Microsoft Employees May Lose Admin Rights
daria42 writes "As Microsoft moves its internal desktop systems to Windows Vista, the company is contemplating whether to change a long running tradition and take away admin rights from its employees in order to improve security." From the article: "'We haven't made that final determination yet. We would like to absolutely look at scenarios where we can look at elements of User Access Control -- that is the feature in Vista -- so that we can start moving in that direction ... It is a tough balance and every company has to decide what is right for them,' said Estberg. However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees."
they'll probably just install linux instead :-O
From TFA: No wonder:
- and -
Maybe if M$ developers were forced to run as non-privileged users once in a while, they'd realize that there's a lot of problems with trying to get through the day on a non-admin account. With any luck, this will spur them to design a better way of handling applications that fail due to insufficient privileges, as well as get tough on application developers who sloppily code their apps to demand admin rights.
Again from TFA: I'd hardly call an environment where users have full admin rights to their systems an adequate test-bed.
Once more from TFA: Saying that Microsoft is 'not smarter than any other enterprise in terms of knowing how to address security', while technically true, is deeply misleading. Any company that purports to "eat its own dog food", but performs their testing with full admin rights to the box clearly has a dangerous lack of understanding of security...a lack that we all pay the price for every day.
____
~ |rip/\/\aster /\/\onkey
Now maybe Media Player will work properly on non-admin machines, or do they all use winamp?
An Education is the Font of All Liberty
Who better to test and actually use the "User Access Control" than Microsoft's own employees?
Clearly, they weren't "trying out" the Limited User accounts when Windows XP was in its infancy. Otherwise, it might actually be useful to us today.
"Eat your own dog food".
If Microsoft's access rights model isn't good enough for their own purposes, it isn't good enough for the rest of the world either.
If they were truly confident that it works as they claim it does, they should have had their employees in a more secure and restricted environment years ago.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
I don't see why this is a big deal. Average desktop users should not have admin rights -- no?
boxlight
would be if they'd remove admin rights from friggin Outlook
Nothing great was ever achieved without enthusiasm
Yes, having the employees run as 'regular' users would be a terrific idea. All the problems that limited user accounts have now would be encountered by those with the most ability to fix them.
Currently, the majority of Microsoft's employees enjoy full admin rights on their desktop PCs, which is an unusual practice in the enterprise space ...
An unusual practice? Where? Most places I know have their users running as admin, because there is still software around that won't function properly if it's not run that way.
If Microsoft forces its employees to run as non-admin users, I think it's a good thing, because maybe it will lessen the amount of crap software that's designed with the assumption that it's going to be run that way.
Unfortunately, that doesn't help the situation with the tons of legacy apps that assume this, and it only takes one important legacy app in a corporate environment to hose the entire security model of non-admin users.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
It happened to me when I mistakenly typed "su" instead of "du".
With a huge percentage of the people being developers, these people need full control over their system.
I don't see how they can even implement this scheme.
Maybe they can take the admin rights from their managers' computers.
I wonder what made them think about it in the first place... too much Banzai Buddy?
"By the same logic, if he has no good reason for what he says, he is just making noise and we need pay him no attention.
Compare and contrast this approach with Sun. Employees in Sun are all equipped with Javacards which they can insert into a Sun Ray appliance anywhere on the Sun network. AFAIK, only the staff responsible for administering their Sun Ray network have sysadmin credentials within the environment: all other users get a set of applications which are deployed to the user, with no ability to install anything else. And it works - a user can walk out of an office in GB, fly to the USA and plug in their Javacard, resuming their session exactly where it was.
The similarity with Microsoft is that the employees had to cope with some pretty dreadful software a few years ago. Disgruntled colleagues are always a rather special spur to developers, and the Sun Ray technology is now tip top. Perhaps the same will happen to Microsoft.
Would this mean that if they switch MS employees to Vista with only user rights, that Vista would be delayed yet another couple of years while they work out the bugs? If it doesn't work for MS employees, it can't possibly work well for anyone else. Surely, they have to make sure it works since it's part of securing the system. Right?
Support NYCountryLawyer RIAA vs People
They will need to go to the administrators...Aha! No more firefox and opera from M$ campus.
There is a spark in every single flame bait point.
In a sense, it's nice for those working there because I've seen myself how limited one can get in certain situations without some non-standard rights, but from the IT department's point of view, ubiquitous amateur administrators are a real nightmare.
I predict that by this time next year, we will be hearing that Microsoft has started using DeepFreeze or similar to "lock down their systems". =)
Shiny. Let's be bad guys.
I doubt they could leave if they didn't like the new rules. I'm sure they had to sign a non-competition agreement so they can't work for another computer/software/network/blah/blah/blah company for the rest of their natural life. It will be interesting to see what comes of this.
It's not uncommon for Linux users (even developers) to use user accounts, because it's very easy to su any administrator tasks. So, maybe Vista will fit this model better, and having developers using user accounts won't be all that ridiculous...
ZuluPad, the wiki notepad on crack
Not only does Microsoft not restrict their own users to unprivileged accounts, but their Director of Internal Security has no qualms about stating that in an interview for the press?
Advertising soft-chewy insides is for candy companies, not computer security experts.
Edith Keeler Must Die
If Microsoft can't implement this for their own employees, any CTO looking at Vista would be foolish to think that he could in his company.
Others have given the example of XP, and so true.
If you have to manage Vista the same way you manage XP, that is one less reason to upgrade, and another reason to look at alternatives.
Look at Novell with their internal deployment of Suse. They've had to suffer for a while, but slowly they are starting to show it can be done, and have gained a bunch of knowledge doing so. Novell customers may actually believe them when they suggest they can deploy Suse for some systems instead of Windows. Who believes you can run Windows without administrative rights?
Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
Hell, make them work in monitors the size the average office supplies -- 15" or 17" where I work.
I'm so damn tired of apps that open big windows needlessly in the middle of the screen (MSWord's 'find' for example) covering whatever it is you wanted to actually operate on -- because some programmer had a 29" monitor -- or two -- to work in and never thought about fitting stuff into a real user's working screen.
Open find. Drag stupid window off the text area. Find. Damn, window moved back to the middle. Lather, rinse, repeat.
Sure, the IT department could supply larger monitors. But those are commodities and they're saving their budget for bells and whistles to impress top management.
Windows Media Player 11 *doesn't* need admin rights, hopefully in preparation for Vista.
At least one application has got the idea, even if it is from the company behind the OS.
How many people can read hex if only you and dead people can read hex?
what's a "huge percentage"? when you consider the $hit that the marketdroids put on their machines, and the massive number of them that MS must have, this is a good testbed. The number of actual software devs in the MS org must be surprisingly low...
Just so you know, not all of these programs need admin rights to run; they need certain privs on certain folders (usually either write or modify to their program directory).
Are you sure on Windows Media Player? I'm able to run it at work without admin rights. I can rip MP3's with it as well.
It matters to anyone who was hoping for useful limited user accounts in Vista, because if they have to use them then there's a chance that they'll actually work.
Plus as others have noted, the Windows security "model", is less like Jessica Alba and more like Herman Munster. The choice has always been, do we delay the next release, or do we clean up all the security misfeatures, rough edges, questionable defaults? Ballmer always says "Ship it".
They support a few more than 100,000 desktops :)
They make Slashdot every now and then too.
Blar.
I work for a very large multinational company (as an administrator but not handling employee user-rights). By default all (windows using) employees have user rights only. Everyone is allowed to apply for Local admin rights if they really need them (e.g. want to install special software not provided by help desk). I think this system works great as those that most likely do something stupid with their computer are the ones who don't care if they have full access or not. Those that apply for admin rights usually know something about the computers and how to handle them.
If Microsoft doesn't think Vista's user accounts are usable how did it end up as one of the top features of the whole product :P?
The actual fact they are thinking whether to use it or not fills me with doubt. And I really thought they had it right this time (honestly).
We are so excited to be totally looking at how to go forward with this?
What about your filing technique? Is it unstoppable?
Yeah, I was about to post a similar thing. I've run WMP perfectly fine without admin rights; then again, it was version 8 or something like that.
Virtual Machines (e.g. Xen) can allow companies to have strictly controlled (e.g. no admin rights) corporate work environments while allowing considerable freedom for developers and personal apps, files, etc.
Imagine a world where you would have a host OS which is a company-standard image. No admin/su rights for the user, no weird apps, no spyware, etc. Guest OS images are used for development and personal stuff:
* There can be a strictly controlled corporate standard OS image, app set, etc. Access to the corporate network (VPNs, direct ethernet, etc.) can be restricted to only allow connections to this OS instance.
* Development can be done in sandboxes that restrict the fallout from any damage. Network connections (and mounted disk images) can be restricted to a subset of the corporate network.
* Folks can install their own junkware on a guest OS image. This partition can be proxied out to the internet (no visibility to the intranet), allowing instant messaging, etc., without putting internal systems at risk. This image would only have access to a single disk partition (which wouldn't be visible to any other image), and would have essentially no access to internal corporate resources.
If done right, the corporate image would be automatically and securely connected to the corporate infrastructure even when connected to an unsecure network. The personal image would be connected to the internet, even when running on the corporate intranet, and development sandboxes would be further restricted to a development network.
All the stuff that's needed to make this works exists today. If Microsoft insisted its own staff worked within such constraints, it would be seamless for the rest of us as well.
How will they install Firefox then?
Here's a partial list of programs that require admin rights to run (not merely install): ........
PowerDVD
Can't attest to any of the other examples you listed (I don't use WMP, and haven't installed any of the others), but I can attest that I use PowerDVD on my limited-privileges account just fine, thank you.
Look at the tomato! Isn't it sad? He can't dance! Poor tomato!
I agree that personal computing enabled everyone to benefit from cheap, ubiquitous computing power, which the mainframes of the day couldn't provide.
Of course, this was back before anyone realised total cost of ownership was far greater than the purchase price of the machine. And viruses and worms hadn't been invented, and you needed to be a guru to change the machine configuration, and they only ran a single application at one time, and we weren't connected to a vast global network filled with script kiddies and criminal hackers.
We aren't really going back to a central processing model. We are trying to regain some of the management and security benefits the old central processing model had by default and that general purpose networked personal computers can only acquire with a lot of hard work.
Frankly, for what most people use their PCs for at work, and given the ubiquitous network, it would be far cheaper for many enterprises to run thin client diskless workstations and actually return to a central processing model, if we hadn't already bought so heavily into the current model.
...if MS ended up releasing a product that would only run properly with the right spyware programs installed.
PCs have always been about having a bit of computing power under the user's control, which can be molded to projects that the MIS team are too busy/sleepy/detached/uppity to implement on big iron. That is the heart of personal computing in the workplace, and it has much less to do with a specific OS's philosophy than with a workplace's need for flexibility and initiative.
So I question whether Microsoft can take admin rights away from their workers and still claim to be in the PC business.
If in my college years, when I was working for different companies (as support/admin), they had that feature, I maybe wouldn't have become such a windows hater and concentrate only on unix-like systems.
...
....
....
... just a flashback from my early years of computer support :) and I am not doing anything with customer machines anymore ..... but still, I feel it is a problem ...
....
But then again, it is not enough to take away the admin rights from users completely, you will need a decent way of remotely administering those damn machines.
Before people start trolling on me: yes, you can take away admin rights in 2000/XP (to a certain level) and there are remote tools......
Admin rights should completely go away, the user should not have right to install, modify, not even change the screensaver dammit. And not run programs at all, only from a secure pool of programs.
That includes "i-know-it-all" managers, who tend to fsck everything up, because they know it so-well they are playing in the registry, and deleting folders/etc
Now on the remote tool: the nightmare of a support/admin person is a multi-level building, where you keep going for all those machines, instead of ssh-ing into them and fixing/installing remotely
Not because they are easy, but they are computer people and not PR monkeys and are probably sick of interacting with all the workers of the companies, who probably do not wash their hands after peeing, and then you have to go and touch 100 keyboards in 100 rooms
Oh well
Ohh, and that's why you have to wear the suit and not cargo pants and something that actually keeps you warm in the server room, or climbing on that roof yagi in the european winter to spot the balloons 5kms away on the rooftop with the compass and the binocular, to re-align the connection
I run Kodak Share on about 40 of our Windows boxes, none of them have admin rights.
I run AutoCAD on all of our Engineer's windows boxes (about 25), only one has admin rights.
I run PowerDVD on over 1,000 windows boxes, less than 20 have admin rights.
I run Windows Media Player on every machine we have, around 1,5000, and only a few have admin rights.
And these machines run the software as well as you can expect windows to work.
Autocad does not "need" admin rights to run, but that surely is the easiest way to make it run. Or you could just correct the permissions on the system hive and import that at login.
There are a couple of folders that need write access as well. All in all, autocad is not nearly as bad as some custom apps out there. (shudder)
Programs that need administrative rights out the box have become more scarce recently (good thing).
I can imagine the msoft managers talk from here: "look, we improved the security model so much you do no need to giv'em admin (cringes from the poor techies)". It's kind of revealing to learn that even msoft people were requiring admin rights. Talk about eating your own medicine. nuff said.
[Pruneau
A lot of times it requires registry permissions tweaks as well. Filemon/regmon are invaluable for that task.
A few of those (Oracle I'm looking at you) are so bad that I've gone so far as to chuck their installer completely and replace it with one of my own that sets appropriate permissions.
Even that's a band-aid, though. Programs really shouldn't be trying to store per-user data in a system-wide program folder. Not even counting the potential security hole, it's a pain if users can't change settings without affecting other users of the same computer.
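The Filemon/Regmon workflow described in the comment above, sketched as an added example that is not part of any poster's comment: it reads a monitor trace exported as CSV, keeps the ACCESS DENIED rows for one process, and lists the folders and registry keys where a narrow permission grant would be needed instead of admin rights. The column names are modelled on Process Monitor's CSV export (an assumption); the sample rows, the `legacyapp.exe` name and the all-zero CLSID are constructed.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample trace. Column names are modelled on Process Monitor's
# CSV export; the rows and the application name are invented for illustration.
SAMPLE_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:14:01.102","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"09:14:01.110","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\cache\index.dat","ACCESS DENIED","Desired Access: Generic Read/Write"
"09:14:01.115","legacyapp.exe","4120","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"09:14:01.140","legacyapp.exe","4120","RegSetValue","HKLM\SOFTWARE\LegacyApp\LastUser","ACCESS DENIED","Type: REG_SZ"
"09:14:01.151","legacyapp.exe","4120","RegCreateKey","HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}","ACCESS DENIED","Desired Access: All Access"
"09:14:01.160","legacyapp.exe","4120","RegOpenKey","HKCU\Software\LegacyApp","SUCCESS","Desired Access: Read"
"09:14:01.200","explorer.exe","1188","CreateFile","C:\Windows\Temp\x.tmp","ACCESS DENIED","Desired Access: Generic Write"
'''

# Registry operations whose Path ends in a value name rather than a key.
VALUE_OPS = {"RegSetValue", "RegDeleteValue", "RegQueryValue"}

# Locations shared by every user of the machine. A denial here means the
# program is writing per-user or runtime data into a system-wide place.
SYSTEM_WIDE_PREFIXES = ("c:\\program files", "c:\\windows", "hklm\\")


def grant_target(operation, path):
    """Return the folder or registry key an ACL change would apply to."""
    if operation.startswith("Reg") and operation not in VALUE_OPS:
        return path                 # the path already names the key
    return ntpath.dirname(path)     # strip the file name or value name


def is_system_wide(target):
    return target.lower().startswith(SYSTEM_WIDE_PREFIXES)


def denied_targets(trace_text, process_name):
    """Map each denied folder/key to its operations and denial count."""
    targets = defaultdict(lambda: {"operations": set(), "count": 0})
    for row in csv.DictReader(io.StringIO(trace_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        entry = targets[grant_target(row["Operation"], row["Path"])]
        entry["operations"].add(row["Operation"])
        entry["count"] += 1
    return dict(targets)


def report(trace_text, process_name):
    """One line per location, sorted, for the person packaging the install."""
    lines = []
    for target, info in sorted(denied_targets(trace_text, process_name).items()):
        scope = "system-wide" if is_system_wide(target) else "per-user"
        ops = ", ".join(sorted(info["operations"]))
        lines.append(f"{target} [{scope}] {info['count']} denied: {ops}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_TRACE, "legacyapp.exe"):
        print(line)
```

Every location the sample reports is system-wide, which is the pattern the comment calls a band-aid to fix with permissions: each grant there is shared by all users of the machine.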
I used to work nights as a Photoshop guy at a color pre-press shop in the burbs of Chicago. They had an SGI server running IRIX and the people that ran it were two guys that knew a little about computers. One used to be in the sales department, and the other guy's dad got him his job there straight out of high school. Neither one had any formal training in IT or even a basic computer course...let alone Unix security. To be fair, I wasn't a computer expert either, but I read a lot and knew a few things...but hardly an IT professional.
Anyway, when I first started there, I offered my help at night since they weren't there and sometimes it got slow in my department. They declined with an attitude of like "pfft....yeah, we're fine guy, just go away". So I did, and I didn't want to ruffle any feathers as I had just started there. But what I DID notice is that everything they did on the server they did in root mode. All the terminals were in root, all the back-ups they did were in root and even just normal maintenance was all done with root! Now, I thought that was basic 101 computer security and SAFETY not to do everything in root. Plus, none of the terminals were locked away in a room...anyone could walk up to any terminal and just start typing away, from the CEO to the janitor. I pointed out this very basic breach of security and again got the attitude of "we know what we're doing, go back to Photoshop"...so I did and kept my mouth shut.
Well, to make a long story longer, they had the whole system hacked into, a guy set up a spam-bot network using their equipment and T1 line....but did they lose their jobs? No, not at all...they actually got promoted later on, but it was pretty funny at the time.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Thinking about this logically, admin rights should only be given when necessary. If they aren't needed, there is no problem with taking them away, and if they have set up their system environment properly, the employees won't miss it at all. Employees that do need some special privilege can be given limited access (kind of like sudo, etc).
I suspect one of the other big reasons for this is it's cheaper to do a bare-bones re-install when the Windows box goes teets up than to have an admin action every user need that is required on a box where the user is actually treated as a user.
Imagine how many real-life admins you might need to handle the hour to hour needs of a company where access rights in Windows were restricted.
This of course applies to no company that does NOT run Windows. Almost any other company would be able to handle that easily.
Talk about hidden costs.
Luck favors the prepared, darling.
We usually package up the install and throw a 'cacls' call at the end of it when necessary :). Programs with registry tweaks are far less common than they used to be; most programmers are learning that App Data exists for a reason...
We aren't really going back to a central processing model. We are trying to regain some of the management and security benefits the old central processing model had by default and that general purpose networked personal computers can only acquire with a lot of hard work.
This is true, but only to a point. It is not just that the individual configuration model is inherently insecure, it is that the market has not been able to demand more security in the default configuration and with easier, more understandable security features. Mostly, this is because the industry is monopolized and free market forces are unable to bring about the wanted change.
Frankly, for what most people use their PCs for at work, and given the ubiquitous network, it would be far cheaper for many enterprises to run thin client diskless workstations and actually return to a central processing model, if we hadn't already bought so heavily into the current model.
This could work, but it is an inefficient model. Work PCs and Home PCs both benefit from sharing the development costs between them. Many features now available to home users would not be if businesses had not demanded them and vice versa. Maybe a thin client working environment can take over for corporate users, and it does have some benefits, but don't underestimate the inherent drawbacks. And without an ever-present network, the thin client model does not work for everyone. Mobile devices need to function in the absence of the network and are critical to many everyday uses. Until we have fast networking available everywhere, the thin client model will be limited to a small subset of the market.
You're better off not running Kodak easy share software at all. It's a major pig -- 3 or 4 services that run all the time, and 2 or 3 programs that run upon user logins == lots and lots of wasted memory / CPU cycles. It also has some shell extension crap that hooks into explorer and gums up the works.
maybe this'll teach them a thing or two about "vunerabilities" ;) after all, necessity is the mother of invention!
Are you absolutely certain about WMP? I ask because my daughter (who most certainly does not get admin rights to my machine!) uses it sometimes to watch DVDs. Perhaps some aspects of WMP need admin rights, but most certainly not all of them do.
It's official. Most of you are morons.
A simple registry edit will fix your problem with Autocad. Granted, you shouldn't need this workaround.
Jaysyn
There is a war going on for your mind.
They need to lock down their boxes to make sure that their employees don't discover the utility of free software (like firefox).
Oh _that's_ why they are doing it. That figures. Everyone knows, you always give Linux users root access, so they can install all that great free software. And, equally, we know that if you don't have administrator rights on a Windows box, it's impossible to install Firefox.
And someone gave you an 'insightful'. Geez.
-----
I'm a bit dubious about this list. I run with limited privs on my personal machine. So far I only elevate privs for Exact Audio Copy (it needs it for proper access to the hardware or something), and Intuit products (badly written). Any other apps that I've had problems with have been resolved by selectively changing permissions on specific registry keys and file system folders or files. It's really not that much effort, and Aaron Margosis' blog is also a great help in this area.
The employees instead of typing the admin password will actively look for holes to get the admin rights, spot them and eventually later patch them. Things like "cancel" button in Win98 login screen won't get overlooked :)
Anagram("United States of America") == "Dine out, taste a Mac, fries"
Works on version 10 as well.
I see it a lot of times when a program's installer doesn't correctly register COM objects, and so the program tries to do it the first time it's run instead. AutoCAD is bad about that (as well as trying to re-associate its files all the time)
Do your users have Power user rights? The default reg permissions in XP allow power users to create new entries in the system-wide CLSID key. I see a lot of programs that work if you have power user but not standard user rights. Honestly I don't really see the point of power user since once you have that it's trivial to escalate to full admin.
The Oracle installer just sucks donkey balls though -- I repackaged all their stuff simply so I could install it under 'Program Files' where it belongs. It's hard to believe in this day and age that an installer would complain and not let you install in a directory with spaces in the name. Progra~1 works for the install but it gets really confused if you try to uninstall.
I don't think that can be true. Microsoft would be shooting itself in the foot if its own employees remained in the dark about what's going on in the real world.
You are not alone. This is not normal. None of this is normal.
It would be nice if software vendors listed those things. It can take quite a bit of time for something that would be trivial if it was listed.
That's a brilliant idea. That way, your essential corporate data will live in virtual Word documents and virtual Exchange databases, and it will only be disclosed to the outside world by virtual spyware running on a virtual machine.
Of course, the bad guys are still very real, as is the damage to your company.
A "box" doesn't have administrative rights, a user does. So I'm not sure what you are talking about.
Windows Media Player works just fine in an ordinary user account. Some people fsck up their installations by putting media files in inaccessible locations -- but WMP 10 works fine.
He's replied already that you can get almost any program to work without administrative rights if you tweak registry keys and file/folder permissions. The point is that you have to do that; the programs do not work without administrative rights out of the box using a standard install procedure.
Here's a partial list of programs that require admin rights to run (not merely install):
/ HallOfShame.html
Here is a more complete list: http://www.pluralsite.com/wiki/default.aspx/Keith
Not running as admin should have been eliminated back when multiple users were first introduced with NT.
But hey, from what I hear this new Vista OS will have new features like using config files instead of the registry, shell scripting, regular updates to keep the thing working via a paid subscription, and other nifty new things.
What's next? A web browser that is not integrated with the entire operating system?
Oracle is the WORST on any platform, I don't know what kind of crazy-land they live in, but even the headless unix versions require all sorts of graphic libraries to do the install. We couldn't go to a newer version of Redhat for a long time not because of the kernel, etc but because of the installer graphic libraries would work; people were shoe-horning it on boxes just to get around the sole problem of the installer!
Sure, that must be the reason
http://portableapps.com/apps/internet/browsers/portable_firefox
It comes with me everywhere I go (well, almost :-) )
I know this is a minor example, but I always had a lot of trouble running the Microsoft Reader (their EBook reader) from a non-admin account, especially after their 2.0 format update. Before I could read ebooks just fine from my Admin or my Power User account, but after, it got screwed up big time. Reader ran but it didn't always work - some books were only accessible from Administrator, and another set were only accessible from my Power User. Yet I had authorized the same hotmail address from both, etc. You might want to check on any DRM app to make sure they work properly. Working properly at the minimum means 1) a non-admin can authorize a purchase, 2) stuff still is accessible especially after an app update which is done by an admin. The entire EBook fiasco I've had has turned me off their DRM altogether.
I'm pretty sure, even without having read TFA, that Microsoft doesn't control its employees' computers at home.
English is easier said than done.
The point I was making is that most apps I use do work out of the box. I can count the number of apps I have had problems with on one hand, so it's not such a big deal. I've heard gamers have problems, but then I just scratch my head anyway because I don't see the point of using a PC for that. Each to their own.
You can make any program run with administrator privileges with PolicyMaker Application Security or ProtectionManager, neither of which ask for the admin password. The first is free if you don't use remote administration, don't know about the second.
Is there any reason not to use some kind of virtualization solution, and allow employees to "admin" their images, while forcing user privileges for the host operating system?
Except for device driver development (even USB and some other stuff would work correctly in a VM), are there any disadvantages?
Are there any OS developer situations that require the performance of native access at the same time as requiring administrator privileges?
The only arguments I can think of against this are developers that require close hardware access, but with paravirtualization solutions like Xen even that's not a big issue. Well, except on Windows, of course.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
You don't need admin rights to install Firefox, etc. on Windows. That was his point. This has nothing to do with free software, and everything to do with "Hacked By Chinese" (for those who remember when MS was compromised by Chinese vandals).
Given what has been on /. lately, are you so sure that it isn't the case for some of their staff?
I have nothing to say.
If you look around at the other comments it actually is a really big deal. Finally MS will have to build their software so it works properly for non admin users, and this is a big boost for security. And for admins all over the world, who have tried to apply strict security policies, but failed, because the security lid couldn't be safely fastened on a machine that should do standard tasks.
http://www.theregister.co.uk/2002/06/30/ms_security_patch_eula_gives/
The thing that would bother me about this arrangement, is that someone with *decades* less experience than I have, and with entirely less financial stake in the company than I have, would have a higher level of authority than I.
-fb Everything not expressly forbidden is now mandatory.
I think the terms 'Admin Rights', 'Admin Responsibilities', or even just 'Superuser' is a bad way to describe to the non-technical what's really involved and unsecure by granting these accounts this level of access.
I used to work for a large publication which meant most people ran on Macs. Of course admin access isn't required to just use a Mac under OS X, but many non-technical people and especially the higher-ups saw this as a threat when I mentioned we should force people to run without administrator 'privileges'.
It was only when I started calling it by the term 'Administrator Responsibilities' did people stop insisting that they needed this level of access. They really didn't want the 'responsibility' involved in running a computer, they just wanted to 'use' it. Things went very well (in this regard at least) from then on.
Glencoe Textbook Software, especially the Test Generator ©2004, insists on copying a DLL file from its own directory on the Root of C: (This location is hard coded into the software) into the \%system%\ directory every time it runs. Without Admin rights, it is unsuccessful ergo it will not run. (It doesn't matter that the DLL is already there.)
MediaMax DRM generates an error if you do not have Admin Rights. You'll get this error even if you run once as Admin then try to run again as a Power User. Since you can't install/update/run the DRM, the CD will not play. There is a work-around, but to me it is not worth it. This is just another reason to not buy BMG products.
Memo
Signature applied for, Patent Pending
Interesting policy... I wonder how many machines will be domain joined if it is put into place?
...and Quicken.
Quicken is the *only* reason my wife has admin rights to her Windows machine. After removing yet another virus--and a several page list of spyware--from her computer (which has automated Windows, anti-virus, anti-spyware and firewall updates, thank-you-very-much), I changed her user account from administrator to power user...and Quicken promptly stopped working.
I tried changing permissions, etc., on the Quicken data directory (among other things) to no avail. The only way I was able to get Quicken to run under her account was to give her back admin rights, sigh.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
You don't need admin rights to install Firefox, etc. on Windows.
In that respect, they're better than a lot of MS products. One thing I wonder is how they're going to run debuggers without admin privs.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
What on earth? Don't they have an enterprise software distribution system? Why are they not using their own product, SMS?
How can they control anything with that many users that just 'install at will'. Sheesh.
Sure they are 'technical users', but management should be taking a more active role in what is going on.
---- Booth was a patriot ----
Or is Microsoft promising them all new hardware in the balance?
"Hi, here's a new Core 2 Duo for you. Now pretty please will you take Vista as well?"
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
What version are you running?
:-)
7.0 (latest) on my wife's machine.
Perhaps they've fixed that problem since I encountered it about 4 years ago.
It would appear so.
Just a thought, but a lot of things change in 4 years, particularly with computer apps. It's probably wise to verify such things before making statements (or just stating the version of PowerDVD that doesn't work). For instance, WordPerfect 2002 won't run without Admin privs. Does the latest? Don't know. I also don't care anymore, since I run Linux now
Look at the tomato! Isn't it sad? He can't dance! Poor tomato!
You're all over the place...
Maybe a thin client working environment can take over for corporate users, and it does have some benefits, but don't underestimate the inherent drawbacks.
Like? some of what you consider drawbacks may be pluses to the reader, such as homogeneous software footprint, less hardware (space and power) at the end-node, no DVD drive to break; but since you don't list them, we won't know.
And without an ever-present network, the thin client model does not work for everyone.
huh? a network is a prerequisite for any corporate network, thin or fat client - this makes no sense (strawman anyone?) PLUS if you do have a network outage, and your user is on a client/server model using a fat-client, they may get data corruption on the backend (doc, sql, etc) with a thin-client, they reconnect after the power cord to the main switch gets plugged back in - and guess what? all their sessions are still alive - so i submit that a thin client model needs less 100% contiguous uptime (most clients will reconnect automatically up to 30 seconds, so if the user was looking away at the time, they won't even know it had a blip) PLUS most thin clients can have a Cisco or Orinoco like pcmcia card internally mounted, and be wireless post boot, so no LAN cables needed.
Mobile devices need to function in the absence of the network and are critical to many everyday uses.
what does that have to do with thin clients? (and with direct to exchange access / OMA you don't sync with your PC anyway but with your central exchange/notes server anyway) so a mobile device, now that you bring it up, is actually a nice pair to a thin client - both for 1/2 the cost of pc and 1/3 the cost of a laptop.
Until we have fast networking available everywhere, the thin client model will be limited to a small subset of the market.
now you're just being silly. Thin clients using ICA, VNC, RDP 5.x you only need 30 - 80k (*as in 0.030-0.080 of a mb/s) - the same as a VOIP conversation. Are you saying your 10/100 to the node and 1gb-10gb corporate backbone can't handle 80k to each desktop? give it a rest.
I manage 3 org's fat + thin networks and the servers that power them. and when i'm off campus, my EVDO connection gives me my Mobile 5.0 device (vx6700) a great RDP connection back to the servers, my Powerbook uses RDP for server management and user remote control.
I use thin clients in any classroom that needs a "teacher workstation" and they also have a 'real' pc for cd burning, digicamera syncing, DVD playing, etc. But the thin clients are 0 (zero) node maintenance and much easier software admin'ing than the many pcs i support (and yes, i do use Group Policy and Altiris to manage those, not just running around touching all the fat clients) but thins still win for ease of managing - i update the Terminal Servers after hours, and voila, all done.
This [thin clients] could work, but it is an inefficient model.
based on my posting above, you can see how wrong you are - but to be specific, for anyone who has a common set of apps, with even 10 users, can come ahead using a dual proc box, 2-4 gig ram, dual 73g 15k drives, raid 1, dual power supplies (think Dell 2850 or HP GL385) and keep your data on your san/nas - this is your application server and will speed along with just winserver 2003, need app metering and real loadbalancing? (not with 10 users..) but still, look at Citrix 3rd party tools.
10 users on fat = $12,000 in hardware and hardware support contract
10 users on thin = $9,000 (10 x 300 for thins w/ 3 yr hw warranty, and $6k for server, plus TS CALS - already $3k ahead...)
a dual proc box, with 4gb ram and fast disks can handle 20 users running IE, Office, SQL front-end app (accounting and grades), Acrobat Pro..
and all the zealots here will tell you, the largest part of TCO is maintenance - and again, above, the thin + TermServer will be lower there, too.
If she floats, she's a witch.
If it's not good enough for them what makes it good enough for us?
Don't mind that shooting pain in your ass that's just stevey B.
Actually, I was able to get every application you listed to run as a normal "user" account. I have repacked and given special permissions for hundreds of third party apps to get them to run non-admin.
The last co. I worked for decided to do this, boy you should have seen the backlash and uproar from users. Everyone from other IT depts, engineers, heck even secretaries were mad. However, once we successfully implemented a locked down environment help desk calls were dramatically reduced.
It's actually not as hard as you think to get "legacy" apps to run correctly as a non-admin. The best tools for this can be found at Sysinternals http://www.sysinternals.com/, regmon and filemon. Just install the app as an admin, then try to run it as a user. Regmon and Filemon will tell you where you get an "access denied" error. When repacking the app, just make sure to give the appropriate permissions to keys/files that the app writes to. InstallRite from epsilon is also pretty handy http://www.epsilonsquared.com/ , it's basically a nice front end to sysdiff.
Don't get me wrong, it isn't always easy. Some apps need to run exe's on the first reboot, some dynamically create files at winnt, but with a little programming know-how you can create some tools to get around this.
//TODO: Insert catchy phrase
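The monitor-then-grant workflow described in the comment above, as an added example that is not part of the original post: it reads a monitoring log, keeps one process's "access denied" hits, and separates paths that can take a narrow ACL grant from system locations where the application needs fixing instead. The CSV layout, `legacyapp.exe` and all paths are constructed for illustration and are not Regmon or Filemon output.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log. The four-column CSV layout is an assumption made for
# this example; it is not the export format of Regmon or Filemon.
SAMPLE_LOG = """\
Process,Operation,Path,Result
legacyapp.exe,CreateFile,C:\\Program Files\\LegacyApp\\settings.ini,ACCESS DENIED
legacyapp.exe,WriteFile,C:\\Program Files\\LegacyApp\\data\\cache.dat,ACCESS DENIED
legacyapp.exe,CreateFile,C:\\Program Files\\LegacyApp\\data\\cache.dat,ACCESS DENIED
legacyapp.exe,CreateFile,C:\\WINDOWS\\system32\\legacy.dll,ACCESS DENIED
legacyapp.exe,SetValue,HKLM\\SOFTWARE\\LegacyApp\\LastRun,ACCESS DENIED
legacyapp.exe,OpenKey,HKCU\\Software\\LegacyApp,SUCCESS
explorer.exe,CreateFile,C:\\Program Files\\Other\\x.tmp,ACCESS DENIED
"""

# Locations where loosening the ACL would hand every user a way to tamper with
# the OS itself. Hits here are reported, never turned into a grant.
PROTECTED_PREFIXES = (r"c:\windows", r"hklm\system")
REGISTRY_PREFIXES = ("hklm\\", "hkcu\\", "hkcr\\", "hku\\")


def denied_targets(log_text, process):
    """Return {path: {operations}} for ACCESS DENIED rows of one process."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Process"].lower() != process.lower():
            continue
        if row["Result"].strip().upper() != "ACCESS DENIED":
            continue
        hits[row["Path"]].add(row["Operation"])
    return dict(hits)


def classify(path):
    """Sort a denied path into 'protected', 'registry' or 'file'."""
    lowered = path.lower()
    if lowered.startswith(PROTECTED_PREFIXES):
        return "protected"
    if lowered.startswith(REGISTRY_PREFIXES):
        return "registry"
    return "file"


def plan(log_text, process, group="Users"):
    """Build a remediation plan from the denied paths of one process.

    File hits become one icacls grant of Modify on that exact path (icacls
    ships with Windows Vista and later). This assumes the file already exists
    from the admin-mode install; a file the app creates at run time needs a
    decision about its directory instead. Registry hits are listed for a
    per-key ACL change, protected hits for a fix in the application.
    """
    result = {"file": [], "registry": [], "protected": []}
    for path in sorted(denied_targets(log_text, process)):
        kind = classify(path)
        if kind == "file":
            result["file"].append(f'icacls "{path}" /grant "{group}:(M)"')
        else:
            result[kind].append(path)
    return result


if __name__ == "__main__":
    remediation = plan(SAMPLE_LOG, "legacyapp.exe")
    for kind, items in remediation.items():
        print(f"[{kind}]")
        for item in items:
            print("  " + item)
```

Granting per file rather than on the whole program directory keeps the application's own executables and DLLs read-only for ordinary users.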
Like? ...but since you don't list them, we won't know.
I did describe them. They require network access to function, which is not possible for mobiles right now. Since they are specialized they are less likely to benefit from innovation brought on by home user software development.
huh? a network is a prerequisite for any corporate network, thin or fat client - this makes no sense (strawman anyone?)
I take it your company does not have anyone work offline with a mobile... ever? You're completely failing to understand my main point. When corporate workstations and home computers are the same OS/platform, both benefit from improvements to the other. When they are different, they don't. Thin clients are not practical for most home users. Thus, moving to a thin-client architecture for your corporation means losing a lot of those improvements over time.
I'm not even going to address the rest of your post. Go back, re-read and actually comprehend my points. Then, if you want to discuss it, actually address them, rather than implementation details of a thin client system for a specific use.
Apple remote desktop:
http://www.apple.com/remotedesktop/
Firewire transfer during setup (also available after setup):
http://www.apple.com/macosx/features/setup/
At least in my experience, windows boxes are generally set up for single user environments. Sure there could very well be more than one user account (administrator and guest for example) but only the account with admin rights will be used. In linux you are more or less required to run multiple user accounts.
And I don't have a good enough reason to switch to it on my own, although it is supported. Hannover might be able to convince me tho.
Blar.
Same difference, as i think he is saying 1 user = 1 PC. He also fails to mention if he is using alternate means (custom security policy, compatws.inf template, etc.) to ensure those apps run. I have run across a lot of apps that need admin rights to run or to function correctly and have had to make significant changes to ensure that a typical "user" can run correctly. I think TMM meant installed apps with no "tweaking". Please verify that you mean the same or not. I think tweaking instead of just giving admin rights is worth it in the end. I no longer have an endless stream of phone calls related to spyware or have to worry about spyware involvement in a troubleshooting scenario since everyone is locked down. Makes your typical day a lot more quiet. Of course, there is a bevy of other issues, like a laptop user who can't install a printer driver for his home network and needs "assistance". But overall, it is worth it.
And these machines run the software as well as you can expect windows to work.
;)
So they are full of spyware and crash for no reason?
Good idea, but flawed from a security perspective:
If the idea of not having Admin rights is to keep virusX off the network, running Admin in a virtual machine just means virusX runs in the virtual machine & infects the virtual machines on the network: Stuff is still borked because all those developers have viruses on the virtual machines...
Note: Personally, I don't see developers wanting to develop in User-Mode. I also don't see why at least the non-developer staff is not running in User-Mode. (OK, realistically I do, but theoretically I don't.)
Just so you know, not all of these programs need admin rights to run; they need certain privs on certain folders (usually either write or modify to their program directory).
Yeah, but that's more of the same voodoo, isn't it? To the extent the Windows directory structure and associated permissions makes sense and are consistent, I wonder how the typical Windows administrator would find time to right-click his or her way through the file system, or bury their nose in the registry until everyone's gone home for the day, to determine what's what, let alone work out problems on a case-by-case basis, keeping track of all the changes.
Some time ago, I came up against a failed OfficeXP install. Reason? The user's $TEMP folder was owned by the user (novel concept), and had rwxr-xr-x permissions. (Converting those perms to the Windows' ACL equivalent I'll leave as an exercise for the reader.) Never mind the full admin rights of the user, the install failed consistently with a nondescript message. Not having the time or patience to narrow down the problem (no doubt SYSTEM needed write privileges or some such nonsense to create yet another goofy one-off log file), I changed the perms to 777, re-ran the install, and called it a day.
Personally, I think someone could write a book on the subject of Running as Non-Admin, but it would be a miserable read. As for possibility of the folks at Microsoft going through changes, good for them! They may yet discover treating everything as a file just works better, especially when you have to start paying attention. Even if that is a slippery slope that leads away from the Windows way of doing things.
This *may* be the way for Microsoft to finally solve some of their security problems. When their employees constantly are yelling "G*dD#@mn IT", the company might buy a clue-by-four to figure out their *basic* failure in the current security model. As a network security specialist, I was dumfounded to (on my new machine) find that, in addition to the basic administrator account (no default password), there had to be at least one more administrator added. My issue was simple - my user ID should be a "Power User" not "Administrator". Yet, when I attempted to change my usual logon to a PU (I am the only one who uses this machine), I was greeted with a message that "You MUST have at least one administrator". This while logged on to the ACTUAL Administrator account (that name had already been changed). I suppose I could have done the work to logon as "Local Service", but .
More importantly, why does Microsoft ship all Windows products with a password of $NULL?!?. Any self-respecting cracker (THEY ARE NOT HACKERS) knows this. At least use a password generated by the product key entered upon installation. The product key is printed on the documentation along with an admonition not to lose it. It would be TRIVIAL to add an administrator password to the sticker, along with the key.
And ye shall know the truth, and the truth shall make you free.
John 8:32(King James Version)
it is true that applications developers do not strictly need admin rights to develop in windows. But this only works if they need infrequent installs of software packages. Some places this works, particularly if everyone is on same project or same exact development environment. but other places not so well. Also, developers are generally power users. While they may be ok w/ out full admin, they certainly want to be able to install software on their own from time to time. everyone has their favorite utilities & apps, etc... also people want the freedom to try new tools on their own (beta version of visual studio, for example). In UNIX, this freedom is no problem. In windows it is tough to make it work.
Once again, the point is evinced by the fact that MS still has everyone running as admin. that is a security joke! In the internet age, no one should be 'working' as admin except administrators and even then administrators should be doing email, browsing, research, etc.. as non-admin user & only switch to admin when making real system changes. It is difficult to pull this off with windows and it shouldn't be.
Even in cases where admin rights are necessary, virii and malware can be mitigated by a combination of tools. With Symantec AV, MS Defender, and a good firewall at the perimeter with content control, the only people who cause problems for me are bored users who get to sites that aren't on the content control deny list. Once I explain to their boss that they're paying me +$100 an hour to clean up a mess that could have been avoided if the employee was doing their god damn job instead of jacking off on someone else's time, the problem usually goes away.
When a workstation blows up, a re-image gets things up and running again in an hour or two.
Even though it's possible to work around the 'dangers' of admin rights, I do agree that it is a problem. Microsoft took a step in the right direction with the Windows XP RunAs. I've found that at my clients who have XP and need admin rights for a particular application, setting up a shortcut that uses the RunAs functionality gets the job done most of the time.
One thing I wonder is how they're going to run debuggers without admin privs.
They should be okay so long as they are members of the usefully named 'debugger' group.
-ccm
Too much Law; not enough Order.
And? Does it change the FACT that it only takes a single mission critical app to dictate if your organization can function with limited rights and MANY organizations have such apps?
I'm not getting how your secretary and the post office have higher authority than you.
Does your secretary get to edit content after you've signed the letter? Does the post office get to decide what mail is, and is not, delivered?
Were all these people hired on your authority, paid out of your budget, and working according to a policy you wrote?
-fb Everything not expressly forbidden is now mandatory.
I didn't think it was possible or feasible to run a Windows box as any other than as admin. I've tried and it made setting a whole fileserver up look like a walk in the park. For almost every single app you have to determine what rights it needs and adjust. Especially when you start using some older software it's very time consuming. With Vista the possibility to run as a limited user without demanding one admin per PC is introduced. I think the intention is "eating their own dogfood" and to force this way of thinking into everybody's mind.
Windows XP really sucks hard when i think about it. Vista is a small step forward but still, it really sucks to admin.
HTTP/1.1 400
No text.
http://outcampaign.org/
microsoft doesn't need doing this... game developers need to do this!
several games don't run without admin rights (who knows why...) - if all games worked without admin rights then MAYBE people MIGHT start using their windows systems with user rights making the whole world MUCH safer from attacks...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
For both companies (one of them is a big name, the other is a startup) I've worked for, they give you admin. It's usual practice.
Gates: "We're wrestling with a security issue whereby our employees are able, due to holes in the desktop OS we're using, to be inundated with all sorts of software we didn't intend for them to run. Suddenly, we're starting to ever...so...slowly...understand what all the security fuss is really about for our customers! Thus, Vista was delayed!"
In a related story, Microsoft employees' bragging rights are pretty much gone.
Result: Operating system that comes closest to mimicking the public school | prison | "insert_government_run_agency_here" system.
Autonomous Retard -- Is your camp safe? UnsafeCamp.com
For an example of the reason Microsoft *should* restrict their employees (especially development/usability staff), look at the following exchange:
Me: It was not a question. If an application requests access far in excess of what it needs, is denied and continues on without problem, the request for access is by definition a LUA bug (it did not need the authorization in order to proceed). If, for example, my application never reads or writes to COM1 but attempts to open it for read/write access, the least I should be guilty of is sloppy coding. However, if I am writing a trojan masquerading as an otherwise useful utility, I would do this to see if I was able to do so. Possible responses:
Request denied: Continue with what the user wanted me to do.
Request permitted: Deploy destructive payload, then continue with what the user wanted me to do.
This scenario is the same whether the request is a registry write, an update/change of system files (libraries, executables, configuration files) or writing to memory (RAM or DISK). Therefore, by definition, any request for services that are not needed to perform the operation is an LUA Bug.
Answer: Developer from Microsoft (as a result of my comment to his blog): You can choose to define it that way if you want, but it's not a useful definition, and frankly doesn't make any sense to me. For most people, "bug" implies that the object under consideration does not work as designed/desired. For my purposes, I'll stick with my description as posted here: http://blogs.msdn.com/aaron_margosis/archive/2006/02/06/525455.aspx
Is there some reason that a "security conscious company" would feel that widespread requests for unneeded access should be permitted? If I came to you and said "I want a key to your house, not because I need it, but because I want it", would you feel comfortable giving me one? Better yet, would you feel comfortable if I went down to the local locksmith asking for a key to 1313 Mockingbird Lane and they gave it to me without any questions??? This is what an employee of Microsoft is describing as working as designed/desired!!!
And ye shall know the truth, and the truth shall make you free.
John 8:32(King James Version)
"An unusual practice? Where? Most places I know have their users running as admin..."
Personal experience is not a statistical sample. This applies both to the parent and the grandparent. I have no idea which approach is more common in the Fortune 500, but the experiences of a couple of random Slashdot people, no matter how smart they may be, aren't going to tell us. I've met companies in the Fortune 1000 that do it both ways, FWIW (i.e., nothing).
Now, as far as my current employer goes... I'm the IT Manager for a small manufacturing company. Almost everybody (including IT staff, including myself) uses an unprivileged user account for day-to-day operations. This works reasonably well, although there are plenty of programs that need a little persuasion (sometimes with a large hammer) to be made to work. REGMON and FILEMON from http://www.sysinternals.com/ are great for debugging problems that arise from Windows Programmer Brain Damage. I've only got one program that couldn't be made to work this way, and it's limited to two computers.
I'm fortunate in that management recognizes computer security as important, and backs me up on this.
I have to say that restricting user rights this way (along with a few other things, like WSUS and roaming profiles) go a long way towards making Windows a usable platform. All the support calls from malware/badware vanish. Support calls from things "I installed Napster and now AutoCAD won't work" vanish. People can't tinker with stuff and break it. It's a Good Thing.
I still vastly prefer Linux for any number of reasons (not all of them technical), but if I have to support Windows, I will at least do it right.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Seeing as they have already denied many rights to non-Microsoft people, they were looking for another segment of humans to restrict. It seems they have found it.
As for it being the same old voodoo, proper permissions are something you run into on all OS's (it's just that some implement it differently than others). Windows certainly isn't well-designed as far as allowing functionality with severely restricted permissions, but a lot of the blame falls on bad programs also.
And as a Windows administrator (I don't know how typical), in order to be good at your job you're going to need to know your way around in the registry. You make time to ensure software being pushed out to thousands of machines is working properly, even if that takes looking at file/regmon readouts to see if things are bombing out anywhere. Permissions changes can be scripted.
Just a sidenote: about the worst program I've dealt with as far as packaging up and pushing out to machines was WordPerfect 11-. However, they've fixed many many problems in 12.
Per your O-faceXP issue, I don't know what to tell you. We push a package out that works just fine with (pretty heavily) restricted user privileges.
But hell yea, I think forcing M$ employees to run as regular ol' users instead of administrators is a great idea. 'Run as...' kinda sorta works, but they need to convert their entire OS model to something more compatible with the 'run with minimum necessary privileges' philosophy. Having a whole team of developers deal with what we have to go through all the time means (hopefully) something will get fixed.
Want lists, with details?
http://www.pluralsite.com/wiki/default.aspx/Keith/HallOfShame.html
http://www.threatcode.com/admin_rights.htm
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Since we're almost entirely a Windows environment (we use FAI and various scripts for the Linux machines), we use a combination of GPO's and Ghost. The nice thing about Ghost's AI system is that it basically takes a snapshot of the system pre-installation and another post-installation, does a diff, then builds a package. You can also reboot in between snapshots and run the program in between snapshots to ensure all necessary registry keys are created and COM objects are registered. You can also edit the config file to do some custom calls from the package (call built-in's, reboot the system, etc...).
:).
Don't get me wrong, there are many many problems with Ghost, but they did do a couple things pretty well.
Our users have only 'User' rights with a few custom restrictions set with security policies, but our images and logon scripts have some registry tweaks.
Yea, Oracle is a pain in the nuts; fortunately, it's not something that comes up for us all too often
On a normal XP install, the user you create is administrator-equivalent in security to the actual account named "administrator", so even though you're not using the named admin account you are still effectively administrator.
This security is then made worse by using the "keep user logged in at all times" option (not requiring a login screen).
-- You are in a maze of little, twisty passages, all different... --
That's why we have instated a super-secure system. First of all, our su doesn't sit in /bin/su. Instead the file gets copied to a random place in the file system with a random filename at random intervals. Of course this is not logged, in order to improve security. Also, the only computer where it's possible to get root access at all (we use a special version of the Linux kernel that does not allow local users to become root and immediately detects any attempt to do so on all other computers) sits in an hermetically sealed room with three redundant sets of motion detectors that can only be disabled by the CEO, the CIO and our lawyer, respectively. A fourth set of motion detectors ensures that there is never more than one person in the room. The floor of the room is made up of 2x2" tiles, most of which are pressure sensitive and are not ever to be touched. The touchable tiles are dispersed in a semi-random pattern; the administrator has to know which ones are rigged, dancing a delicate ballet while passing the fifty meters between the door and the computer. Authorization itself requires the use of a special key, a keycard, two passphrases, a fingerprint, a tongue print, a retina scan, a blood sample, a sperm sample and a spoken passphrase, which is a tonguetwister in Frisian, spoken backwards. When in root mode the administrator has to press a key at least every five seconds but not faster than twice per second.
If at any point anything unusual is detected our sensitive corporate data is automatically protected from being compromised as C4 charges in the walls and floors are detonated, immediately annihilating the entire building and everything within ten meters of it.
Some say that our approach might be a bit too proactive, but =%&/(&%/%&$/"$?=(/)&%=/%/)+NO CARRIER
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
blah, who cares? Microsoft has never 'gotten' it and never will: that is why I use alternatives, such as gnu/linux. Where do i want to go today? Somewhere intelligent: so I opened up a door and closed all the Windows. shut up or walk.
soylentnews.org Go there to enjoy the people!
So why don't you use "Run As" to run Quicken and leave the normal login as a regular user ?
TO START
PRESS ANY KEY
Where's the 'ANY' key? I see Esk, Kitarl, and Pig-Up...
I wonder how they keep track of software licenses when all of the employees can install whatever they want, whenever they want.
Is not MS a business somewhat like any other company? Not everyone who works at MS is a coder afterall.... I wouldn't want just anyone to have admin rights........
You need a sperm sample to get su access? And we wonder why there are so few women in IT!
know if non admin users capabilities in Vista have been improved? As many of us are aware, limited users are pretty much broken in XP and server 2003 for development purposes. Debugging of ASP .NET and installing of numerous third party applications just won't work without admin access. This is partially the fault of third party developers, who often force installation in the Program Files directory, or who actually check to see if the user is admin before allowing installation, even though this is a totally artificial constraint.
Realistically, many users and developers especially have specialized tools that they must install, from a perl binary to something as innocuous as an instant messaging client. On linux, this is easy since configure scripts almost always allow install directories to be specified, and processes that don't need root access never request it. On windows, many programs assume admin during install, even though they don't need it, and balk if the user tries to install without it. At my school, we get around this by giving everyone admin, but having all the windows dev machines copy their image from a hidden partition on boot.
Developers might get away with this non admin boxes, but it certainly wouldn't fly for test. Testers aren't going to want to call support every time they want to test against a different version of the nvidia drivers...
When I was in school, I worked as 'student support'. :-) He even stored it on a network share, and unfortunately accessed that particular account logged on as himself. He had a nice little talk with the principal while we booted the computer.
We used to have a program named DeepFreeze installed. We would give students admin rights (because a few computers still ran Windows 98), and it worked great. Each time the computer was booted, it would mirror back to the original setup. If a teacher needed a certain program for his/her class, we would just turn off deep freeze, install it on the computer, and run Ghost to get it mirrored. Faster than installing the cd on each computer.
The biggest problem we ever faced was a student that found a pc in the library, which was turned on 24x7. He installed Kazaa and started downloading via the 100 mbit connection.
Neither at home nor in the workplace, actually.
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
We have a couple of people that everyone calls the twins (because they are twins) that administer about 900 XP machines. There really needs to be about 4 more of them if the company is going to keep our computers locked down. Our computers are so secure that they are protected from running the company software properly. Of course, I'm the only one that seems to care. I guess apathy is the only way to stay sane.
Ops, I shuld have usd the prevuwe but in.
So they are full of spyware and crash for no reason? ;)
hehehehe
Yep, that was what I was hinting at.
Same difference, as I think he is saying 1 user = 1 PC.
Yep, that's what I meant, sorry for the poor wording.
He also fails to mention if he is using alternate means (custom security policy, compatws.inf template, etc.) to ensure those apps run.
None of those apps took any tweaks for the users to be able to run them, but I will point out that 1,100 of the 1,500 or so users are Power Users, the others are Users (plus a few admins obviously). ActiveSync does have to be installed as an Admin and a PocketPC must be installed by the user, so those users get bumped up to Admin for their initial use of the PDA and then busted back down to Power User or User. I do consider this a tweak, but he did not mention ActiveSync. Also, we have several GPS devices that use ActiveSync and they need similar tweaking. There are all kinds of backflips I have to go through to get many stupid Windows apps to work, but the apps I mentioned in the previous post run fine on my network by Power Users with no tweaks.
I get the same calls regarding notebooks as you mentioned. Windows XP support for USB is quite spotty if you ask me.
I had the same problem, and "Run As" didn't work.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
One thing I wonder is how they're going to run debuggers without admin privs.
Debuggers? Microsoft has debuggers?
You learn something new every day here.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
If some programs or settings are "shared" for use by "all users", shouldn't the system be architected in such a way that it permits any user to one-off that setting or program for their own account?
Microsoft is taking the wrong approach with Vista (by having the system prompt for admin credentials all over the place). Instead, they should have rearchitected the system so that admin rights aren't needed so much in the first place.
The fundamental problem with Windows security and reliability is that the state management is unnecessarily complex.
It's unnecessary for a program to be "installed" in order to be used -- why should I have to modify the state of the system itself, and wedge crap into the registry and C:\WINDOWS directory, just to run a program? Why should the program have to keep its state in a global database (registry) that is also a core part of the system itself? It's a broken design.
Fixing the architecture to simplify state management would have other added benefits. For example, if a program's last state/settings are stored with the program, all bundled up into some kind of package file, and the program doesn't even have to be "installed" to be run, then it would be easy for users to move a program (plus all its settings) from one machine to another, or to fully backup/restore it, or to carry it across OS upgrades, etc. I've never used OS X, but I've read a little about it and it sounded like that's the approach it takes, which is just common sense.
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
'It is a tough balance and every company has to decide what is right for them,' said Estberg. However, Estberg said that for the moment, the company will continue to leave the responsibility of installing software with its employees.
It's telling that they presume you have to be an administrator to install software. There's no reason why that should be the case. Personally I think it's a great idea to force employees to use user accounts... Maybe then the "user" account will acquire some degree of functionality beyond the ability to log in.
https://www.eff.org/https-everywhere
Big companies nowadays will never allow such access. It is simply suicidal.
IANAL but write like a drunk one.