From DrJonest6d7h8@alum.MIT.edu [66.44.1.8] - 7/6/05 1:08 PM

I tried and tried and TRIED to get my machine to work in non-admin mode, but the Dell modem-on-hold wouldn't work in non-admin, at least for me, and I finally had to give up, cussing. The other software worked okay in non-administrator mode.

Win XP Home Edition
Dell Dimension 2400 Desktop; about 1.5 years old; plenty of CPU and RAM capability
Firefox 1.0.4

Please reply to the above e-mail address.

Tom

From Carlos Cabañero [80.58.53.170] - 7/7/05 5:45 PM

I've been running windows as nonadmin for a while now, and although -almost- everything is right now, I still have the sensation that we're trying to convert xp in what wasn't designed for. I think WXP SP2 has become a very secure and stable os, with some flaws, but nothing that could be fixed using a normal user account.

Nevertheless, I want to ask you a question about UI personalization. All the sessions share the same shell32.dll and this is a problem when you, for example, want to have different icons for your everyday user account and administrator account. Does anyone have found a way to do this? Any ideas?

Thank you for your time!

Carlos Cabañero

From mls [68.89.145.222] - 7/26/05 6:48 AM

Is there a way to change the user's file associations and values like editflags (in HKCU\Software\Classes) without using a registry editor? 

Explorer, and all of the existing tools that I could find, assume that the user is running as admin and try to update HKLM\Software\Classes.  

How about a UI like the file types tab in the folder options menu under tools in explorer?  One that updates HKCU rather than HKLM.

From kobak - 7/26/05 10:50 AM

I guess this is a rhetorical question, but has Microsoft considered adding a concept like Unix's "SUID" concept? I know there are a lot of security problems with that feature, but it seems to me that it would beat having to make everyone in your household an Administrative user just to run (take your pick: The Sims, Nero, Photoshop Elements, ....).

(If you're not familiar, the SUID file flag says "execute this program with the privilege of the file's owner, instead of the user running the file".)

From iloym@msn.com [203.120.178.225] - 8/23/05 11:40 PM

Hi, I've got pretty much the same problem as Tina.. I need to install MSN Messenger on my computer (along with other stuff) but my Administrator has restricted my privileges.. Need help in getting around that.. There was something about the registry thing that  I read in one of the pages but I don't quite know how to do it... Pls reply to my email.. THanks!

From Walter [70.153.139.75] - 10/9/05 7:10 AM

Where can one find a list of specific registry branches and file system areas that LUA's cannot modify or write to?  Or, conversely what specifically  can and cannot a LUA do from a registry and file system perspective?

From Charles Parker [68.228.114.233] - 10/21/05 6:18 PM

Hi,

I have wierd one for ya, and I'll even take a few guesses with open arms. I have been running a program (nascar simracing) using only the admin account for quite some time. I moved my PC to my RV and then back again a few weeks later (prolly not related but of note), anyway since then the game initiates but immediately crashes as though it had never started. On a whim I ran the game using my guest account, guess what it runs fine,although I cant save games. I have since created a new account with admin privelidges - with the same results as running the game under the admin account. I have heard of games NOT running under the user accounts and working under the admin accounts but never the other way around...any thoughts on that?

From tzachyb - 11/1/05 6:54 AM

OK, here is a toughy for you: How do I give restricted users the rights to modify the wireless network settings, both in the Windows control panel as well as the IntelProSet Wireless tools?

From Richard Hardwick [87.65.181.63] - 1/27/06 2:40 AM

 Thirteen evil things that happened when I tried to be a good non-admin user

 http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx
 says
    * Create a Computer Administrator account called “Admin”.  No password.
    * Create a Limited User account for each person who will be using the computer.  No passwords.
    * Enable the Guest account if it is anticipated that visitors may need to go online.

So I did that. Read on

(1.)  All original settings have disappeared
      There is an account called Admin (new) but there is no account called Administrator (original) on the welcome screen

(2.)  Path has been hosed

(3.)  Environment has been hosed
      (e.g. environment variables for TeXLive are gone)

(4.)  Most of my desktop icons (shortcuts) have disappeared

(5.)  And of the 8 desk top icons that are left, 3 have lost their settings ...
   (Mozilla Firefox, Google Earth, Alcatel Speedtouch)

(6.) Language settings are hosed
     And whatever I do, Firefox thinks I am a belgian (wrong)  who speaks  flemish (doubly wrong - some would take this as an insult)

(7.)  Some exe files are completely hosed
      .. MultiEdit programmers editor doesnt work at all  for ordinary users (though works for Admin)

(8.) Some exe files are partially hosed
      (e.g. Google Earth, Mozilla Firefox Sage, Outlook, V file viewer, have all lost settings or files)

(9.) Some exe files worked after re-installing
      (e.g. RapidFile database; Compass bookmarks manager)

(10.)  But other exe files  work as before,
    (e.g. gnu loc.exe; TreePadLite.exe; WinDB.exe; Dr Scheme)

(11.)  Settings for new desktop shortcuts to bat files are hosed
         bat files open in full screen and the desktop disappears

(12.)  Switch users and the internet connection drops

(13.) Switch users and  mysterious file "desktop.ini" opens in notepad

      Your help in how to revive Administrator account would be appreciated 

    Meilleures salutations - 
    Richard Hardwick

rch aroba skynet.be

From FrancoisRacine - 5/15/06 10:00 AM

On Windows XP Sp2, anyone found a way to use IIS 5 without admin rights.  I tried using it with .Net 2003, add the user to the vs developper group and debugger user, gave the rights to c:\inetpub  then ran a filemon/regmon.  When my test user is trying to debug a web page this is still not working and if I do the same test with local admin rights everything is working fine.

From Aaron Margosis [12.45.39.248] - 5/16/06 11:34 PM

To FrancoisRacine:  The issue you are probably running into is that in order to debug a web app (or any process) running under a different user account, you need to be an admin.  Some people recommend running the web app under your own user account for debugging purposes, but personally I recommend against this approach.  I prefer to run the debugger under my own account locally, but authenticating with an admin account on the server.  You can probably do that with a NET USE command, but I usually use RUNAS with the /NETONLY option.

From 24.200.158.13 - 5/17/06 3:52 AM

To AAron, IIS is install locally and they are creating their web page on their computer and debugging it locally.  Making them local admin is a big problem as:

1. they are uninstalling our certified antivirus and installing the one they want

2. Uninstalling our SQL 2000 Sp3 english and installing their SQL 2000 SP0 french... and infect with Slammer. 

 So we would be happy to solve that issue and removing the local admin needs for IIS. 

From Aaron Margosis [12.45.39.248] - 5/17/06 11:18 PM

To 24.200.158.13 -- some options:

* Have them run the web app under the same account.  I don't know off the top of my head whether they can create or delete web sites/apps with that - I'd have to check.

* Have them work in their own environment -- give them an isolated network, or Virtual PC/Server environments without access to the rest of the network.

From Making IIS developpers running IIS on their own account [24.200.158.13] - 5/19/06 5:14 AM

How can I do this?

From Aaron Margosis [66.92.150.174] - 5/24/06 10:37 PM

To "Making IIS developpers running IIS on their own account [24.200.158.13]":

Personally, I don't prefer the approach of using the same account that the developer is interactively logged on with.  The easiest way to do it with Server 2003 is to make the web app run in a separate pool, and configure it to run with the user's credentials.

From Making IIS developpers running IIS on their own account [142.213.66.212] - 5/25/06 7:42 AM

How are you making them run from a different account?

From Aaron Margosis [66.92.150.174] - 5/25/06 11:24 PM

To "Making IIS developpers running IIS on their own account [142.213.66.212]":

I run locally as my regular account, but connect to the web server with an admin account.  The way I usually do this is to run devenv.exe with "runas /netonly", specifying the admin account.  /netonly essentially says "keep using the same account I'm using locally, but when I do SSPI-based authentication to a remote machine (like the web server), I use these alternate credentials."

From Francois Racine [142.213.66.212] - 5/26/06 8:07 AM

But when you are trying to debug a web page from VS.Net, there is an access denied error.  I unlock some registry keys and Inetpub directory.  As I understand, the debug is trying to use asp.net account and then this is where the error occur.  Is it possible to make it work?

From François Racine [142.213.66.212] - 6/19/06 5:30 AM

From AaronMargosis - 6/19/06 11:25 PM

François Racine -- you need to change the access control list (ACL) of the service to grant start and/or stop rights to a user/group.  subinacl is one tool that can do that for you.  Make sure to download the latest version from microsoft.com, as the one that shipped with the Windows Resource Kit had bugs.

From a.h. [192.18.240.12] - 6/28/06 9:28 AM

How can I give a non-admin user access to perfmon?

When running perfmon the GUI pops up but no data are drawn.
I think that relates to non-admin users not having access to Win32_Perf tables

(in fact I wrote a VBScript which accesses Win32_Perf tables and it runs fine as admin but doesn't run as non-admin and I think perfmon accesses these tables so it's justanother way to show the inaccessibility) .

And to phrase this issue more general: can windows differentiate between read and write access to WMI tables (and how can you script this)? 

The background is a little different to the original purpose of this site: in essence I would like to enable non-admin users access to admin stuff without giving away the admin pw (so runas is not a solution, it falls more into the area of the 'suid' question which was posted previously). 

From brain.nz [203.173.177.72] - 7/3/06 1:23 AM

Hey all,

I want to know if there is a way to install an application that usually requires an Administration account using a Limited User Account? The program in question that I want to install is MSN Messenger. When I try to install, it tells me that I do not have sufficient privileges. Is there a way i can install this program using my account? Even if I can appear to be admin or something without hacking the password?

 Cheers,

brain.nz 

From AaronMargosis - 7/4/06 12:50 AM

To brain.nz:  No, you need to be an admin to install MSN Messenger.  No way around that.

From François Racine [142.213.66.212] - 7/12/06 6:23 AM

Oracle10gDS - Report builder question 

Actually, I am trying to make my Oracle users not admin on their computers. 

Everything seems to be fine except with Report builder.  When we are trying to run as a web presentation, I get the error below.

Them tmp file is there as the jsp.  If the user is admin then everything is working.  I cannot find a access denied on a file or registry key (regmon/filemon).  Any suggestion will be appreciate.

500 Internal Server Error

OracleJSP: oracle.jsp.provider.JspCompileException:

Erreurs de compilation :C:\Program Files\Oracle\SctHomes\ids904\j2ee\home\default-web-app\reptmp\docroot\3000\default\defaultWebApp\persistence\_pages\\_MODULE1000801888.java

From BobK - 7/24/06 2:43 PM

I have recently upgraded from Microsoft Office 97 to Microsoft Office XP standard edition installing via my administrator account on my laptop (which uses Windows XP home edition with SP 2). I do my day to day computing using a limited access account on the laptop. When I log on as the limited user and attempt to access either Excel or Word the windows installer continuously tries to install the office program for about a minute even though it has already been installed. After the minute has passed the installer gives up and everything is fine. For some reason I don't have this problem with PowerPoint.

When I switch the limited user to administrator privileges the problem is fixed i.e., the installer no longer runs repeatedly when I attempt to access Word and Excel and instead each program displays immediately. I have already tried uninstalling and reinstalling with the limited user account being changed to an administrator account, but once I switch an account from administrator back to limited privileges and then either log off or shut down, the problem begins again in any and all limited user accounts upon logging back into a limited user account.

From lossOfSignal - 7/29/06 8:43 AM

I have a question about using sudoWn on Windows XP Home. The sudoWn website suggests that it can be used on XP Home ("It is also handy for Windows XP Home Edition users where the Group Policy tool is not available so making precise security settings is difficult.") However, sudoWn requires that the nonadmin user be added to the Sudowin group in order for that user to be able to use the service. I can't figure out or discover how in XP Home to add a user to a group. (I can change groups if I directly run 'netplwiz.dll,UsersRunDll', but I can't add.)

Can someone either describe or point me to a resource for how to add a user to a group on XP Home, or confirm that it isn't possible and that I've misinterpreted the sudoWn website?

08/12/06 : I found the answer to my question and added it to the sudo Wn page.

From FrancoisRacine - 9/3/06 10:28 AM

I am looking to find the article about:  Making IIS developpers running IIS on their own account and I am finding nothing.  Any help will be appreciate.

François Racine

From JordanBrown - 9/9/06 12:33 AM

I've been trying to work around LUA issues (generally with games) using the Application Compatibility Toolkit, and in particular with Compatibility Administrator's LUA features.

 Often this works great, but occasionally AppFixes and AppHelp messages just don't seem to match the application, at least when I run it as a limited user.  If I run it as an admin, the AppHelp message comes up and the AppFix works, but when I run it as a limited user it doesn't.  Any clues?

 Blatant plug:  I'm trying to collect fixes for various compatibility issues (usually either 640x480 issues or LUA issues) at http://wincompat.com.  There's no traffic there yet, but it seems like it'd be nice to have a place to collect and discuss them.

From AaronMargosis - 9/9/06 11:24 PM

JordanBrown:  I don't quite understand your comment about the AppFix working if you're running as admin.  If you're running as admin, the LUA app fix isn't needed, so how can you tell whether it's working?

The LUA shims on XP are poorly documented and have hit-and-miss success (often "miss").  Have you looked into other remediations?  See the "Fixing LUA Bugs" series on my blog:
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

From JordanBrown - 9/10/06 9:52 AM

I agree that an LUA fix is tough to demonstrate as an admin, but a 640x480 fix remains relevant, and an AppHelp message seems like a clear way to tell whether or not the compatibility framework is triggering.

I've looked at other remediations - in particular, I used to open up access on the relevant files and directories using CACLS.  I'd like to use ACT techniques when possible, though, because they can be neatly packaged up in .SDB files to be applied to any of the several computers in the house, or to new computers on upgrades.

Right now my biggest issue seems to be with the ACT mechanisms failing to trigger at all for some applications, rather than with a subtle problem with the LUA fixes.

From FrancoisRacine - 9/13/06 12:42 PM

To make it clear.  Is it a good document about how to run IIS without the need of being a local admin?

From rajneeshhegde - 9/18/06 8:28 PM

Hi all,

Thanks for making LUA access a bit easier for all of us. One thing that I haven't been able to resolve so far:

The connection manager for my company's VPN needs admin privileges. However, when I'm connected to the VPN, browsers (or e-mail clients) that I run from my LUA don't have connectivity. However, running mstsc from my LUA still works. I'd appreciate any pointers to what the issue is, and to a work-around. Thanks,

 Rajneesh.

From mjerry - 11/1/06 1:40 PM

I have a situation I have not been able to solve.

We have a manufacturing plant with 1000 computers. 

• The plant runs 24/7 and wants to minimize any downtime. 
• All the users are setup with "Limited Privileges." 
• The computers are grouped by "Line." 
• There are between 2 and 25 computers on each Line. 
• We have a custom software application ("Line Application") that we want to update on each one of these computers. 
• Each Line is independent of the other Lines.
• When we update the software we want to update one Line at a time, and within the Line we want to update the "Red Dog" Computer before we update any other computer on that Line.
• Each Line has its own "Red Dog" computer. 
• I wrote another program ("Wrapper") that the Limited User will intiate. 
• Wrapper checks for updates to Line Application and ensures that all computers on the same Line are updated simultaneously (almost). 
• When updates are available, Wrapper invokes msiexec with an .msi file for Line Application updates. 
• The last step Wrapper does is it uses Process.Start to kick off Line Application. 
• Within Wrapper I am using CreateProcessWithLogonW and providing it with the userid and password for an Administrator. 
• When I use CreateProcessWithLogonW, and if there is an update, it takes 25 minutes for Wrapper to complete. 
• When I do not use CreateProcessWithLogonW, it takes 30 seconds. 
• And when I have used CreateProcessWithLogonW with the Administrator's userid, I have not had a successful install. 

Does anyone have any idea of what I can try to solve my dilemma? 

• I do not think a GPO would solve my problem. 
• A logon script will not solve my problem because I need to ensure that all computers in the same line are updated at the same time.
• Currently, a person from IT is sent to login as Administrator and update all the computers. 
• The Wrapper (if we can get it to work) would make the update hands-free. 

Any help would be greatly appreciated.

From tlyczko - 11/4/06 5:30 AM

With regard to:

"From Richard Hardwick [87.65.181.63] - 1/27/06 5:40 AM

 Thirteen evil things that happened when I tried to be a good non-admin user..."

I find that the best time to set up this sort of thing is on a NEW setup, not after the box/software have already been set up.

HTH Tom 

From tlyczko - 11/4/06 5:33 AM

Has anyone experimented with Microsoft Shared Computer Toolkit to determine which are the best settings to use??

We have used it in our company to create "de facto thin clients" that can only run the Citrix client and IE (to use our Citrix gateway server). Because it can lock the user profile and turn on Disk Protection (disk can't be written to!!!) we don't worry about stuff happening regardless of where people surf.

Thanks, Tom 

From MichaelHoffman - 11/7/06 1:56 AM

I can't seem to edit the Known Problems page, but here's a tip for use with PC-Pine:

 Set HKEY_CURRENT_USER\Software\University of Washington\PC-Pine\4.0 to be something like "%AppData%\PC-Pine" replacing %AppData% with what is actually in your %AppData% environment variable. For me this is "C:\Documents and Settings\Michael\Application Data".

In Control Panel > System > Advanced > Environment Variables, set USER_DICTIONARY to "%AppData%\PC-Pine\User Dictionary.txt". Again, you must replace %AppData% with its actual value or this will not work.

Why these are not the default is beyond me.

From sillymellon - 1/11/07 6:23 AM

Anyone know how to get BeInSync to run as non admin. Love the site! Steven

From testaredescript - 8/22/07 4:33 AM

Hello all. I'm trying to play a small mmorpg game called The Realm (www.realmserver.com) under a Limited Account in Windows XP. After i run a red screen with the logo of the game comes up and it just stands there eating 50% of the CPU. At home works perfect. It's not an install problem because i copied the 2 versions from the site and 1 version from home. If anyone is ready to do some testing just let me know. I'm behind a strict firewall too but i can work around it and i don't think that is causing the game to not start. I think it has to do something with ActiveX and not being able to write on "C:\WINDOWS\Downloaded Program Files". Feel free to come with ideas. Thank you.

From kwwall - 12/17/07 11:49 AM

Not sure if this is the proper place to post this or not, but I don't see anywhere else appropriate.

Two years ago, I used  TaxCut Deluxe 2005 to prepare my taxes on WinXP, and with the assistance of a post to this Wiki (probably now moved to [[OlderQuestions]]), I was able to get it to run in limited-user mode on WinXP. Last year, I upgraded to Vista. I received a prepaid update to TaxCut Deluxe 2006. Before opening, I saw on the package that it was compatible with Vista. What they didn't tell you in the fine print on the box was that in order to use it, you had to run it as an Administrator account. Unfortunately, I didn't find out until about 4/13 (who me? procrastinate?) so it was too late to get something else. I did send an email to the vendor (H&R Block), complaining, but never really received any satisfactory response. I made several attempts to get around this (registry hacks, file permissions, etc.) but was unable to run as any non-admin account.

Anyhow, I was wondering if anyone out there reading this has used some personal (USA) tax preparation software that does not require one to run as Administrator in order to work. Or perhaps has H&R Block seen the light and TaxCutwill no longer require Administrator privileges? I'd like to know before I go and purchase any such software this year.

Thanks,

-kevin

P.S.- Obviously, please inform me via this Wiki before 4/15/2008.

From AaronMargosis - 12/18/07 3:43 AM

I've been using TurboTax for personal taxes for a long time.  A few years ago they made changes to it so that it ran correctly for the non-admin user -- for the most part.  There is an add-on that comes with it called ItsDeductible to help with deductible contributions, etc (particularly non-cash contributions); the last time I tried it, it didn't like running as a non-admin.  And now I can't remember, but I think Vista's built-in legacy app-compat technologies (like file/registry virtualization) allowed it to work without elevated privileges.

From afx - 1/12/08 3:09 PM