nonadmin

How To

If you're a “show-me” kind of person, watch the webcast of Aaron Margosis's session from TechEd 2005: “TechNet Webcast: Tips and Tricks to Running Windows with Least Privilege” (from Other Resources)


Allow Users To Manage File and Print Shares

By default, the ability to manage file and print shares is granted only to members of the Administrators, Power Users, and Server Operators groups. See the blog post “How to allow users to manage file and print shares without granting other advanced privileges” for how to fix this using the TweakUI power toy (from Aaron Margosis).


Change The Time

See “Changing the system date, time, and/or time zone” for details on how to give a User account full access to the Date and Time applet (from Aaron Margosis's blog).


Change Privileges Without Logging Off and On Again

It's a common misconception that to change privileges you have to log out of your current logon session and back into a new one with different privileges. In fact, there are some Useful Tools, such as RunAs and MakeMeAdmin, that enable you to do most administration tasks while logged on interactively under a LUA account. RunAs requires a second user account and runs the specified process under this alternate account. MakeMeAdmin temporarily adds your LUA account to the local Administrators group. Both require you to provide an administrator account and password to perform administrator tasks.


Fix A Program That Requires Admin Privs

Mostly you just have to pay a little more attention to how your programs are installing themselves, and occasionally go back and fix programs that don't follow the MS rules. The gist of those rules is:

  • After install, don't write to %systemdrive%\Program Files or %windir%
  • After install, don't write to HKEY_LOCAL_MACHINE

Oh, there are a couple of others (see Developing As Non Admin), but 90% of the programs that don't work right as a non-admin are breaking one of these two rules. In either case, it's easy enough to fix programs that break these rules - just adjust the permissions on the appropriate files or registry keys. You can sniff these out with FileMon and RegMon from sysinternals.com (free!), usually in 10 minutes or less. Problem solved (from “Windows admins, give up your privs!”).
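The triage just described (trace the program, find the denied write, re-ACL only the object that needs it) as an added example; this is not code from the wiki, from Sysinternals or from Aaron Margosis. It applies the two rules above to a trace and goes one step beyond the paragraph: it also handles the case, raised in the comments below, where a program deletes and recreates a file, so a grant on the file itself is lost and only the parent folder could carry it, and it refuses to suggest relaxing the ACL on a system directory. The trace format, process names and paths are constructed for the example; real FileMon/RegMon exports carry more columns, so parse_line() has to be adapted to the export you have. The icacls command it prints is assumed available (it ships with Windows Vista and later; on XP-era systems cacls plays the same role).

```python
"""Triage a FileMon/RegMon-style trace for least-privilege failures.

Added example for the nonadmin wiki: not code from the page, from
Sysinternals or from Aaron Margosis.  It applies the page's two rules (after
install, no writes under %ProgramFiles% or %windir%, and no writes under
HKEY_LOCAL_MACHINE) to a trace: keep the denied writes, work out which object
actually needs the permission, and propose the narrowest ACL change.
"""
from dataclasses import dataclass
import ntpath

# Operations that imply a write; denied reads are rarely the problem here,
# because standard users already have read access under these locations.
WRITE_OPS = {"CREATE", "WRITE", "DELETE", "SETINFORMATION",
             "CREATEKEY", "SETVALUE", "DELETEVALUE", "DELETEKEY"}
# Operations that replace the object, so any ACL put on the object is lost.
RECREATE_OPS = {"CREATE", "DELETE", "CREATEKEY", "DELETEKEY"}

# Constructed defaults; on a real machine read %ProgramFiles% and %windir%.
PROGRAM_FILES = r"c:\program files"
WINDIR = r"c:\windows"


@dataclass
class Finding:
    process: str
    operation: str
    path: str
    category: str   # "program files", "windir" or "hklm"
    target: str     # the object whose ACL would have to change
    fix: str        # recommended action


def classify(path):
    """Name the rule a path falls under, or None for unprotected locations."""
    p = path.lower()
    if p.startswith("hklm\\") or p.startswith("hkey_local_machine\\"):
        return "hklm"
    if p.startswith(PROGRAM_FILES):
        return "program files"
    if p.startswith(WINDIR):
        return "windir"
    return None


def parse_line(line):
    """Constructed trace format: process<TAB>operation<TAB>path<TAB>result.
    Real FileMon/RegMon exports carry more columns; adjust the indexes here."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 4:
        return None
    return parts[0], parts[1].upper(), parts[2], parts[3].upper()


def recommend(category, operation, path):
    """Pick the narrowest object to re-ACL and say what to do with it."""
    recreated = operation in RECREATE_OPS
    target = ntpath.dirname(path) if recreated else path
    if category == "hklm":
        return target, "regedit: open Permissions on this key only and grant Users Full Control"
    if recreated and (category == "windir" or target.lower() == PROGRAM_FILES):
        # Letting Users create files in a system directory would let any program
        # plant files there; elevate the one program instead (MakeMeAdmin/RunAsAdmin).
        return target, ("do NOT relax the ACL on a system directory; run this program "
                        "elevated or get it fixed")
    rights = "(OI)(CI)M" if recreated else "(M)"   # inherit to children when target is a folder
    return target, f'icacls "{target}" /grant "BUILTIN\\Users:{rights}"'   # cacls on XP


def triage(log_lines):
    """Return one Finding per denied write under a protected location."""
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        process, op, path, result = rec
        if result != "ACCESS DENIED" or op not in WRITE_OPS:
            continue
        category = classify(path)
        if category is None:
            continue
        target, fix = recommend(category, op, path)
        findings.append(Finding(process, op, path, category, target, fix))
    return findings


# Constructed trace: one app that slips on three writes, plus a wallpaper
# changer like the one in the comments deleting a file in system32.
SAMPLE_TRACE = [
    "oldapp.exe\tOPEN\tC:\\Program Files\\OldApp\\oldapp.exe\tSUCCESS",
    "oldapp.exe\tWRITE\tC:\\Program Files\\OldApp\\settings.ini\tACCESS DENIED",
    "oldapp.exe\tSetValue\tHKLM\\SOFTWARE\\OldApp\\LastRun\tACCESS DENIED",
    "oldapp.exe\tREAD\tC:\\Windows\\win.ini\tACCESS DENIED",
    "oldapp.exe\tCREATE\tC:\\Documents and Settings\\alice\\Application Data\\OldApp\\cache.dat\tSUCCESS",
    "oldapp.exe\tCREATE\tC:\\Program Files\\OldApp\\logs\\today.log\tACCESS DENIED",
    "wallpapertoy.exe\tDELETE\tC:\\Windows\\system32\\toyhide.bmp\tACCESS DENIED",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_TRACE):
        print(f"[{f.category}] {f.process} {f.operation} {f.path}\n    -> {f.fix}")
```

Run it as-is to see the four findings from the constructed trace; to use it on a real trace, export the FileMon/RegMon log and feed its lines to triage(). The design point is in recommend(): the grant always goes on the smallest object that can hold it, and a folder-level grant is only ever proposed for the program's own folder under Program Files, never for %windir% or the Program Files root.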

Sometimes (only if the license agreement permits reverse engineering) you can fix a program to work well under a non-Admin account. See my example here: http://www.leeholmes.com/blog/CrackingSoftwareToRunAsNonAdmin.aspx - Lee Holmes


Make Ctrl-C Work in a RunAs Command Shell

To interrupt a running process in a command shell spawned from RunAs or MakeMeAdmin, you have to use Ctrl-Break instead of Ctrl-C (from Aaron Margosis's blog).


Make The Calculator and Character Map Remember Their Settings

The calculator and character map are very old applets that normally save their settings in the Windows folder. See “Remembering Calculator and Character Map Settings” for how to fix this (from Aaron Margosis's blog).


Manage Your Power Settings

See “Managing Power Options as a non-administrator” for how to give a User account full access to the Power Options applet (from Aaron Margosis's blog).


Tell If You Have Administrator Privileges

See Am I Local Admin for how to work this out with varying numbers of mouse clicks - or just run PrivBar.
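As an added example (not PrivBar, not the Am I Local Admin page, and not from Aaron Margosis), the check done the way those tools do it: look at the logon token's group list rather than at who the account is. The script reads the listing in the layout printed by `whoami /groups /fo csv` (assumed available; whoami with that syntax is built into Windows Vista and later) and reports three states, not two, because a restricted token (the SAFER “Basic User” level, or one produced by DropMyRights) still lists Administrators but marked “Group used for deny only”, which grants nothing. The listings below are constructed samples; only the SIDs are real well-known values.

```python
"""Decide from the current token whether you are effectively an administrator.

Added example for the nonadmin wiki; not PrivBar and not from Aaron Margosis.
It reads the group list of the logon token in the layout printed by
`whoami /groups /fo csv` (assumed available: built in from Windows Vista on)
and looks for BUILTIN\\Administrators.  Two cases matter beyond a plain yes/no:
  * a restricted token (SAFER "Basic User", DropMyRights) still lists the
    group, but with "Group used for deny only", so it grants nothing;
  * group membership is read at logon, so a shell opened before MakeMeAdmin
    added the account to Administrators keeps reporting a standard token.
"""
import csv
import io
import subprocess
import sys

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators


def admin_status(whoami_csv):
    """Return "admin", "deny-only" or "standard" for one whoami /groups /fo csv listing."""
    for row in csv.DictReader(io.StringIO(whoami_csv)):
        if row.get("SID") != ADMINISTRATORS_SID:
            continue
        attrs = row.get("Attributes", "").lower()
        if "deny only" in attrs:
            return "deny-only"          # present only so deny ACEs still match
        if "enabled group" in attrs:
            return "admin"
        return "standard"               # listed but disabled in this token
    return "standard"                   # not in the token at all


def current_status(sample=None):
    """Query the live token on Windows; elsewhere fall back to a supplied sample."""
    if sys.platform == "win32":
        out = subprocess.run(["whoami", "/groups", "/fo", "csv"],
                             capture_output=True, text=True, check=True).stdout
        return admin_status(out)
    return admin_status(sample if sample is not None else STANDARD_TOKEN)


# Constructed samples in the layout of `whoami /groups /fo csv`; the SIDs are
# the real well-known values, the listings themselves are made up.
HEADER = '"Group Name","Type","SID","Attributes"\n'
ENABLED = "Mandatory group, Enabled by default, Enabled group"

ADMIN_TOKEN = HEADER + (
    f'"Everyone","Well-known group","S-1-1-0","{ENABLED}"\n'
    f'"BUILTIN\\Administrators","Alias","S-1-5-32-544","{ENABLED}"\n'
    f'"BUILTIN\\Users","Alias","S-1-5-32-545","{ENABLED}"\n'
)
DENY_ONLY_TOKEN = HEADER + (
    f'"Everyone","Well-known group","S-1-1-0","{ENABLED}"\n'
    '"BUILTIN\\Administrators","Alias","S-1-5-32-544","Group used for deny only"\n'
    f'"BUILTIN\\Users","Alias","S-1-5-32-545","{ENABLED}"\n'
)
STANDARD_TOKEN = HEADER + (
    f'"Everyone","Well-known group","S-1-1-0","{ENABLED}"\n'
    f'"BUILTIN\\Users","Alias","S-1-5-32-545","{ENABLED}"\n'
)

if __name__ == "__main__":
    for name, token in (("admin", ADMIN_TOKEN), ("deny-only", DENY_ONLY_TOKEN),
                        ("standard", STANDARD_TOKEN)):
        print(f"{name:10} -> {admin_status(token)}")
    print("this session -> " + current_status())
```

On a Windows box the last line reports the real session; note that after MakeMeAdmin a new command prompt launched through it says "admin" while the shell you were already in still says "standard", which is exactly the token-versus-account distinction PrivBar shows in its toolbar.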


Use Windows Update as a Non-Administrator

The current versions of Windows Update (and Microsoft Update) do not work when invoked through RunAs - the desktop shell itself needs to be running as admin for these to work.

Workarounds (from Aaron Margosis):

  • Use Automatic Updates instead (or an enterprise solution), or
  • Log out, log back in as local Administrator, run Windows Update, log back out again

Comments

From Jonathan [195.200.28.190] - 11/28/05 2:51 AM

Hi,

Is there any way the example for allowing users to edit their power settings could be expanded to include Win2k machines, please? The help article on Aaron's site only works for XP machines. The registry option "Right-click on the “GlobalPowerPolicy” key and choose “Permissions”" isn't possible through Win2k regedit.

I've tried to find a way to enable our users to be able to adjust their power settings without having Admin rights, but I can't find a way anywhere. I hope you can help.

Jon


From REG [65.121.44.78] - 1/3/06 10:11 PM

Open regedt32.exe, navigate to the applicable key and set the permissions as described.

From And for developpers [142.213.66.212] - 1/25/06 7:07 AM

Here most of our users are locked down, with no problem at all. We are packaging (batch files) everything and testing the packages on computers with a locked-down account (an account with the least privileges).

The remaining problem is about how to deal with developers. Actually developers are local admins, but they are installing what they want and changing their configurations. It is hell to reinstall them.

We thought of installing VMware and then locking them down on their computers. But is it really the solution? We are not sure, because they will make their VMware session unstable...

Actually SQL developers, Oracle developers and MS developers are local admins. Do all developers really need admin rights???


FrancoisRacine@hotmail.com


From TOm Green [69.234.23.109] - 3/12/06 6:05 PM

Hi, thanks for helping me if you did, but I was wondering how to install Flash Player 8 without being an admin. It's really nothing; any tricks to bypass it or stuff like that??

From Aaron Margosis [208.29.145.75] - 3/13/06 6:45 AM

Flash Player installation -- like most program installations -- requires admin privileges. You're installing something that affects all users of the computer.

From PJDiller [66.170.138.3] - 3/14/06 9:36 AM

To get around the admin privileges needed for Flash, we've registered for a free "license" to distribute Flash and Shockwave on our network, which we are using SMS to publish in Add/Remove Programs if needed.

From woliver [167.7.28.140] - 4/17/06 1:58 PM

Here's one: I'm running XP Pro SP2 with all updates. Machines are on a domain all of whose servers are on Win Svr 2003 SP1 with all updates.

When I try to use the old MS Power Toy Wallpaper Changer (Wallpapertoy.exe, v.2000.0.0.6) as a non-admin user, it fails, throwing errors: "CreateFile", "WriteFile" and "HandleClose." I've tried using RunAs to run just this program as an admin with no luck, and have used RegMon to trace what's failing. I changed permissions on a few Registry keys, but the real problem seems to be that it requires write permissions to c:\windows. Even when I change permissions on the windows directory to allow the test user to do this, the program still fails. Anyone know of a workaround or of a properly-written desktop background changer?

Many thanks,

Walt

From Aaron Margosis [208.29.145.9] - 4/18/06 7:08 AM

woliver - the wallpaper changer sounded like a good test case for the "LUA Buglight" tool I'm working on. LUA Buglight reports that the wallpaper changer is creating and manipulating a hidden "toyhide.bmp" file in the system32 folder. (It should be in the user's profile directory instead of in a system-wide location - I'll file a bug.) Changing the permissions on the toyhide.bmp file doesn't help, because while changing images the wallpaper changer deletes the existing file and creates a new one. The new one of course does not have the permissions of the previous one. If the wallpaper changer can't delete the old file, it displays an error message and doesn't proceed.

Running the wallpaper changer in a separate admin account won't help, because it will change the wallpaper for the other account, not for the one logged in. The only workaround I see is to run the wallpaper changer in your current account but with elevated privileges. See my latest blog post for options, including MakeMeAdmin and RunAsAdmin. BTW, one option you should not consider is to change the ACL to the system32 folder itself!


Last Modified 1/23/06 10:21 PM