nonadmin

Known Problems

This is a list of problems encountered by users, plus possible workarounds. Please add your own problem, or solve someone else's! If you don't want to register as a user to edit the page, just add a comment.

You may want to Return Admin Only Software for a refund. Or you may be able to solve some problems using one of the Useful Tools. For example, SafeDisc lets you run more games as a non-adminisitrator.

Other sources of information:

Active Reports for .NET

ActiveReports has a problem with licensing. If you run the LicensePro as non-administrator it silently fails to update the proper registry entries (via Don Kiely's blog)

ActiveSync

I've found that to use activesync as a non-admin that I first have to add the device to a partnership in adminstrator mode then switch into my non-admin account and add the device there again. - Ian Ceicys

A few days ago I installed Windows XP Professional on a newly bought laptop. I installed Office Professional 2003 and ActiveSync 3.8 from the Administrator account, then I switched to my user account. I was able to set up a partnership with my Orange SPV C500 smartphone without any quirks. I think the problem is fixed in ActiveSync 3.8. - Ovidiu Platon

Adobe Photohop

Adobe Photoshop 7.0/CS/CS2 requires these permissions: http://www.adobe.com/support/techdocs/328409.html

-  Anton Vishnyak

AntiSpyware Beta

Microsoft AntiSpyware Beta does not like multiple users on a machine, meaning if you have one administrator account and one or more limited user accounts it repeatedly, over and over and over and over and over and over and over and over and over and over and over, issues warnings about default settings having been changed when all you've done is signed on to an account other than the one (administrator) that installed the software. I believe MS is aware of the problem, but it has been months and months since the beta was released and still no fix. - Mike Dworkin (dworkinmg2"at"(delete this).msn.com)

ATI Mobility Radeon graphics cards

If you have a MESH Computers D480W notebook with a ATI Mobility Radeon 9000 graphics card and you use a limited user account, you'll get the same message every time you log in telling you that you can use a TV display in conjunction with the notebook. According to ATI this message should only appear right after you install the driver for the Radeon card, and there’s a "Do not show this message again" checkbox that you can tick so you don’t see it every time - but with a limited account it can't write the Registry key to save the fact that you don't want to see it again. Ticking the box as an administrator should solve the problem; if not you have to find the relevant Registry key and change it under HKEY_USERS (not HKEY_CURRENT_USER). Or change the limited user accounts to administrative users, tick the checkbox and then put them back to being limited user accounts. - Mary Branscomnbe

Mary: You can unlock the security on that part of the registry so that a user can update it as an alternative to your suggestion. This would be more appropriate if the fix was required on more than one device. - Alex Milne

AutoCAD (prior to version 2004)

If you are using Autodesk AutoCAD, or AutoCAD-based products (Map, Mechanical, Raster Design, etc.), prior to version 2004, they write transient/user values to HKLM and therefore cause non-admin users a lot of grief.  This was resolved in version 2004 products and later.  A lot of small AEC and manufacturing shops still use older versions and tend to grant their users admin rights to work around this issue. - skatterbrain

Avantgo Client (ships with ActiveSync)

The Avantgo client that ships with Windows Mobile and ActiveSync does not allow the access to or storage of synchronisation profiles when running as a limited or least privileged user. This is solved by the current version of the Avantgo Client which can be downloaded from the Avantgo website. - Oliver Carr 

Belkin Wireless G Desktop Network Card

You can add the Belkin Wireless G Desktop Network card drivers to your list.  The wireless card will not operate unless logged in with an Admin account...so much for using XP Home with limited access accounts. - Whoopi

Broderbund Print Shop

Requires Administrator access, with no apparent workaround - Christian

Ceridian HR/Payroll Jet

Ceridian installs with the assumption that it will be run as an admin user.

Dell Modem-on-Hold Software

I tried and tried and TRIED to get my machine to work in non-admin mode, but the Dell modem-on-hold wouldn't work in non-admin, at least for me, and I finally had to give up, cussing. The other software worked okay in non-administrator mode. [If anyone has any ideas for Tom, please e-mail DrJonest6d7h8@alum.MIT.edu]

EasyShare

I am seeking a way of allowing EasyShare to run in a non-administrative account... I mean come on...  who the hell writes this stuff...  Software Development for the HOME user is one thing...  but in an Enterprise Network where regular users don't get Administrative rights is a totally different issue...  any suggestions/assistance would be most appreciated.  mchadwic@water.ca.gov

EDconnect and EDExpress

Requires directories permission changes to run non-admin.

eMbedded Visual C++ 3.0 and 4.0

Numerous directory and registry permissions changes are required to run non-admin. Problems include writing vccedb.ldb file to %ProgramFiles%\Microsoft eMbedded Tools\Common\EVC\bin when multiple instances are opened, writing to vccedb.mdb file on first run and when new processor types are installed, Platform Manager registry is accessed with KEY_ALL_ACCESS permissions.

If user does not have permission to write to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Tools\Platform Manager, eVC (or possibly Platform Manager) will make a partial copy in HKEY_CURRENT_USER. However, certain values - such as the Executables Path values for locating build tools - are not copied.

Fiberlink Global Remote  (VPN dialer)

Determined that this will only work when the user has rights one way or another to change a single binary value in "HKEY_LOCAL_MACHINE \ SOFTWARE \ Fiberlink"  -PJDiller

HP Photo and Imaging

Runtime Error in Microsoft Visual C++ Runtime Library.
Program:  c:\program files\Hewlett-Packard\Digital Imaging\bin\Hpqdirec.exe
FIX by adding permissions to the referenced executable:

http://h10025.www1.hp.com/ewfrf/wc/genericDocument?lc=en&cc=us&docname=c00043804 

The suggested fix worked just fine... except I didn't have to use Full Control.  Change rights work just fine.  You could use the user in question, or Interactive Users, Authenticated Users, Users, etc.  -PJDiller

Jenzabar EX

Requires directories permission changes to run non-admin. Running Jenzabar without Admin privileges is not supported by Jenzabar (the company).

Kodak Easyshare

The first time Easyshare runs it must be under an administrative account. If you leave their update notification system on it will throw an error message whenever a non-administrative user logons in. If you have Easyshare itself to run on startup then it will display a dialog box complaining you are not an administrator and some functions may not work. You cannot turn this dialog box off.

MacroMedia Flash

Flash player (+ Mozilla Firefox) no longer installs properly as of version 8.x. When you click on install_flash_player.exe it automaticallly installs the files to wherever it thinks you need them (without prompting for ANY interaction) - then its done. You can not do this as a non-admin account, and non-admin users no longer get the function of the installed flash player on the admin account.

I'm talking about version 8,0,22,0 available here: http://www.macromedia.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash - J.

Macrovision Copy Protection

I'm trying to let my children run as LUA (xp-pro sp2 ) and encounter this problem :

I have a game disk (Rayman2) with Macrovision copy protection. I have run the fix for the secdrv.sys. With Filemon (sysinternals) I see that an administrator account finds the c:\windows\system32\drivers\secdrv.sys. But as a restricted user (actually not any more, have opened up everything trying to find my problem) it finds F:\secdrv.sys (where F is the dvd). Apparently finding drivers is not the same for the different users.

Anyone have a clue ??

Regards, Marcel (Marcel.Olij@essent.nl)

Maxthon 1.3.x

Maxthon, a tabbed web browser based on IE6 (formerly named "MyIE2") does not like running with limited, not even Power User, rights.  They have a few workarounds, but even those are "kludgy".  Sharing it on a single machine with multiple users is even more difficult.  - skatterbrain

MediaFour XPlay

MediaFour XPlay, a Windows Explorer add-in to support the iPod, must be run with administrative priviledges. A workaround is to use MakeMeAdmin and a command script that launches a shell rooted at the \XPlay Music folder on the drive hosting the iPod.

In http://blogs.msdn.com/kevinha/ Kevi W. Hammond gave a link for  what you need to do so XPlay works when running from a non-Administrator (LUA) account at assist.mediafour.com. - w.ewert at gmx.net

Mozilla Firefox & Mozilla Thunderbird

Installing these programs in the default C:\Program Files folder will not work for limited users if they don't have write privileges to that folder.  However, they WILL install and run if you change the default installation folder to one for which the user has write privileges. - nonadmin@wrcraig.com

The preceding information must be for an old version of these programs. I run a network of 70 users who use Firefox as their primary browser; they run as regular users and have only read and execute privileges to the Program Files folder. We've used this configuration for over a year with only one minor problem: If you use Firefox to set your desktop wallpaper it stores the bitmap in the Windows directory.  If you give the user Change permissions to c:\Windows\Firefox Wallpaper.bmp then even that problem disappears. I have less experience with Thunderbird, but have used it as a regular user with no problems.

Motorola Wireless Network Utility

The Motorola wireless network utility will not work unless running as an administrator. It does not give any error messages, it simply will not function. (Verified with v3.40.24.0).

MyNetWatchman

Needs write access to the HKLM/Software/myNetwatchman key to run as a limited user.

MySQL Query Browser 1.1.5

This has issues when installed as Admin and then running as non-admin - Eric

Norton One Button Checkup

Anyone had any luck getting Norton One Button Checkup to run using "Runas" from non-admin account? - bwessner

I usually do all my "maintenance" signed in on my Admin account, but did try to use my One Button Checkup via RunAs from my LUA. And yes, it worked. - Callie Jordan

OpenOffice 1.1.4

You have to use the Network setup on a multiuser system, setup.exe -net. For OpenOffice.org 2.0, the Windows Installer is being used so this will not be necessary. - Brant Gurganus

Palm Software

If you've tried to do it, you know whereof I speak. - philcrissman.com

The trick to this problem is in the setup.  Someone who has administrators rights must first add the user of the PDA\Palm software temporarily to the Administrators group on the local machine.  Then the user, who now has administrator rights, logs back in and can install the software and MUST perform a successfull synch to the PDA.  Log off the user have the administrator log back in, make sure that the PDA is recognized and then take the user out of the administrators group.  When the user logs back in the PDA will still work correctly. -VANADM

Picasa

Installing this in the default C:\Program Files folder will not work for limited users if they don't have write privileges to that folder.  However, it WILL install and run if you change the default installation folder to one for which the user has write privileges. - nonadmin@wrcraig.com

PTC Pro/ENGINEER

Discovered multiple executables try and fail to get through the Windows Firewall in XP SP2.  You can use a GPO to open the firewall for the executables.  pro_comm_msg.exe, nmsd.exe, xtop.exe

An additional change was to grant permissions to the special user "INTERACTIVE" for permissions to %programfiles%\proeWildfire 2.0 (Change rights).  The problem this solves is that before this you could not modify the ModelCHECK config file, stored in Program Files. -pjdiller

QuickBooks

QuickBooks needs to be installed as an administrator, however, QuickBooks can be run as an LUA (i.e. a member of the local Users group in Win 2K+) by performing the following three actions:

  • Fire up regedit (Start->Run->regedit) or the registry editing tool of your choice and grant the desired LUA user/group(s) full control permissions to the entire HKEY_CLASSES_ROOT tree. You can assign these permissions by right-clicking on the HKEY_CLASSES_ROOT tree located in the left pane and choosing "Permissions..."
  • In your registry editing tool again, grant the desired LUA user/group(s) full control permissions to the HKEY_LOCAL_MACHINE\Software\Intuit key.
  • Navigate to the C:\Program Files folder substituting the drive letter with whatever may be appropriate for your installation of QuickBooks. Assuming that you used the default installation path, right-click on the Intuit folder and choose Properties and then go to the Security tab. Add the desired LUA user/group(s) and grant them "Modify" permissions. In the GUI for the security tab, assigning Modify permissions also grants all lesser priviledges which is the desired behavior for this case. You can also make the permissiosn changes in this step using the command-line cacls tool.

In my non-exhaustive test, you can't get away with anything less than full control in the first two steps above. File & directory ACL's don't aren't exactly the same as registry ACL's.

I have successfully used these steps on several QB installations versions 2002-2004 all on Window$ XP. However, that doesn't necessarily mean that they will or will not work on older or newer versions of QuickBooks. Feel free to email me if you have questions or issues.- Jonathan Nalley

[CAUTION: Access to HKCR is a significant portion of what you would want to deny by using a LUA account, and with full control of HKCR a user can make himself/herself a local administrator. Also, when adding permissions to objects you may not want to use domain accounts, as permitted users would be able to connect to these computers remotely and access/modify the objects (registry, files, QB data, etc).]

Real Alternative

Real Alternative will crash if it doesn't have write access to the %Program Files%\Real Alternative directory. This can be corrected by giving write access to the desired users. - Tim Meser

I just installed Real Alternative 1.41 on more than 120 Windows XP SP2 desktop machines formatted as NTFS, and I don't see the crash that Tim Meser describes. The installation itself was run under administrative rights but regular users can successfully play Real audio and video. They can also use the "RealMedia Settings" applet. I have verified that none of them are Power Users nor Administrators; they are strictly members of the Users group. I have double checked the NTFS permissions at the folder and individual file levels. These machines were all freshly imaged within the past 60 days and strictly managed via Group Policy, so I know there are no special user rights that have been granted at the local or domain level.

In the past, however, I have seen weird system behavior on machines where the full Real Player was previously installed-uninstalled before Real Alternative, and there have occasionally been some careless releases of Real Alternative (such as 1.40 which referred to itself as QuickTime Alternative in some places...doh!) so those might explain Tim's experience. AFAIK, Real Alternative 1.41 is Non-Admin friendly (after installation). - Ronny Ong

Sage Accounting

I have just spent about an hour trying to get Sage accounting software to run under a non Power user mode. the system is still not locked down as much as I would like but I cannot seem to find all the files that need write access. The windows folder needs write access as does the folder that the program resides. i cannot believe that a company as big as Sage could commit the cardinal sin in insisting the Windows folder needs write access. As I was so anoyed at what I was having to do to get it working I allowed all the error reports to be submitted to Microsoft. - Helen.

Sims 2

The Sims 2 will refuse to run as non-admin, but this is corrected with the installation of the University expansion pack. - Tim Meser

Sonic Innovations EXPRESSfit 5.0 Innova module

It is a module for a system called NOAH which is for hearing aids. Most major manufacturers of hearing aids have software that is compliant with NOAH. These guys are not. The module in question will not run without Administrator permissions.

They are very unhelpful too, and their "tech support" people have no advice other that "reinstall it" which (obviously) doesn't work. They in fact, don't even understand what I'm talking about.

THIS IS SO ANNOYING!!!!!

Bryan McNally, qmacker@yahoo.com

Toshiba Power Saver for Satellite notebooks

This is a shotgun approach rather than a more surgical approach but it works.  Give permissions in the registry to users or to interactive to the following keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\TOSHIBA\Power Management
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg

TurboTax

Earlier versions of Intuit TurboTax must be run as Administrator. TurboTax 2004 now lets you run as a user. However, you have to be an administrator to install updates to the program, and the “ItsDeductible” add-on does not work as non-admin at all.  It just vomits up a big ODBC error message and dies.

Uru (of the Myst series)

The following locations must be writable to run as a limited user: plClientSetup.cfg, dev_mode.dat, log/, init/, MyJournals/, KIimages/, sav/, and dev_mode/

Webroot Spy Sweeper v3.0

Must be run as an administrator; will give an error and shut down if not.

WinAmp 5

WinAmp stores its settings in an ini file in the installation directory. Unless the directory permissions are changed, non-privileged users will be unable to change the preferences and some actions (accessing streaming media) will crash the program.

There is a multiuser plugin for Winamp that can be used to give each user their own settings.

Windows 2000 and Windows XP Printing

If you get an error message that says "Current printer is unavailable. Select another printer" when you try to print an Excel document, or one that says "No printers are installed" when you try to print from PowerPoint, this may happen because your user account doesn't have sufficient permissions to create a file that's necessary for printing. You can get a hotfix that will solve the problem. To find out how to get the hotfix, see KB article 873396 at: http://www.wxpnews.com/rd/rd.cfm?id=050802CO-KB_873396 - Callie Jordan

Windows Explorer

Attempting to launch explorer.exe via RunAs rarely works as expected.  In many/most cases, it simply does nothing, even when invoked from a cmd.exe shell which was already launched via RunAs (scenario: open cmd, type runas user cmd, enter your password, launches another cmd as expected.  Type in explorer and hit Enter....nothing). - skatterbrain

Windows Explorer can be run in a separate context without the usual tricks of running iexplore or changing the "Launch folder windows in a separate process" option.  The trick is to run "explorer /separate". - Scott Crawford

To get RunAs working securely with Explorer, see this definitive article from [Aaaron Margosis]: "RunAs with Explorer" - How to get Windows Explorer to work with RunAs (and why you might want to).

Windows Installer 3.x

MSI packages do not expose a "Run As" option on the right-click menu by default.  You can enable it with a registry hack under HKCR as shown below.  This modification requires local administrative privileges in order to execute successfully.  This default behavior imposes some limitations on administrators who attempt to perform such "out-of-band" tasks while a non-admin user is logged on. - skatterbrain

[HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
@="\"%1" %*"

The same is also true for VBscript (.vbs), Javascript (.js), Batch and CMD scripts (.bat and .cmd respectively)

Windows Wireless Networking

For the longest time I've been frustrated by my laptop wireless network connection losing its DHCP IP address and reverting to the auto-IP 169.x.x.x address in WinXP Pro. Unfortunately, there doesn't seem to be a way to invoke the 'repair' function to reset the DHCP info from a non-admin account. Is this a "known problem" or is there a workaround? - tcwan

Comments

From Bryan (http://adminfoo.net) [216.231.47.55] - 2/2/06 8:43 AM

Has anyone found a solution for allowing LUA to unblock programs that Windows Firewall is blocking?

From Richard Hardwick [87.65.174.107] - 2/4/06 7:55 AM

Non-admin confusing error message 

I have a HP xw 4300 workstation, running Win XP professional.
If as Non-admin I try -- "Learn more about your PC" in "Windows XP Professional Help and support Centre", then I get the message
    >Page not found
    >If you clicked on a link to get here, there may be a problem with the
    >link. Sorry for the inconvenience this might have caused.

of course, as Admin, the link works

From Sylvain Demers [206.47.122.59] - 2/10/06 12:04 PM

Earthlink Pro Dialer

The Earthlink Pro Dialer only works as a member of the Administrator group.  Power User isn't even enough. Of course, when I called Earthlink about this, and their response was that "it is a problem with your operating system."

Yeah, right!

From Spudgun [81.132.102.51] - 3/11/06 11:14 PM

Windows Wireless Networking

Assuming you are using XP pro you can invoke the 'repair' function of wireless by making users or group members in to Network Configuration Operators under local group policy. In theory this can also be applied through a network policy as well but i've never tried.

From Sean McGovern [72.139.46.189] - 3/16/06 8:35 AM

Not for the faint of heart, and of course the usual warnings apply about messing around with the registry, but I got Flash 8.0.24.0 to work by giving my user 'Full Control' on the CLSID registry key for Flash.

 In Regedit (as a user with admin priviledges), go to HKCR\MacromediaFlashPaper.MacromediaFlashPaper and note the value in the CLSID subkey. Go to HKCR\<that CLSID> and right click it, select Permissions, add your non-administrative user (or the whole Users group... not sure why this is missing) and give them Full Control. Close regedit and try to load a page with Flash content as your non-admin user.

Those of you feeling experimental can see if you can get away with lesser permissions on that key, as Full Control probably opens it a bit wider than is necessary.

From Grateful XP user [207.202.172.6] - 3/24/06 2:40 AM

(wrt Flash 8)

 Thank you!  This worked perfectly.  And yes, you're right, maybe Full Control is more than is actually required (and maybe you don't even need to change the permissions on the CLSID key in question...there may just be one sub-key under it that needs fixing).  But what the heck.  For now, it works, and I can look into the "minimal" fix later.

I can't believe I wasted so much time thinking this was related to security settings or some such issue.  Grrr...

On the bright side, I have learned of a new resource on the Internet.  This page looks great!  Just what the world needs, until software developers can get in the habit of testing their software on limited user accounts (not holding my breath).

From Grateful XP User [207.202.172.6] - 3/24/06 3:34 AM

Update:

Okay, I got curious, so now I have something that is pretty close to the minimal permissions required.  You can get by with enabling the "Query Value", "Enumerate Subkeys", "Notify", and "Read Control" permissions on just four keys:

* The main GUID key (whatever you looked up in the previous step)
* "Implemented Categories" (under the main GUID key)
* "InprocServer32" (likewise), and
* "MiscStatus" (likewise)

It's possible even fewer permissions are really required, but I think the above is pretty minimal. In fact, given that none of the needed permissions allow writing (overwriting the InprocServer32 key would be one of the biggest things I'd be concerned about, and that won't happen with these settings), I think it's reasonably safe to just set the main GUID key and allow all of the sub-keys to inherit the new permissions.

From Aaron Margosis [66.92.150.174] - 3/26/06 5:15 PM

For some reason, I haven't had the Flash problem on my system.  Grateful XP User, the permissions you describe are the standard Read permissions for registry keys, which *should* be in effect without doing any tweaking.  On my system, I found that their CLSID key had some unusual permissions on it, including denying Everyone and ANONYMOUS the Set Value and Delete permissions.  I don't know what set those permissions on the object, but the Users group is granted Read, which should be enough.  Other than those two DENY ACEs, the rest of the DACL appears to be inherited from HKLM\Software\Classes\CLSID.

From paulblair - 3/27/06 9:43 AM

FYI: The latest version of WinAMP 5 supports per-user settings.

From shirazuet@yahoo.com [203.175.101.154] - 4/4/06 11:21 PM

i am working on Pro-E on the XP Windows.

there is a problem encounter me that when i click on the pro-e to open for working . there is messages "pro_comm_msg" appears on screen.when i close it ,then i normally workd.

can this cause roblems for me in future.

solution of it??

From Grateful XP User [207.202.172.6] - 4/6/06 11:54 PM

"For some reason, I haven't had the Flash problem on my system.  Grateful XP User, the permissions you describe are the standard Read permissions for registry keys, which *should* be in effect without doing any tweaking.For some reason, I haven't had the Flash problem on my system.  Grateful XP User, the permissions you describe are the standard Read permissions for registry keys, which *should* be in effect without doing any tweaking."

Well, that wasn't the default permissions on my XP installation.  It is unclear to me what the normal defaults are.  I do know that, without me having fiddled with them, my various XP installations sometimes seem to have different permissions set.  I don't know whether this is an XP versioning or security update issue, or if I have at some point along the way installed software that "adjusts" the settings on my behalf without my knowledge (during an admin-enabled install, for example).

I presume that the reason you don't have trouble with Flash 8 is that your settings already allow it to run fine.

All I know is that on my own XP installation, the existing permissions did not include granting read access to non-admin users, and doing so allowed Flash 8 to work for non-admin users.  Perhaps this is supposed to be the default all along, but it wasn't on this install nor on at least one other I checked, and there's at least one other guy posting here for whom it wasn't the default either.  :)

The next time I install XP fresh on a PC, you can bet I'm going to look more closely at what the permissions are by default.  One of my frustrations has been not having done so before, and coming along a year later (more than three years later now, but at least a year had gone by before the first time I thought to look) only to find something set in a way that I think doesn't look right.  I never know if this was "by design" with respect to XP or the result of some ill-behaved software that I unwittingly ran.  I do hope to correct that gap in my knowledge one day.

From Liudvikas Bukys [67.138.185.114] - 5/8/06 4:45 AM

On my XP system, for getting Flash to work non-admin, it sufficed to find the CLSID key and give it an additional "Everyone Read" permission.

From Steve [141.158.20.2] - 5/8/06 7:16 AM

Norton Internet Security 2006 - Firewall

Problem: When opening a new program (or new version of an installed program) the firewall will not allow the software out to the internet, will not notifiy you that it was blocked, nor will it prompt you to allow or deny it.  This includes programs that it would automatically configure firewall rules to allow (aka "safe list" programs).  You are also unable to configure any firewall rules.

Workaround: To allow the program to access the internet, you must log in as admin and run the program so a new rule can be created.

Comments: It's not a big deal other than for non-technical users who are mystified as to why a program can't get to the internet or perform its intended purpose.

 I think the best solution woud be within the software there could be an administrators list, where a local admin could allow other accounts to administer the software (or portions of it).

 Oh well, I guess by not fixing it they give you an incentive to upgrade!

From Aaron Margosis [66.92.150.174] - 5/9/06 7:06 AM

Steve -- Outbound filtering is at best a very weak defense against malware, and mostly just serves to annoy users with meaningless dialog prompts.  Jesper's explanation is good:  http://blogs.technet.com/jesper_johansson/archive/2006/05/01/426921.aspx

 

From Smiegel [64.219.124.132] - 5/9/06 3:24 PM

I solved the EasyShare access problem by using the following command in a DOS prompt (As administrator):

cacls "C:\Program Files\Kodak" /e /t /p Users:F

This grants regular user accounts the permission to write to the program directory.  When you launch the program, it still complains that it's being run as a limited user, but it runs fine.

From Aaron Margosis [66.92.150.174] - 5/10/06 6:34 AM

Smiegel - that's probably overkill and excessive exposure.  See "Fixing LUA Bugs, Parts I & II" for guidance:

http://blogs.msdn.com/aaron_margosis/archive/2006/02/16/533077.aspx

http://blogs.msdn.com/aaron_margosis/archive/2006/03/27/562091.aspx

From Josh Barrick [71.244.144.94] - 5/24/06 8:30 AM

Argali:

Requires directories permission changes to run non-admin.

From tilaye [213.55.95.4] - 5/25/06 12:33 AM

I have a w2k domain controller and w2k clients. Since users do not have the privilege to install USB drivers, we have to log in with admin, install the driver and log in with the user's account again. I know that that I can give "load and unload drivers" permission (in GPO) to users but that is unecessarily powerful privilege. Is there any policy setting which can allow non admin users to install USB drivers?

From terry [24.11.218.134] - 7/10/06 6:08 AM

Re: Belkin Wireless G Desktop Network Card and "limited user" account under Windows XP

 I managed to get through to a second-level supervisor at Belkin tech support.

He told me that for this card to work for non-admin accounts, you need to set up so that Windows, not the Belkin wireless utility manages the connection. In the Belkin utility, disable the setting that says for Belkin to manage the connection. In windows TCP/IP properties, wireless networking tab, check the box that says for windows to manage the connection. Configure the connection using the windows wireless networking settings. As long as you let windows (not Belkin utility) manage the connection, and do all of your configuration as an admin, any user -- limited or admin will be able to use the connection without problems.

From terry [24.11.218.134] - 7/15/06 9:47 AM

Merely telling the belkin wireless utility not to manage the connection turned out to be insufficient.

I had to uninstall the belkin wireless utility (which also uninstalls the driver). Then install just the driver (device manager "update driver") without installing the Belkin utility. The files for the driver can be found if you extract the Belkin utility   installer (F5D7001_1212.exe) and look in the FILES\DRIVERS\WINXP2K directory (note that the FILES directory is hidden so you may need to take special steps to see it). With just the driver installed, not the utility and windows managing the connection, all users, limited or not, can connect OK.

From mdimmick - 8/20/06 8:09 AM

I can't seem to edit the page at the moment (I get a complaint about JavaScript in the page) so I'll add this as a comment.

Visual Studio .NET 2003 "smart device" deployment and debugging has an issue when connecting to a device for the first time (or a device that has been cold booted, hence losing its association data). If you're not running as an administrator, the connection fails. It seems to need to write the desktop side of the encryption keys to some location that a low-privileged user cannot write to. Using 'makemeadmin' just for one session to set up the device connection fixes the problem; after that, a low-privileged VS.NET can connect to that device.

From FrancoisRacine - 9/4/06 6:20 AM

About Quickbooks, it is possible to make it run without admin rights.  What is happening is Quickbooks is creating HKCR keys and deleting them at end.

So what you need to do is to identify those keys, create them and remove the delete right for those key only.  Then add full control for all subkeys.

So Quickbooks will not be able to delete/create keys in HKCR but will be able to populate subkeys. 

 

From AaronMargosis - 9/5/06 6:56 AM

Francois - QuickBooks non-admin bugs are much more extensive than just writing to HKCR.

From FrancoisRacine - 9/6/06 6:43 AM

About Quickbooks

Actually we are packaging Quickbooks 2001.

If a user is not admin then the software will just not run.  If you create all HKCR and then prevent quickbooks to remove them but permit quickbooks to populate them the software will run.

I would like to know what others problem you are thinking.

From kwwall - 3/25/08 8:07 PM

Regarding TurboTax and nonadmin...just finished using Intuit's TurboTax Basic 2007 on Vista Home Premium and am pleased to announce that, other than the initial install and running updates, it works great running as LUA. No registry or other permissions hacks required. (For the record, last year I tried H&R Block's TaxCut Deluxe 2006 and it not only required admin priv to install, but also to run. I wasn't even able to make similar hacks that I had to XP to get it to work. Complained to H&R Block, but only received excuses, so this year I switched.)

Menu

Home
.. Definitions
.. Site News
.. Why Non Admin

Running As Non Admin
.. How can I lock down the Control Panel...
.. Browsing As Non Admin
.. Developing As Non Admin
.. Gaming As Non Admin
.. How To
.. Known Problems
.. Other Resources
.. Press Articles
.. Useful Tools

Wiki Contributors

 
 
 

Last Modified 5/30/06 1:56 PM