  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
Host: /dev/null Broadband Tweaks Suddenlink ISDN Fiber Optic
4 edits | Automatic Updates as a Limited User
Here are a few references: »Catch-22 Limited Account vs. Auto Updtes »auto updates and limited user
It is possible! However, this guide is geared towards 2000/XP Pro because a certain group policy setting has to be enabled. XP Home users will have to import this registry entry. XP Home users cannot use the builtin Administrator account except in Safe Mode.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ElevateNonAdmins"=dword:00000001
Prerequisites:
- Windows Update V6
- One of the following:
  - XP SP2
  - XP SP1
  - 2000 SP4

Setup:
- XP Pro SP2
- Windows Update V6
- Logged into an account under the Users group
Here's a shot of Add/Remove of XP Pro without any updates other than Service Pack 2:

First of all, as an administrator, you need to enable Automatic Updates. For my purposes, I chose the option to "Notify me but don't automatically download or install them." You can use whatever option you wish, the fully automated and scheduled install will also work.
The easiest way in your limited account to enable Automatic Updates without logging off into an admin account is to go into the Control Panel, hold Shift, right-click on Automatic Updates and choose RunAs. You'll need to run it as an account with admin privileges. Using an admin account without a password will not work!

Next, you need to open the Group Policy editor as an administrator. Alternatively, you may import the ElevateNonAdmins registry entry as admin and skip the group policy editor.
runas /user:Administrator cmd (press enter)
(enter admin password then press enter)
gpedit.msc (press enter)
Browse to the following: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. In the right pane, open "Allow non-administrators to receive update notifications," and set its property to Enabled. Apply and exit the Group Policy Editor.
Windows 2000 users will have to right-click Administrative Templates, and choose to add a template. Click "Add" and add wuau.adm.
XP Home users will have to, as admin, import the registry entry for ElevateNonAdmins.

You may need to log off to get the process going, or you may not have anything to update at all. Rebooting is not required!

Select updates to download:

Updates begin to download:

After updates are finished downloading, I selected Custom. I was going to pick all the updates anyway, but just wanted to see the list:



Updates are installing:

This is just to assure you that I am still running as a limited user, with wuauclt.exe running as SYSTEM and my account.

Updates are done! All installed successfully. Time to reboot.

After rebooting, all the updates appear in Add/Remove. For extra assurance, one update (in this case MS05-039) is shown to have properly been installed:


As you may or may not know, you won't be able to install new versions of programs this way. Say you decide to install WMP 10 or a new version of DirectX, you can always go to »www.microsoft.com and download the setup. Use RunAs to install, and you are still saved a trip from *logging out, logging into admin, running Windows Update*.
Some might argue that strictly only the administrator account needs to update Windows. For home users, this will be VERY helpful for non-admin users. Not all IT staffs may find this suitable where a large number of the users are non-admin and stripped to the bone of their account rights (especially schools). |
|
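An added example, not part of the original post: the ElevateNonAdmins step done with reg.exe instead of importing a .reg file, followed by a check that the value is set and that the Automatic Updates service is running. The service name wuauserv is an assumption in the sense that the post does not name it; the registry key and value are the ones from the post.

```batch
@echo off
rem Added example, not from the original post. Run from a command prompt
rem started as an administrator (runas /user:Administrator cmd).
setlocal
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
set "VAL=ElevateNonAdmins"

rem Read the current data. The third token on the matching output line is
rem the data (for example 0x1); CUR stays empty if the value is missing.
set "CUR="
for /f "tokens=3" %%A in ('reg query "%KEY%" /v %VAL% 2^>nul ^| findstr /i "%VAL%"') do set "CUR=%%A"

if /i "%CUR%"=="0x1" goto :verify

echo %VAL% is not enabled, current data: "%CUR%". Setting it to 1.
reg add "%KEY%" /v %VAL% /t REG_DWORD /d 1 /f >nul
if errorlevel 1 (
    echo Could not write the policy value. Is this prompt running as admin?
    exit /b 1
)

:verify
rem Show the value as stored so the result can be confirmed by eye.
reg query "%KEY%" /v %VAL%

rem Update notifications come from the Automatic Updates service, so
rem confirm it is running. wuauserv is the service name (not in the post).
sc query wuauserv | findstr /i "RUNNING" >nul
if errorlevel 1 (
    echo Automatic Updates service is not running.
    exit /b 2
)
echo Automatic Updates service is running.
endlocal
```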
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
·BTOpenworld
| So now there are no excuses not to run as limited user, ok there are some but overall.
A great post and a great workaround. Good stuff!
Cudni -- What is now proved was once only imagined.Help yourself so God can help you |
|
  toadlife Premium join:2004-05-03 Coalinga, CA
·AT&T Yahoo
1 edit | reply to redxii
said by redxii: XP Home users cannot use the builtin Administrator account except in Safe Mode.
Excellent post, but I think the above *might* be wrong. If you press Ctrl+Alt+Del twice at the logon screen, the classic logon screen will come up and you can log in as administrator.
This works in XP pro, and it might very well work in XP home too. Can someone here with XP Home tell me if it works or try it out with XP Home? |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
Host: /dev/null Broadband Tweaks Suddenlink ISDN Fiber Optic
| said by toadlife: This works in XP pro, and it might very well work in XP home too. Can someone here with XP Home tell me if it works try it out with XP Home?
Having used Home, and having tried it, I am correct in that you cannot do it that way either. It says something about being restricted. I can't give a verbatim error message since I use XP Pro now.
-- "If you like linux then use it otherwise stop preaching about linux we all already know about it and if we like it we'll use it. If you keep pestering people you look like those annoying Jehovah's witnesses... [..] with nothing better to do." |
|
  toadlife Premium join:2004-05-03 Coalinga, CA | reply to redxii Ok. Good to know. I've had very little experience with XP Home - only Pro. |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire | reply to toadlife No, pressing Ctrl+Alt+Del twice will not work in XP Home as it does in XP Pro. That admin account can only be accessed in SafeMode.
Cudni -- What is now proved was once only imagined.Help yourself so God can help you |
|
  toadlife Premium join:2004-05-03 Coalinga, CA
·AT&T Yahoo
| The solution to that would be to simply create a second admin account in XP home. There are some things that you just can't do using runas...changing your network connection settings (try and change your IP address using runas) is one of them. |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
Host: /dev/null Broadband Tweaks Suddenlink ISDN Fiber Optic
1 edit | said by toadlife: changing your network connection settings (try and change your IP address using runas) is one of them.
I launch a command prompt as admin, then type "control panel". Voila, a control panel where everything will run as admin, including Network Connections.
Yeah, XP Home users will have to create an admin user. -- "If you like linux then use it otherwise stop preaching about linux we all already know about it and if we like it we'll use it. If you keep pestering people you look like those annoying Jehovah's witnesses... [..] with nothing better to do." |
|
  Tuulilapsi Kenosis
join:2002-07-29 Finland
| reply to redxii This is a good thread. Instead of concentrating on what anti-malware detects this and that, I think it would be much more worthwhile for everyone to pay more attention to the concept of least privilege. I do my Linux and Windows work as a regular user, and have had little trouble with the practice, even though I also occasionally play games on both platforms - and I don't mean Solitaire. I'm sorry, folks, but I can't resist spamming this thread with a link to this very good Windows non-admin wiki: »nonadmin.editme.com/
-- And lead me not into temptation - for I can find my way there myself easily enough. |
|
  toadlife Premium join:2004-05-03 Coalinga, CA
·AT&T Yahoo
| reply to redxii
said by redxii:
  said by toadlife: changing your network connection settings (try and change your IP address using runas) is one of them.
  I launch a command prompt as admin, then type "control panel". Voila, a control panel where everything will run as admin, including Network Connections.
  Yeah, XP Home users will have to create an admin user.
Oh crap! I didn't know there was a command to launch control panel from the command line.
-- "With other distros when you have problems they are problems with Redhat or with SuSE or with Lindows. But if you have problems with Gentoo you have problems with Linux. That's because with Gentoo you have returned to the source."-Some Gentoo Fanboy |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
Host: /dev/null Broadband Tweaks Suddenlink ISDN Fiber Optic
| Here's that error Home Edition will give, if anyone is interested.
If I do so happen to find a way around it without using Safe Mode, I'll be sure to post it but it isn't of much priority. |
|
  toadlife Premium join:2004-05-03 Coalinga, CA | I have a feeling this might be fixable by tweaking some local security policy option.
I don't have an XP Home CD available to me...just pro, so I can't investigate. |
|
  novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
| reply to Cudni Still one reason to run as admin: programs that use Program Files to store settings in plain text. But I have an idea for that if someone is willing to test. What you will need is a FAT32 partition or drive; put Program Files on it and change the path to point there. Now if I'm right, just like restore partitions on FAT32, they should be able to write to the dir just fine.
-- DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel. Open source DNS server for *nix and Windows: »powerdns.com |
|
  toadlife Premium join:2004-05-03 Coalinga, CA | Can you not edit file permission in XP Home? Why not just edit the ntfs permissions of the offending program so you can use it as a non-admin? |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
Host: /dev/null Broadband Tweaks Suddenlink ISDN Fiber Optic
3 edits | said by toadlife: Can you not edit file permission in XP Home?
Yes, you can. But not with the GUI.
Run command prompt as admin, and use the cacls command to change permissions. You need admin for cacls if you are changing permissions on files/folders that you don't have the ability to change ACLs.
Example, I want to give Users full access to C:\Program Files\mIRC:
cacls "C:\Program Files\mIRC" /e /t /p Users:F
"Users:F" -> <group name or account>:<permission> where permission is (N)one, (R)ead, (W)rite, (C)hange (write), and (F)ull Control
Well, just type cacls in a command prompt and see the syntax for yourself. Definitely not user friendly for Home users (but you get to look l33t using the command line).
Hint: Instead of using Program Files, create a subdirectory in the root of the drive (limited users can do this). Create it as your limited user, and you have full control over that folder and all subfolders and files in that folder. That way, such things can be avoided unless you really want to use Program Files.
On this subject of FAT32, let's keep it ended here: »Re: for those who say "get a mac if you want secur -- "If you like linux then use it otherwise stop preaching about linux we all already know about it and if we like it we'll use it. If you keep pestering people you look like those annoying Jehovah's witnesses... [..] with nothing better to do." |
|
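An added example, not part of the thread: a narrower variant of the cacls grant in the post above. Users:F on the whole folder also lets limited accounts replace the program's executables, so this script grants Change on a single settings file and then lists any .exe or .dll in the folder that the Users group can still modify. The file name mirc.ini is an assumption, and the group name match assumes an English-language Windows install.

```batch
@echo off
rem Added example, not from the thread. Run from an admin command prompt.
rem APPDIR is the folder used in the post; SETTINGS is an assumed file name.
setlocal
set "APPDIR=C:\Program Files\mIRC"
set "SETTINGS=mirc.ini"

if not exist "%APPDIR%\%SETTINGS%" (
    echo "%APPDIR%\%SETTINGS%" not found, nothing changed.
    exit /b 1
)

rem Grant Users Change on the one file the program writes to.
rem /e edits the existing ACL instead of replacing it, /p sets Users' entry.
cacls "%APPDIR%\%SETTINGS%" /e /p Users:C >nul

rem Confirm the grant by reading the ACL back rather than trusting the
rem exit code. The leading backslash keeps "Power Users" from matching.
cacls "%APPDIR%\%SETTINGS%" | findstr /i /r /c:"\\Users:C" >nul
if errorlevel 1 (
    echo Grant on %SETTINGS% did not take effect.
    exit /b 1
)
echo Users now have Change on %SETTINGS% only.

rem Audit: flag executables and DLLs in the tree that Users can modify,
rem for example after an earlier recursive Users:F grant.
set "FOUND=0"
for /r "%APPDIR%" %%F in (*.exe *.dll) do (
    cacls "%%F" | findstr /i /r /c:"\\Users:[FC]" >nul && (
        echo WRITABLE BY USERS: %%F
        set "FOUND=1"
    )
)
if "%FOUND%"=="0" echo No executable under "%APPDIR%" is writable by Users.
endlocal
```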
  toadlife Premium join:2004-05-03 Coalinga, CA
·AT&T Yahoo
| said by redxii:
  said by toadlife: Can you not edit file permission in XP Home?
  Yes, you can. But not with the GUI.
That blows. Microsoft should not have crippled XP home so much.
-- "With other distros when you have problems they are problems with Redhat or with SuSE or with Lindows. But if you have problems with Gentoo you have problems with Linux. That's because with Gentoo you have returned to the source."-Some Gentoo Fanboy |
|
  Tuulilapsi Kenosis
join:2002-07-29 Finland
| reply to redxii Well, actually, that's not correct. You can edit file permissions in XP Home, with the Explorer GUI, but you can only do so in Safe Mode. Which is, of course, retarded, but better than using the command line tool, in my opinion, since it's notorious for mucking up permissions. -- And lead me not into temptation - for I can find my way there myself easily enough. |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
Host: /dev/null Broadband Tweaks Suddenlink ISDN Fiber Optic
1 edit | I forgot about Safe Mode.
That is still horrible, why would anyone reboot into Safe Mode just to click on one checkbox? The command I use hasn't mucked mine up and has always given me desired results. That is what "/e /t /p" is for.
cacls "C:\Program Files\mIRC" /e /t /p Users:F |
|
  Tuulilapsi Kenosis
join:2002-07-29 Finland
| Indeed, it is horrible, and kind of makes you wonder why MS even bothered to give us limited user accounts in XP Home, when they seem to have made every effort to make them as difficult as possible to operate. -- And lead me not into temptation - for I can find my way there myself easily enough. |
|
  gracie Geek Goddess Premium join:2003-07-15 confusion
| said by Tuulilapsi: kind of makes you wonder why MS even bothered to give us limited user accounts in XP Home, when they seem to have made every effort to make them as difficult as possible to operate.
first off, fabulous article in the original post; thanx.
second, xp home is a blight and a stupid concept, imho. ms should have made all xp's pro and strongly encouraged (and documented the instructions for) running as user for everyday tasks. xp home is NOT easier or more user friendly---users not needing the advanced features of xp pro can just not use them in most cases.
that said, since many of the noobs i support are indeed using xp home, every tip on making it more usable is so welcome! i'll never forget my first "friend's new computer with xp home" setup as i tried desperately to figure out how to get into the built-in admin account to rename and put a password on it (dell ships 'em with a blank password); the old CAD twice definitely doesn't work in xp home.
a quick edit of policies to use the classic login and require CAD to login makes short work of that stupid welcome screen.
i hope longhorn will incorporate the best of xp pro and lose the stupid xp home restrictions, making them optional for those wanting a leaner and less-featured setup.
-- graciella! "not tonight dear, I have DSL." Creating SuperOrganizations Worldwide Creating & Hosting SuperSites Worldwide |
|