I got this wrong or, after
2 decades of NT its still microsoft that's got this wrong.

- I figure that better than UAC would be to run as Power User, and use
the "Run As Administrator" when needed - which is often - Visual Studio,
Event Viewer, IIS, SQL Server, etc.

- so I enabled the Administrator id, turn off UAC (after all, won't
need it anymore and might speed up this doggy), downgraded my id to 'PU'
and try it out.

- Boots and I log on (so far so good). Go to run VS - what? "Run As
Administrator" is grayed out ??? so I google this and find out you
gotta have UAC running to get this to work .. DUH Microsoft ??? what's
the connection between these two concepts ??

- But ok, log on as Administrator, turn UAC back on, reboot and log on
again as a 'PU' . OK, let's try VS again - "Run As Administrator" works
! and voila a (big) box pops up (what ever happened to respect for
screen real estate?) and I have to select an id - it lists my PU id even
if its not an administrator (so why??) but, anyhow, I select
"Administrator", enter password and ..

.. sure bloody enough it works - I'm now running VS as the
"Administrator" id ..

.. err ... you gotta be kidding right? Because I'm running as
"Administrator" .. like I have the Administrator's (My) Document and
preferences etc ..

.. Unbeliveable - what's wrong with this picture Microsoft?

I didn't want to run as the Administrator ID - I just wanted to run
with Administrator RIGHTS - i.e., to be ethereally in the Administrators
Group for the life of this single process !!!!!

Jumping heck, I can't believe we've been with this since NT3 and
Microsoft still don't seem to get it.

Wouldn't this solve so many darn problems? Even to the point of making
UAC unnecessary????

SO .. I'm bitterly disappointed in MS, in Vista. Back to being
Administrator and the ever constant UAC nag.

Or back to XP .. (anyone have XP64 experiences?)

Or just give up, and jump over to Eclipse, Java and Linux ..


--
riix
 
Re: Run As Adminstrator - why hasn't it saved us?


UAC is a complete must for your average day to day user as Vista is very
easily seriously corruptible. Particular programs can save to protected
system directories which could lead to complete system malfunction. As
far as XP is concerned I feel the benefits gained by using such a great
system like Vista by far outweighs a downgrading to XP because of a UAC
prompt ?

To learn a new operating system because of this would be obsurd, I have
been using Linux for 14 years and still feel that I am an average user
due to the complexity of the Unix based operating systems.


--
Ultimate User
 
Re: Run As Adminstrator - why hasn't it saved us?


"riix" <guest@unknown-email.com> wrote in message
news:916a34dd41239df1dc7665f27879e302@nntp-gateway.com...
>
> SO .. I'm bitterly disappointed in MS, in Vista. Back to being
> Administrator and the ever constant UAC nag.
>

http://news.softpedia.com/news/Admin-Approval-Mode-in-Windows-Vista-45312.shtml

<http://www.computerperformance.co.uk/vista/vista_administrator_activate.htm#Summary_of_Vista_Administrator_-_Super_User_(Hidden_Account)>
 
Re: Run As Adminstrator - why hasn't it saved us?

Here's what to do: just make your normal user account an Administrator
account, and re-enable UAC.

You still run as a normal user, except that when elevation is required you
just get a confirmation box, rather than the whole "Administrator's username
and password" prompt.

It takes one click of the mouse, or two key presses. And to be honest you
give nothing away in terms of security, unless other people can get
unauthorised access to your machine.

Like you, I run a few programs that need elevation, and this is how I run my
machine. It's great: whenever something that might affect the integrity or
security of the OS is about to happen, UAC gives me a single "are you sure?"
prompt. This should have been implemented years ago, to be honest. It's
known as Administrator Approval mode, and is very low hassle.

SteveT
 
Re: Run As Adminstrator - why hasn't it saved us?


To all that replied - thanks for your comments and no disrespect
intended please, but seems we missed the issues:

1) when attempting to run as a Power User, the "RunAs Administrator"
seems to be completely wrong in concept, yet has been around since ..
NT3? Can this really be? Or am I totally not understanding how its
supposed to work?

2) Why does disabling UAC also disable "RunAs.." - again: these are
totally different concepts, why are they coupled?

3) UAC is _not_ a minor inconvenience, it is a *major* hassle for
members of a development shop. Its not just a click. Its the constant
jarring effect of the screen going dim (or even black) for a second or
two, the box, the click, the blink back to reality, then a few seconds
later .. Event Viewer, IIS Admin, SQL studio, etc.

Doing this, maybe 30-40 times a day? When XP just worked?

And all this because the Vista product, and Microsoft narrow-mindness,
won't allow me to work in a more intelligent fashion - which is: as a
Power User and *not* as an Administrator?

4) and maybe that's a bottom line - why does Vista install and create
its users as Administrators? A while ago my son bought a new Acer
computer with Vista Home Exceptional (or whatever its called). First
thing I did was create an Adminstrator id, write the password on his
monitor, then downgraded his ID to Normal User. He's now been using it
for over a month and HAS NOT EVEN NOTICED he's not an Administrator,
that is, it hasn't affected him at all.

Why doesn't Vista do this by default ?

5) I've just found references to "UAC Manifest" files - does anyone
have real, honest, practical experience with this as a way of calming
UAC?

Cheers.


--
riix
 
Re: Run As Adminstrator - why hasn't it saved us?

On Fri, 15 Aug 2008 07:53:00 -0500, riix wrote:

> To all that replied - thanks for your comments and no disrespect
> intended please, but seems we missed the issues:
>
> 1) when attempting to run as a Power User, the "RunAs Administrator"
> seems to be completely wrong in concept, yet has been around since ..
> NT3? Can this really be? Or am I totally not understanding how its
> supposed to work?
>
> 2) Why does disabling UAC also disable "RunAs.." - again: these are
> totally different concepts, why are they coupled?
>
> 3) UAC is _not_ a minor inconvenience, it is a *major* hassle for
> members of a development shop. Its not just a click. Its the constant
> jarring effect of the screen going dim (or even black) for a second or
> two, the box, the click, the blink back to reality, then a few seconds
> later .. Event Viewer, IIS Admin, SQL studio, etc.
>
> Doing this, maybe 30-40 times a day? When XP just worked?

TweakUAC for Windows Vista.
http://www.tweak-uac.com/home/

> And all this because the Vista product, and Microsoft narrow-mindness,
> won't allow me to work in a more intelligent fashion - which is: as a
> Power User and *not* as an Administrator?

Windows Vista Secret #4: Disabling UAC
"...you probably consider yourself a power user. You pride yourself in the
responsibility of having full and absolute control over your machine
environment..."
http://blogs.msdn.com/tims/archive/2006/09/20/763275.aspx

> 4) and maybe that's a bottom line - why does Vista install and create
> its users as Administrators? A while ago my son bought a new Acer
> computer with Vista Home Exceptional (or whatever its called). First
> thing I did was create an Adminstrator id, write the password on his
> monitor, then downgraded his ID to Normal User. He's now been using it
> for over a month and HAS NOT EVEN NOTICED he's not an Administrator,
> that is, it hasn't affected him at all.
>
> Why doesn't Vista do this by default ?

Speed Vista: Turn off UAC, or at least make it less annoying
http://www.pctipsbox.com/speed-vista-turn-off-uac-or-at-least-make-it-less-annoying/

> 5) I've just found references to "UAC Manifest" files - does anyone
> have real, honest, practical experience with this as a way of calming
> UAC?

Understanding and Configuring User Account Control in Windows Vista.
http://technet.microsoft.com/en-us/library/cc709628.aspx

User Account Control Step-by-Step Guide.
http://technet.microsoft.com/en-us/library/cc709691.aspx

How to disable UAC
http://www.vista4beginners.com/How-to-disable-UAC
 
Re: Run As Adminstrator - why hasn't it saved us?

Your question, seems more an indictment than a genuine question. My comment,
much as yours, is offered as an opinion or view, except from an
administration point of view, no disrespect intended or hidden agenda. The
fact that development is hindered by having to respect secure calls should
be a warning to development that your intended audience will similarly be
affected. Business as usual, shortcuts and all is not acceptable in Vista.
Just as users are having to deal with a more secure environment, seems
development is going to have to learn a new way building code.

As I'm sure you already know, Vista Home(?) is built with the intent of
servicing less knowledgeable consumers/users. Further it is intended to run,
seamlessly without use of administrator, due to its limited target user.

Back on topic, I continue to find it strange when the biggest historical
complaint against Microsoft client OS's has been lack of security, yet when
it finally assumes a much more secure posture, the reward is more complaints
about it being "too" secure.

I would expect, that if developers complain enough, Microsoft may take a
step toward making a developers version Vista with all the offending
safeguards removed. However, I would expect it would lengthen the test
cycle, since at some point the code must run in the real world of the
ultimate consumer.

Bottom line - You can turn UAC off. If you are the administrator, why would
you need "run as"? It does not seem logical to want the rights and not want
to accept the responsibility.

Power user had been inactivated/removed, since W2K/XP/XP-Pro, when client is
installed on a domain...hasn't it?

"riix" <guest@unknown-email.com> wrote in message
news:e100bf9a5d61a24164a35762cccd0b06@nntp-gateway.com...
>
> To all that replied - thanks for your comments and no disrespect
> intended please, but seems we missed the issues:
>
> 1) when attempting to run as a Power User, the "RunAs Administrator"
> seems to be completely wrong in concept, yet has been around since ..
> NT3? Can this really be? Or am I totally not understanding how its
> supposed to work?
>
> 2) Why does disabling UAC also disable "RunAs.." - again: these are
> totally different concepts, why are they coupled?
>
> 3) UAC is _not_ a minor inconvenience, it is a *major* hassle for
> members of a development shop. Its not just a click. Its the constant
> jarring effect of the screen going dim (or even black) for a second or
> two, the box, the click, the blink back to reality, then a few seconds
> later .. Event Viewer, IIS Admin, SQL studio, etc.
>
> Doing this, maybe 30-40 times a day? When XP just worked?
>
> And all this because the Vista product, and Microsoft narrow-mindness,
> won't allow me to work in a more intelligent fashion - which is: as a
> Power User and *not* as an Administrator?
>
> 4) and maybe that's a bottom line - why does Vista install and create
> its users as Administrators? A while ago my son bought a new Acer
> computer with Vista Home Exceptional (or whatever its called). First
> thing I did was create an Adminstrator id, write the password on his
> monitor, then downgraded his ID to Normal User. He's now been using it
> for over a month and HAS NOT EVEN NOTICED he's not an Administrator,
> that is, it hasn't affected him at all.
>
> Why doesn't Vista do this by default ?
>
> 5) I've just found references to "UAC Manifest" files - does anyone
> have real, honest, practical experience with this as a way of calming
> UAC?
>
> Cheers.
>
>
> --
> riix
 
Re: Run As Adminstrator - why hasn't it saved us?


Beoweolf;805441 Wrote:
> Your question, seems more an indictment than a genuine question.

Others can say it more succinctly that me:
'Am I at risk if I disable UAC?'
(http://www.tweak-uac.com/am-i-at-risk-if-i-disable-uac/)

Beoweolf;805441 Wrote:
> The fact that development is hindered by having to respect secure calls
> should be a warning to development that your intended audience will
> similarly be affected.

I'm not sure what you're referring to; certainly I don't anticipate our
product buyers ("intended audience") to have to use Event Viewer, IIS
Admin, or SQL Server Studio (at least not to use our product).

Beoweolf;805441 Wrote:
> seems development is going to have to learn a new way building code.

Yes a tedious, non-productive and irritating way ..

Beoweolf;805441 Wrote:
> As I'm sure you already know, Vista Home(?) is built with the intent of
> servicing less knowledgeable consumers/users. Further it is intended to
> run, seamlessly without use of administrator, due to its limited target
> user.

I don't disagree. This is why I wonder that Vista Home doesn't
'promote' creation of basic accounts but instead creates Administrator
accounts?

Beoweolf;805441 Wrote:
> Back on topic, I continue to find it strange when the biggest
> historical complaint against Microsoft client OS's has been lack of
> security, yet when it finally assumes a much more secure posture, the
> reward is more complaints about it being "too" secure.

Are you referring to my post or to comments 'out there' in general? My
issue is not about it being "too" secure (refer again to above link for
a better stating of facts than I could ever do), my issue instead is how
intrusive and irritating this supposed 'safeguard' is.

Beoweolf;805441 Wrote:
> Bottom line - You can turn UAC off. If you are the administrator, why
> would you need "run as"? It does not seem logical to want the rights and
> not want to accept the responsibility.
>
> Power user had been inactivated/removed, since W2K/XP/XP-Pro, when
> client is
> installed on a domain...hasn't it?

You missed the point. I do not want to run as administrator. I don't
think I should need such lofty privileges just to write programs. And if
I turn off UAC then RunAs doesn't work.

However .. to end this thread - thank yous Kayman for pointing out
Tweak-UAC; I think its an acceptable compromise.


"riix" <guest@xxxxxx-email.com> wrote in message
news:e100bf9a5d61a24164a35762cccd0b06@xxxxxx-gateway.com...


--
riix
 
Re: Run As Adminstrator - why hasn't it saved us?

In the spirit of friendly and informative dialogue I submit this:

First thing one needs to do when migrating from XP to Vista is to forget
about XP. Vista is not an upgraded version of XP. Vista is a new and
different OS with more powerful features than XP.

I've had Vista for a year now. No blue screen. No need to reinstall OS
because of a corrupt file. I think that the UAC has contributed to protecting
the integrity of the OS.

I've run Vista with various kinds of UAC configurations.
Right now I find the best set up for me is using a standard account
everyday with the administrator account sitting on the sideline in case I
ever need to access it (which I rarely do.)

Yes, the UAC will ask me for the administrator password once in a while but
only for global operations that will affect other users. I do not find the
occasional UAC prompt a nuisance anymore than I find my home security
lighting system.

If I had the money I’d replace all of my XP machines with Vista.

--
oscar :)

....Right click is your very good friend...


"riix" wrote:

>
> To all that replied - thanks for your comments and no disrespect
> intended please, but seems we missed the issues:
>
> 1) when attempting to run as a Power User, the "RunAs Administrator"
> seems to be completely wrong in concept, yet has been around since ..
> NT3? Can this really be? Or am I totally not understanding how its
> supposed to work?
>
> 2) Why does disabling UAC also disable "RunAs.." - again: these are
> totally different concepts, why are they coupled?
>
> 3) UAC is _not_ a minor inconvenience, it is a *major* hassle for
> members of a development shop. Its not just a click. Its the constant
> jarring effect of the screen going dim (or even black) for a second or
> two, the box, the click, the blink back to reality, then a few seconds
> later .. Event Viewer, IIS Admin, SQL studio, etc.
>
> Doing this, maybe 30-40 times a day? When XP just worked?
>
> And all this because the Vista product, and Microsoft narrow-mindness,
> won't allow me to work in a more intelligent fashion - which is: as a
> Power User and *not* as an Administrator?
>
> 4) and maybe that's a bottom line - why does Vista install and create
> its users as Administrators? A while ago my son bought a new Acer
> computer with Vista Home Exceptional (or whatever its called). First
> thing I did was create an Adminstrator id, write the password on his
> monitor, then downgraded his ID to Normal User. He's now been using it
> for over a month and HAS NOT EVEN NOTICED he's not an Administrator,
> that is, it hasn't affected him at all.
>
> Why doesn't Vista do this by default ?
>
> 5) I've just found references to "UAC Manifest" files - does anyone
> have real, honest, practical experience with this as a way of calming
> UAC?
>
> Cheers.
>
>
> --
> riix
>
 
Re: Run As Adminstrator - why hasn't it saved us?


"riix" <guest@unknown-email.com> wrote in message
news:e100bf9a5d61a24164a35762cccd0b06@nntp-gateway.com...
>
> To all that replied - thanks for your comments and no disrespect
> intended please, but seems we missed the issues:
>
> 1) when attempting to run as a Power User, the "RunAs Administrator"
> seems to be completely wrong in concept, yet has been around since ..
> NT3? Can this really be? Or am I totally not understanding how its
> supposed to work?


There is no more Power User on Vista, as stated in the article.

<http://technet.microsoft.com/en-us/magazine/cc160882.aspx>

>
> 2) Why does disabling UAC also disable "RunAs.." - again: these are
> totally different concepts, why are they coupled?

UAC and Run As Administrator are tied together on Vista and are the new
security profile for the Admin and Standard user accounts. Even Admin on
Vista is locked down to Standard User and must have its rights escalated, as
stated in the link.

<http://technet.microsoft.com/en-us/library/cc709691.aspx>


>
> 3) UAC is _not_ a minor inconvenience, it is a *major* hassle for
> members of a development shop. Its not just a click. Its the constant
> jarring effect of the screen going dim (or even black) for a second or
> two, the box, the click, the blink back to reality, then a few seconds
> later .. Event Viewer, IIS Admin, SQL studio, etc.
>
> Doing this, maybe 30-40 times a day? When XP just worked?
>
> And all this because the Vista product, and Microsoft narrow-mindness,
> won't allow me to work in a more intelligent fashion - which is: as a
> Power User and *not* as an Administrator?

1) You disable UAC.
2) You use something like TweakUac.
3) You set your account to be Super Admin so that you still have UAC enabled
because some applications will not work correctly with UAC off, those
applications using the Vista UAC manifest as an example, and by being Super
Admin, UAC will not prompt you as Super Admin, as stated in the link.

<http://www.computerperformance.co.uk/vista/vista_administrator_activate.htm#Summary_of_Vista_Administrator_-_Super_User_(Hidden_Account)>

>
> 4) and maybe that's a bottom line - why does Vista install and create
> its users as Administrators? A while ago my son bought a new Acer
> computer with Vista Home Exceptional (or whatever its called). First
> thing I did was create an Adminstrator id, write the password on his
> monitor, then downgraded his ID to Normal User. He's now been using it
> for over a month and HAS NOT EVEN NOTICED he's not an Administrator,
> that is, it hasn't affected him at all.

That's because Standard user on Vista has more rights than Limited user on
XP as an example, which was preventing a Limited user on XP from doing
things. This as been corrected on Vista. However, if the user your son was
running a solution as Standard user or as Admin, because Admin on Vista is
locked down to a Standard user, and UAC is enabled, the user is going to be
prompted for credentials for privilege escalation.
>
> Why doesn't Vista do this by default ?
>
Ask MS.

> 5) I've just found references to "UAC Manifest" files - does anyone
> have real, honest, practical experience with this as a way of calming
> UAC?
>

A programs running on Vista with UAC enabled, the developer can present the
UAC credentials to Vista for privilege escalation by using the manifest.
That UAC challenge box is still going to pop in the user's face, to allow or
disallow as Admin or if Standard user give user-id and psw for an Admin
account.

<http://community.bartdesmet.net/blogs/bart/archive/2006/10/28/Windows-Vista-_2D00_-Demand-UAC-elevation-for-an-application-by-adding-a-manifest-using-mt.exe.aspx>
 
Re: Run As Adminstrator - why hasn't it saved us?

>
> You missed the point. I do not want to run as administrator. I don't
> think I should need such lofty privileges just to write programs. And if
> I turn off UAC then RunAs doesn't work.
>


The whole point of UAC is to allow you to run with an administrator account
when needed (as in a development environment) but still maintain better
security than previous versions of Windows. With UAC enabled when you logon
with an administrator account you get two tokens, a standard user token, and
an administrator token. The administrator token is never used unless UAC
steps in and allows it. In effect you are running as a standard user until
you see a UAC prompt. When you see a UAC prompt if you respond in the
affirmative the admin token is unhidden and the process will run with the
admin token. The key point is only that process has the admin token.
Everything else is still running as a standard user.

For development either turn UAC off or leave it on and run with an
administrator account. With UAC off you will need a different computer
(possibly virtual) for testing.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/
 
Re: Run As Adminstrator - why hasn't it saved us?

In message <10878302a19c380ba0d55200d531a8a9@nntp-gateway.com> riix
<guest@unknown-email.com> wrote:

>I don't disagree. This is why I wonder that Vista Home doesn't
>'promote' creation of basic accounts but instead creates Administrator
>accounts?

This is *exactly* what UAC does. Users are using a basic "user" level
token at all times, until a program requests administrator privileges.
 
Re: Run As Adminstrator - why hasn't it saved us?

In message <e100bf9a5d61a24164a35762cccd0b06@nntp-gateway.com> riix
<guest@unknown-email.com> wrote:

>To all that replied - thanks for your comments and no disrespect
>intended please, but seems we missed the issues:
>
>1) when attempting to run as a Power User, the "RunAs Administrator"
>seems to be completely wrong in concept, yet has been around since ..
>NT3? Can this really be? Or am I totally not understanding how its
>supposed to work?

First, there is no such thing as a power user in Vista. If the group
exists from an AD context, it has no particular rights on the desktop.

Second, if you're running as a standard user, "Run As Administrator"
hasn't changed, it still allows the user to run a program under a
different security context.

If you're running as an administrator already, then the UAC popup by
default doesn't require credentials (it already knows who you are, and
that you are authorized), so this is technically a regression as you
used to be able to run programs as any user. Luckily you can use group
policies to change this, if you need to be able to launch programs in a
different user context.

>2) Why does disabling UAC also disable "RunAs.." - again: these are
>totally different concepts, why are they coupled?

UAC controls the elevation process, and is largely what allows processes
from two different security contexts to interact on the same console.

>3) UAC is _not_ a minor inconvenience, it is a *major* hassle for
>members of a development shop. Its not just a click. Its the constant
>jarring effect of the screen going dim (or even black) for a second or
>two, the box, the click, the blink back to reality, then a few seconds
>later .. Event Viewer, IIS Admin, SQL studio, etc.
>
>Doing this, maybe 30-40 times a day? When XP just worked?

If XP "just worked" then you were running with administrative access
already, or you're using a program that requests administrative access
but doesn't need it.

>And all this because the Vista product, and Microsoft narrow-mindness,
>won't allow me to work in a more intelligent fashion - which is: as a
>Power User and *not* as an Administrator?

A Power User is just an administrator who hasn't promoted themselves
yet.

>4) and maybe that's a bottom line - why does Vista install and create
>its users as Administrators? A while ago my son bought a new Acer
>computer with Vista Home Exceptional (or whatever its called). First
>thing I did was create an Adminstrator id, write the password on his
>monitor, then downgraded his ID to Normal User. He's now been using it
>for over a month and HAS NOT EVEN NOTICED he's not an Administrator,
>that is, it hasn't affected him at all.
>
>Why doesn't Vista do this by default ?

Because the majority of users actually use their computers. They
install software (Flash come to mind anyone?), upgrade software, stuff
like that.

iTunes, Adobe Reader, Adobe Flash have all had security updates
recently, so either your son is horribly insecure, or uses the
administrator password. If he users the administrator password when
doing these activities then he's doing what UAC would have done for him.

UAC doesn't pop up randomly, it only happens when Vista detects an
activity happening that requires administrative privileges, or an
application or user specifically requests administrative privileges.
 
Re: Run As Adminstrator - why hasn't it saved us?


thank you. please no more responses. i'm buying a mac for me and my son.


--
riix
 

Similar threads

T
MpCmdRun.exe Failing When Run as SYSTEM User
Replies
0
Views
154
tramzee
T
S
Help with VirTool:Win32/DefenderTamperingRestore
Replies
0
Views
175
sebastian_display_name
S
M
SAntivirus
Replies
0
Views
112
Magfrog41
M
M
SAntivirus slow down my PC
Replies
0
Views
126
Magfrog41
M
U
Cannot run Windows Offline Scan
Replies
0
Views
94
UrSupremeOreo
U
Back
Top