how-to block ads
|
redwolfe_98
join:2001-06-11
 ·RoadRunner Cable
4 edits | reply to mededitor
Re: Limited User Account
mediator, i only know to set up a limited user account manually.. i don't know about "enabling the administrator account and then making your user account a limited user account"..
if you are going to use a limited user account, you might run into some problems with it, at first.. for example, i have to adjust some "permissions" for some folders so that i can modify files in them, or so that some programs will run the way that i want them to, in a limited user account.. you will learn as you go along..
which version of windows are you running? i am guessing that you are running win xp-pro.. i am running windows xpsp3-home and, in win xp-home, to adjust "permissions", i have to boot into "safe mode", then rightclick on a folder, click "properties", then the "security" tab, then "users", then adjust the permissions for "users"..
i learned about adjusting "permissions" from the "BOClean-support" webpage.. here is what it says about adjusting permissions for a particular "BOClean" folder:
"Cannot get BOClean to update on "limited user accounts"
This is strictly the result of restrictions which Microsoft has introduced over numerous "service packs" and bandaids for Win2000 and XP. The solution requires granting "modify and "write" permissions to the limited user(s) for the BOC426 BOClean folder. This will ONLY work with BOClean 4.25 or later ... This is how to modify the permissions to allow BOClean to be updated while a limited user is online:
First of all you need to be Logged in as an Administrator in Windows XP, this is CRITICAL! "Limited users" and Microsoft's failure to provide a single "common" point for file writes is the problem here. By MICROSOFT'S choice, "limited users" do NOT have the necessary permissions to update BOClean. THEIR choice, not ours! However, there IS a way around this!
Use the "search" feature to locate a FOLDER called BOC426. When you search, a number of "BOC426" items will likely appear, only ONE of them is a FOLDER. It SHOULD appear somewhere under an "All users" folder. Once the icon for BOC426's FOLDER appears in the search window, RIGHT click on the FOLDER icon and select "Properties." Can you SEE the security tab?
If you are running Windows XP PRO and cannot see the SECURITY tab, then you need to enable it which is done by going to Tools->Folder Options on most any open window. On the View tab click the Advanced Settings box; towards the bottom of the list that appears should be an entry "Use simple file sharing [Recommended]", you need to CLEAR the check box. You do NOT want to use simple file sharing. Click OK to close all the windows and follow the instructions above to alter the write permissions. All permissions are inherited from a master template, so doing this for just BOClean does NOT expose you to a security hazard, and in fact gives you FAR greater control over security by being able to make specific folders even more secure than Microsoft's "defaults." As Martha Stewart used to say, "this is a GOOD thing!" Any newly created items will still inherit the highly limited "limited user" settings regardless of this change.
If you're running XP HOME, Simple File Sharing is enforced by default and cannot be disabled. You must boot the computer into Safe Mode and log in with the Administrator account, in order to see the Security tab.
You need to alter the settings on this tab to change the permissions of the BOC426 folder, which should be self-explanatory (just click the box stating that you wish write permission and modify permission to be enabled for the SPECIFIC user(s) you are interested in).
Check the boxes marked "Write" and "Modify" for the BOC425 folder so that it can be updated by "limited users" or whoever happens to be online when an update is available. "Modify" should also enable "write" but if not, check that box as well. This change will ONLY affect the BOC426 folder wherein the BOC426.XVU update exists. No other folders will have their security settings changed. Once this is done, then any "limited user" will be able to collect BOClean updates and place the update where it's available to all.
NOTE: If you uninstall BOClean and RE-install BOClean, these special permissions will be wiped out by Windows. You will need to go back and provide these permissions again ANY time that the BOC426 folder is removed for whatever reason, and then restored should you have this problem. "Modify" and "write" permissions will not be available for updates or exclusions until those permissions exist in the "new" folder.
-end BOClean support
another tip is to run programs with "administrator" priviledges from within a limited user account.. to do that, rightclick on a program, or a program's shortcut, and select "run as".. then enter the account-name and password for whichever account you want the program to "run as", like if you wanted to run a program as an administrator, with administrator priviledges, from within your limited user account.. (or, you can use "run as" whenever you want to run a program as any particular user, which you might want to do, for various reasons)..
in order to use the "run as" feature, the "secondary login" service must be enabled, in windows' "services", which it normally is, by default, but, if you have disabled "secondary login", you will need to re-enable it, in windows' "services"..
you can tighten up your computer's security by using a "HOSTS" file, to block access to bad "websites"..i use a combination of HOSTS files, all merged together.. there are some HOSTS files listed in the sticky-post at the top of this forum, "security software updates"..
if you use "internet explorer", you could adjust the settings in it so that it is more secure.. in IE, for the "internet zone", i disable everything (except the popup-blocker).. then i add "trusted websites" to the "trusted websites" zone.. it is not a perfect solution (because "trusted websites" can be compromised, too), but it helps.. | |
mededitor
Premium
join:2004-07-04
Fair Lawn, NJ
·Optimum Online
| redwolfe, thanks for all of the information. I'm running WindowsXP-home(sp2).
For some reason I'm having problems switching my Administrator's set-up to a Limited User's set-up. I guess that's not entirely true, I [U]can[/U] do it by following Its a Secret's instructions, but then my Administrator account (which becomes the new account) reverts to all Window's (and Dell's) default settings. I was hoping to just mirror my current Windows set-up in two accounts, one Administrator account and one Limited User account.
I'm running BOClean (among other antivirus, antispyware, antiadware, and antimalware programs), so that information is helpful.
The only program that I'm concerned about regarding Limited User status is IE7. No one other than me uses this computer, so there is no one else to make any changes to any programs without my permission---and my computer is password protected so no one can "accidently" start it. I tried to right click on IE7 (and a few other program shortcuts), but I don't see the "Run as" option---I was curious to see if I could run it as a Limited User and leave everything else alone.
I updated some of my IE security settings based on your recommendations; I run it on medium-high, but I changed a lot of the "enable" settings to "disable" or "prompt."
I'll check the HOST files in the Security Software Updates. I'm not sure what they do, but if they'll help with Internet security, then that's a good thing.
Thanks for your help and suggestions.
--
When one door closes, another opens... | |
planet
join:2001-11-05
Olmsted Falls, OH
·Cox HSI
1 edit | said by mededitor :
I don't see the "Run as" option---I was curious to see if I could run it as a Limited User and leave everything else alone.
If you go to start>all programs>internet explorer and right click you should see the run as option. The desktop icon will not allow it.
Not sure why you'd want to run IE as an admin from a limited account though. Seems to defeat the purpose with all the nasties on the net. IE should run just fine w/o run as enabled from a limited user account.
If you want to add your IE favorites to a limited user IE browser, log into your admin account then go to start>my computer>local disk>documents and settings>current user and you'll see a star for IE's favorites. Just copy it to a floppy or cd or save it in the shared documents folder and then switch to your limited user account and follow the same path and paste it into the limited user's folder in documents and settings. All of your favorite sites will be there in that browser for you.
HTH 
edit: I see now what you were saying. You want to run IE from your admin account as a limited user. The run as feature is designed to be used by a limited user for admin priveleges, not vice-versa, sorry. | |
mededitor
Premium
join:2004-07-04
Fair Lawn, NJ
·Optimum Online
| said by planet  : said by mededitor :
I don't see the "Run as" option---I was curious to see if I could run it as a Limited User and leave everything else alone.
If you go to start>all programs>internet explorer and right click you should see the run as option. The desktop icon will not allow it. Not sure why you'd want to run IE as an admin from a limited account though. Seems to defeat the purpose with all the nasties on the net. IE should run just fine w/o run as enabled from a limited user account. If you want to add your IE favorites to a limited user IE browser, log into your admin account then go to start>my computer>local disk>documents and settings>current user and you'll see a star for IE's favorites. Just copy it to a floppy or cd or save it in the shared documents folder and then switch to your limited user account and follow the same path and paste it into the limited user's folder in documents and settings. All of your favorite sites will be there in that browser for you. HTH Sorry if I wasn't clear, I want to see if I can run IE as a Limited User while I am logged on to my computer as the Administrator; you're right, doing it the other way doesn't make any sense. IE is the only program that concerns me running with Administrator privileges, so I thought if I could change just IE to Limited User, that would resolve my concerns.
I tried to find "Run as" from the desktop icons, I'll try it again as you explained.
Thanks!
--
When one door closes, another opens... | |
planet
join:2001-11-05
Olmsted Falls, OH
1 edit | LOL, see my edit above. We both posted at the same time. | |
mededitor
Premium
join:2004-07-04
Fair Lawn, NJ
·Optimum Online
| said by planet :LOL, see my edit above. We both posted at the same time. Well, I guess I the expression "great minds think alike" is applicable! 
--
When one door closes, another opens... | |
OZO
Premium
join:2003-01-17
| reply to mededitor
said by mededitor :I want to see if I can run IE as a Limited User while I am logged on to my computer as the Administrator; Make a shortcut with the target:
psexec -l "C:\Program Files\Internet Explorer\iexplore.exe"
and run it when you need to run IE as limited user (strips the Administrators group and allows only privileges assigned to the Users group).
PsExec
--
Keep it simple, it'll become complex by itself... | |
therube
join:2004-11-11
Randallstown, MD
2 edits | reply to redwolfe_98
said by "redwolfe_98" :
to adjust "permissions", i have to boot into "safe mode", then rightclick on a folder, click "properties", then the "security" tab, then "users", then adjust the permissions for "users"..
I think that if you were to disable simple file sharing (in Folder Options), that would alleviate the need to reboot into Safe Mode. The Security tab should then be visible.
(See what "simple" does for you  .)
EDIT: I see that is mentioned in the BOClean quote.
(And that said, I don't know that I'll EVER understand Windows "permissions".)
"reduced rights" jogged a thought. A quick search turned up this, Drop My Rights. Now I know nothing about it, but ...
Greater detail on what OZO posted, Running as Limited User - the Easy Way. | |
-
|
