|
I was always wondering, where all this poorly designed software comes from that forces users to work with Admin privileges. I was sure that it is "just a relic from the Win3.1/Win9x days" and is eventually going to die out. However, that even today so many developers continue with the bad habit of doing everything as Admin ... Well, that's an anwser!
The NT security is quite complex, no question. It requires a lot of effort to understand and use it - and meanwhile it is a source of many subtle bugs. How often one finds code, which opens kernel objects using xxx_ALL privileges, where a simple READ, QUERY or SYNCHRONIZE would do it? Of course, such software does not work as a non-privileges user. However, as long as the software itself is developed, tested and debugged under Admin privileges, things won't improve
Which brings me to the tools thing. Besides ignorance, the second reason for developers not working under a non-privileged account is probably that it is too much of a hazzle. Cetain things we need to do during development just require Admin privileges. Things have become much simpler since Win2k, with RunAs and Windows XP's "Fast User Switching" at hand (the latter is unfortunately is disabled, if the machine is member of a domain). In the NT4 days, I developed a tool suite http://www.netexec.de) which provides similar and even better functionality for the same purpose. It provides, for instance, a feature to create additional desktops running as another user and instantly switch between them. Or an option, to run a process or desktop under your own non-privileged account, but with additional Admin privileges - without having to log off and on. However, I do not want to end up in advertising my software here. My message just is:
Today it is possible to develop and test software under a non-privileged account without having to give up productivity. So why don't do it? It would certainly improve the quality!
--
Daniel Lohmann
http://www.losoft.de
(Hey, this page is worth looking! You can find some free and handy NT tools there )
|
|
|
|
|
Even users on a corperate network are frequently admins on their local machine. I wonder what is the actual distribution/demographic of non-admin users? I know that most personal users are admins (whether they know it or not).
-Steve
|
|
|
|
|
no way ..
in a corporate environment, regular users are not local admins ..
we constantly struggle with software that expects then to be local admins or power users ..
do the world a favour - write your software so a non-privelidged user can use it.
metro
|
|
|
|
|
Oddly as I think about this question and the myriad of machines that I develop on, the only machines that I have an admin account on are my home machines and I don't do any development on them! At one of the banks that I work at, admin accounts are flagged as a security violation and applications needing such priveleges, require a security exemption that has to be renewed every year.
Chris Meech
I am Canadian. [heard in a local bar]
Remember that in Texas, Gun Control is hitting what you aim at. [Richard Stringer]
Nice sig! [Tim Deveaux on Matt Newman's sig with a quote from me]
|
|
|
|
|
It's okay to make your confession here
Norman Fung
|
|
|
|
|
Ok, fine. I don't do it because, like every other windows user, I can't be bothered and everything just works...
Tim Stubbs
|
|
|
|
|
I really don't know how to get all the stuff working under a non-administrator account
Tried it many times, but every time I end up changing my account to an administrative account again, because of the frustration...
WM.
What about weapons of mass-construction?
|
|
|
|
|
Try my useful resources post, just below[^].
Gavin Greig
"Haw, you're no deid," girned Charon. "Get aff ma boat or ah'll report ye."
Matthew Fitt - The Hoose O Haivers: The Twelve Trauchles O Heracles.
|
|
|
|
|
Hear, hear. Windows is not usable with a non admin account (as per my experience, when developping). What I am missing is a way of temporarily getting admin priviledges to do a quick task (like 'su root' you know, to change a setting, or to (un)install something...). Apart from that, I must admit that applications that do not run correctly under a user account are more and more rare these days.
I know about the 'RunAs' command, but it does not always work... Try to install MS Team Foundation Server beta 2 with it (from a user account) for example, and you'll understand what I mean.
|
|
|
|
|
I did some research and discovered that you can run a program with different credential using a simple setting in the shortcut for that program.
And yes I know that some programs can't be installed from the normal useraccount. That's where the admin account comes in. Log in using that account and install the program. After that, log in with your normal account and use 'RunAs' to use the tools
WM.
What about weapons of mass-construction?
|
|
|
|
|
Aaron Margosis' Non-Admin Blog[^]
Keith Brown's Wiki[^]
Developing Software in Visual Studio .NET with Non-Administrative Privileges[^]
I changed over to a non-Admin account about 18 months ago, and wouldn't go back. Almost any software that won't let you run as non-Admin is broken and it should be reported as a bug - of course there are some reasonable exceptions that genuinely need higher levels of privilege, but they're few and far between. Usually it's down to sloppy development. Don't be a sloppy developer!
Gavin Greig
"Haw, you're no deid," girned Charon. "Get aff ma boat or ah'll report ye."
Matthew Fitt - The Hoose O Haivers: The Twelve Trauchles O Heracles.
|
|
|
|
|
Some of my apps (web apps) cannot be tested if not run from a limited account (anonymous or authenticated user)
...Plug & Pray...
|
|
|
|
|
|
Well, I can not remember ever having a non admin account in windows. Even though I am the main windows developer in our department I also am the network admin so I am always logged in as an admin unless I am running linux where most of the time I log in as a normal user and then run su...
John
|
|
|
|
|
I write code as a limited user most of the time, but there are some tools (VB6, I'm looking at you) that don't support it. Mobile development is tricky, you have to set a lot of permissions correctly (both filesystem and registry) to get eVC 3.0 and 4.0 to work.
VS.NET 2003 is mostly OK but you need to be an administrator for the first connection with a new or cold-booted device. Otherwise deployment and debugging simply don't work.
Stability. What an interesting concept. -- Chris Maunder
|
|
|
|
|
... and if I have to, I prefer to use RunAs (Administrator), not login into administrative account.
|
|
|
|
|
Everybody "should" do this, if you unterstand what I mean.
Sometimes I dont forget it
Try this @ home. (B&B)
|
|
|
|
|
Same here (well, except at work, but that's our IT policy). I don't keep software that requires Admin privileges to run on my machine.
My programming blahblahblah blog. If you ever find anything useful here, please let me know to remove it.
|
|
|
|
|
Robert W. wrote:
... and if I have to, I prefer to use RunAs (Administrator), not login into administrative account
Interesting. I read a mention of RunAs in a magazine and looked online in hopes that I could download it. I found nothing and gave up for a while. A few years later, I found some other mentions of RunAs and found it was supposed to already be on my machine. I finally found documentation on it, in a section discussing commands that had no notion of multiple users or privelages (MS DOS commands). With RunAs so carefully hidden, I'm amazed that there are that many people who know about it.
Also, I still develope as administrator, partly because all my setting for developing software was there, and partly because RunAs turned out to be rather limited. There was, for instance, no easy way to use RunAs to run a .msi file.
Nathan Holt
|
|
|
|
|
>> and partly because RunAs turned out to be rather limited. There was, for instance, no easy way to use RunAs to run a .msi file.
If I want to RunAs .msi files (for example) I RunAs TotalCommander, and then run .msi files. It works
There is almost no limitation to RunAs
|
|
|
|
|
Alternatively, you can right-click on something before running it and select Run As... from the context menu. Sometimes you need to do Shift + right click, and some file types just don't have it (like MSI, as you pointed out).
On the whole, though, it's not that hard to get to. If there's a shortcut you want to run as admin a lot, you can even change the settings on the shortcut so that you don't need to right click.
Gavin Greig
"Haw, you're no deid," girned Charon. "Get aff ma boat or ah'll report ye."
Matthew Fitt - The Hoose O Haivers: The Twelve Trauchles O Heracles.
|
|
|
|
|
|
I voted this a 1 - after some hesitation - because I was disappointed to see a "big name" within CodeProject apparently supporting an approach to development I regard as a bit irresponsible. A lot of people develop as Admin, but it doesn't make it the right thing to do.
Sorry Marc, I feel bad doing it, especially as I can see that isn't the only possible interpretation of your post.
Gavin Greig
"Haw, you're no deid," girned Charon. "Get aff ma boat or ah'll report ye."
Matthew Fitt - The Hoose O Haivers: The Twelve Trauchles O Heracles.
|
|
|
|
|
And I voted your post a 5 - not because I agree with you voting Marc 1 (actually, I admire his honesty), but because you have the courage to publicly explain your low voting.
My programming blahblahblah blog. If you ever find anything useful here, please let me know to remove it.
|
|
|
|
|
Nemanja Trifunovic wrote:
I admire his honesty
I second that - and thanks for the 5. It's the first time I've given someone a 1, but I know how much it annoys people when it's not explained.
Gavin Greig
"Haw, you're no deid," girned Charon. "Get aff ma boat or ah'll report ye."
Matthew Fitt - The Hoose O Haivers: The Twelve Trauchles O Heracles.
|
|
|
|