Any security issues when converting user from Admin to Standard ?

Discussion in 'other security issues & news' started by Defenestration, Apr 16, 2010.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I have managed to persuade someone who has been running as Admin for a long time to try running as a standard user on Windows 7.

    Normally on a fresh Windows install, I would install all apps and configure everything as required, then create a new Admin account for admin tasks, and switch the existing admin account to SUA.

    I was going to do the same for this user, but as the user has been running for a long time as Admin, I was wondering if there could be any problems (apart from some existing app not having admin rights) from converting his admin account to SUA ?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    how are you going to convert it, straight demotion to standard? There shouldn't be issues but I would create another standard account for everyday use, just in case
     
  3. pasha101

    pasha101 Registered Member

    Joined:
    Nov 28, 2009
    Posts:
    34
    You may be interested in this article http://unixwiz.net/techtips/win7-limited-user.html. I tried running as a standard user for awhile. I had some particular issues that made it less than ideal in my situation. I had difficulty doing certain functions with my antivirus using that account. I could have likely got around the issue but it was becoming a hassle. Also I use Online Armor and run my browser in run safer, this appeared not to work if I logged in with a standard user account.
     
  4. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I was just going to do straight demotion. One thing I was forgetting about is that the users folder name will not change if you change the user name, so you can end up with a username of MyStandardUser, but with a user folder of MyAdminUser (assuming you demote a user called MyAdminUser and rename it to MyStandardUser).

    Creating a new standard user account solves this problem, but then you have to configure things like QuickLaunch and certain run on startup apps.
     
  5. wat0114

    wat0114 Guest

    Terrible approach (sorry to be blunt, but sometimes it's necessary). Just leave the current admin account alone and create a new, lua account. I've seen a number of posts in this forum where people have tried your idea, only to run into myriad ordeals.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I agree. It would be best to leave that account alone.

    What I have been doing is to go ahead and use the Administrator account (in XP) to get just about everything I want configured on a fresh install. Once this is done, I set to option that the group Admins is to be the owner of things. Then I create my daily admin account. Now in theory anything that this daily admin creates is owned by the admin group rather than a particular user. If I were to create a User account, the same would happen.

    This seems to be easier to me and also leaves that default Administrator account, which is rarely used, as the true owner and master of about everything.

    There are ways to automate removing the ownerships a current administrator might have from what he has created, and giving it to the group instead of the user. However, I gave up on that for the moment, as it is only possible (that I can find) if you can figure out some undocumented values. I am trying to do it natively with what is already in the OS. Other methods can work, but that is not nearly as interesting ;)

    Sul.
     
  7. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    On a side note - make sure there is at least one administrator user account configured and left, and by that, I do NOT (!!!) mean the one called "Administrator". The following picture illustrates why :D
     

    Attached Files:

Loading...
Thread Status:
Not open for further replies.