using Windows LUA to admin XP

By jobeard
Oct 14, 2005
  1. I highly recommend this Windows LUA Article as a means to control systems with multiple users -- kids or others that have little real knowledge of systems administration.

    The concept is to run all users as a Limited Account and only use an Admin
    account for that intent.

    1. improved internet security
    2. controlled modifications to the system
    (1) is a result of not accessing the net with the Admin priviledge. If a worm or
    virus attacks via the net, only the user's environment can be compromised and
    the system itself remains unaffected. You can the get to the Admin account
    to effect the repair.

    (2) occurs by requiring the Admin password to use the Run As facility.
    Create a good admin password and keep it private and the kids can't do too
    much damage.

    Like most things in life, there's no free lunch (ie: there are some consequences to be aware of)
    (a) Some applications required Admin priviledge to run correctly. (eg: Norton, firewalls, Spybot S&D, Sypwareblaster, IE to run MS Software Update)
    (b) Applications which are already installed may be adversely effected due to (a)
    or they were installed in directories that are read-only for the Limited Account user. (eg: Quickbooks)
    (c) Applications which implement Autoupdate may no longer work correctly.
    A manual update may be required (eg: Norton Liveupdate).
    (d) You may get frustrated switching users or using Run As to do some updates or admin tasks. (eg: to use Cp->Admin Tools, you need to Switch Users because the Run As is not an option for Control Panel items).
    I went to the LUA environment on day-1 for my laptop and love it - - but I've done sys-admin for many years and (d) is not a bother to me.

    Create a new Account and make it Limited Priviledges. Login to it and test everything.
    Walk slowly thru this change with one login and try everything to make sure
    you're not going to be shocked with the consequences of (a-d).
    If you just can't live with it, all you need to do is to revert you LUA login to an Admin account.

    If you think you can live with this mode of operation, then here's the nuts and bolts of how-to.
    1. leave your personal login alone for now
    2. create a new login, assign a password, and make it a Limited Account
    3. switch users to the new login and test everything
    4. only when you're satisfied, use your login (ie the admin accnt)
      to change all existing accounts but yours to a Limited Account
    5. to get benefit(1) above, create a new Admin account (with a password),
      login at least once to let it get a profile, and while there, change your account to a Limit Account also.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...