Built-in admin account

External Since: Nov 23, 2006 Posts: 310

I created a standard user account to use for my daily activities thinking I
could just use run as administrator when necessary. I was thinking that
this "best practice" might actually be more practical on Vista whereas on XP
its not possible to "run as..." on control panel apps, active x installers,
etc but in vista since these are marked as requires admin it should prompt
me even when I am logged in as a standard user.

I was doing okay for short while with uac enabled but then had issues
accessing my usb drive. When I attempted access the files I recieved no
prompt and an access denied error, and windows exporer does not provide a
run as administrator to access files, so I grumble a bit and login as
administator, but guess what... thanks to the UAC split token my
administrator account is not really an administrator so when I attempt to
access the drive I again recieve an access denied error and no elevation
prompt. It took me a bit to discover that I had removed Everyone from the
ACL on my USB drive when I was using XP as I use it for backups and I didn't
want some application writing to it when I was logged in as a standard user,
had I realized that was the problem I could have changed the ACL via
elevation when logged in as my standard user but it brings up an interesting
question....

What exactly is the advantage (if you can call it that) of the split-token
except the ability to elevate by pressing continue instead of typing in
credentials, yea!, but at the expense of numerous application compatiblity
issues. Why UAC decided best practice is to create administrative accounts
that are actually standard user accounts with credential-less elevation is
beyond me, instead they should have created a third type of user Standard
User With Approved Admin group for credential-less elevation and leave the
administrator account alone! Correct me if I'm wrong but with UAC enabled
if I can't perform the task as a standard user then I won't be able to
perform the task as an administrator either! And so, if I need to login as
administrator I want every process I run to actually run as administrator
even when (especially when) the application is not marked as requiring
administrator privilages (if it was I could have performed the task via
elevation from my standard user account), as far as I know the only way to
do that is disable UAC because automatic elevation still requires the app to
be marked as requires admin or the use of run as administrator.

I thought the solution to this would be rather simple, just disable UAC.
However once I disabled UAC I found my standard user account no longer
prompts for credentials when I click run as administrator (just runs
normally as my standard user) and IE Protected mode no longer works! So my
question can I somehow login as the built-in adminstrator when I really want
and/or need a real administrator token due to some compatibility issue with
an app not marked as requires admin rather then disable UAC?

- Kurt

External Since: Nov 23, 2006 Posts: 310

I created a standard user account to use for my daily activities thinking I
could just use run as administrator when necessary. I was thinking that
this "best practice" might actually be more practical on Vista whereas on XP
its not possible to "run as..." on control panel apps, active x installers,
etc but in vista since these are marked as requires admin it should prompt
me even when I am logged in as a standard user.

I was doing okay for short while with uac enabled but then had issues
accessing my usb drive. When I attempted access the files I recieved no
prompt and an access denied error, and windows exporer does not provide a
run as administrator to access files, so I grumble a bit and login as
administator, but guess what... thanks to the UAC split token my
administrator account is not really an administrator so when I attempt to
access the drive I again recieve an access denied error and no elevation
prompt. It took me a bit to discover that I had removed Everyone from the
ACL on my USB drive when I was using XP as I use it for backups and I didn't
want some application writing to it when I was logged in as a standard user,
had I realized that was the problem I could have changed the ACL via
elevation when logged in as my standard user but it brings up an interesting
question....

What exactly is the advantage (if you can call it that) of the split-token
except the ability to elevate by pressing continue instead of typing in
credentials, yea!, but at the expense of numerous application compatiblity
issues. Why UAC decided best practice is to create administrative accounts
that are actually standard user accounts with credential-less elevation is
beyond me, instead they should have created a third type of user Standard
User With Approved Admin group for credential-less elevation and leave the
administrator account alone! Correct me if I'm wrong but with UAC enabled
if I can't perform the task as a standard user then I won't be able to
perform the task as an administrator either! And so, if I need to login as
administrator I want every process I run to actually run as administrator
even when (especially when) the application is not marked as requiring
administrator privilages (if it was I could have performed the task via
elevation from my standard user account), as far as I know the only way to
do that is disable UAC because automatic elevation still requires the app to
be marked as requires admin or the use of run as administrator.

I thought the solution to this would be rather simple, just disable UAC.
However once I disabled UAC I found my standard user account no longer
prompts for credentials when I click run as administrator (just runs
normally as my standard user) and IE Protected mode no longer works! So my
question can I somehow login as the built-in adminstrator when I really want
and/or need a real administrator token due to some compatibility issue with
an app not marked as requires admin rather then disable UAC?

- Kurt