Running as non-Admin sucks? Not for me, it doesn't...

Saturday, April 12, 2003

Ok let's be honest here... Running as non-Admin ABSOLUTELY SUCKS. There is no doubt about this one. I've been on the running as non-Admin kick on my home machine for a while and quite honestly it's not easy. We're all used to the "god powers" on our machines. Running as non-Admin you are more like a peasant than a god. I find myself having to switch back and forth between account ALL the time. I have some setup somethings setup as "run as" according to Raj Chaudhuri's recommendations (look in the comments). That makes it easier but hell running as non-Admin is still hard and not everything works. Andrew is right however. Running as non-Admin teaches you not to cheat as a programmer and security issues you never knew existed. Follow Andrew, Anil, and Keith's recommendation but dont fool yourself into thinking it's easy. It's not.

[Samer Ibrahim]

I just have to disagree somewhat with the "ABSOLUTELY SUCKS" part. I'm not sure what, if anything Samer is doing that I'm not, but I just don't find running as a non-admin to suck even a little. Just for the record, though, I don't think I ever said it was easy. There are a few inconveniences I've noticed, which include:

You can't conveniently run Windows Explorer as an admin, so changing ACL requires either using XP fast user-switching to switch over to an admin login long enough to change the ACLs, or using CACLS from a command line opened using Run As...
Norton Antivirus cannot successfully run LiveUpdate from a non-admin account (how stupid is THAT?), so in order to update your virus definitions, you have to switch over to an admin login session (though I think you might also be able to run LiveUpdate standalone using Run As... I'll have to try that next time). What's particularly irritating about this is that LiveUpdate pops up automatically at specified intervals, trys to run, but fails to properly install the updates. Guess what? This software was almost certainly written by someone running as Admin, which highlights why it's so important for developers not to do this.

I'd love it if everyone who has tried/is trying this could post a list of the things that they've run into that "don't work", and any workarounds they have. The more we can build up a knowledgebase of how to make running as a non-admin work, the more likely it is that folks will do it, rather than think that they can't do it.

5 Comments

Does this qualify as convenient?

You can launch Internet Explorer as Admin and switch to folder view while remaining in admin mode.

In XP, you can't do a run as from the "Pinned" start menu. You have to use a shortcut from Program Files, Quick Launch, etc.

Now, if I could just find away to launch iexplore in folder view...any ideas?

Drew Robbins - Saturday, April 12, 2003 5:56:00 PM

First, I should have been more precise. Launch Internet Explorer as Admin and turn on the Folder explorer bar (View | Explorer Bar | Folders). That's what I meant by "folder view".

This is interesting. Once you have this admin explorer open, applications including control panels are all launched as admin. This could also be dangerous - at some point you are basicly running as Admin again.

I wonder if there is someway I can color the background or make some visual indication just for this Admin explorer. So that I can see clearly what mode I'm in for that explorer. A bright red background, although annoying, would sufficiently warn me when I go to launch an app from this admin iexplore instance.

And it should be said, never browse the internet as Admin.

Drew Robbins - Saturday, April 12, 2003 6:09:00 PM

About LiveUpdate I disagree with you. Software that updates my antivirus should definitely require admin permissions. It should however fail more gracefuly when ran from a non-admin account. Liveupdate replaces .exe, .dll files, I can't see how it could run as non-admin. Am I mistaken ?

Julien Adam - Monday, April 14, 2003 8:40:00 AM

Julien,

No, you're probably right. LiveUpdate *should* require elevated permissions to run (not sure that it should require full Admin perms, but that's another issue). You are also correct, and I should have been more specific that what's stupid is that it will try to run as non-Admin, and fall over in such a way that it is completely unclear why it fails. If you didn't know that it was failing as a result of low privilege, you would have no idea how to fix the problem. THAT'S stupid, in my mind, and likely the result of developing with elevated privileges, or at least poor testing.

G. Andrew Duthie - Monday, April 14, 2003 10:16:00 AM

Sorry for coming in so late here. The answer to LiveUpdate is the same as for WindowsUpdate - it should be done by a service, not a user.

Also, see my blog for different ways to differentiate privileged from nonprivileged cmd, Explorer and IE windows.

Aaron Margosis - Friday, July 30, 2004 3:44:00 PM

Comments have been disabled for this content.