limited account help

hi, i've just setup a new limited account that i'm going to mostly use from now on. i have run afew hardening tools/patches that i had already run on my admin account, most of these pathes didn't need to be run because they were brought over from my admin account when this account was made, but one or two did and some of the Gibson patches need admin rights to run so i couldn't run them

IE, i'm fairly, sure is setup the same way as my other account too.

is there anything i need to do that wont be brought over from the admin account? the whole point of this is so it will be more secure, so i don't wont to make any mistakes. thanks

 

HI....

Why not get back to the admin account (number 1), and from there transform your newly created account(number 2) to admin too (in panel control/users accounts).
Then, step in your new account, and run whatever has to.
Finally, get back to account number 1, and change account number 2 back into "limited".

Cheers

 

Right click on a executable (.exe) in this case, the patch then choose "Run as"

Then

Find your admin account user name from drop down box where it says run as another user, login as if you were logging as admin and program will work with admin previleges.

 

thanks for your help i'm in the other account at the moment so i'll try your help when i next login.

 

No, do not assume that any settings will be "brought" over from another account. If you are familiar with the Registry at all, you will know that there are two main keys: "HKEY_LOCAL_MACHINE" (HKLM) and "HKEY_CURRENT_USER" (HKCU). (Well, actually HKCU is not really a root key but rather a link to the proper branch under HKEY_USERS for the current user... but you get the idea.) Anyway, the point is that it is not always clear what settings affect the entire machine, and what settings affect only the current user. Moreover, developers sometimes seemingly don't put much effort into distinguishing the two, and so in some cases you might expect a setting to be user only and find out that the developer applied it machine-wide (or vice versa).

Microsoft is usually very good about distinguishing the two concepts. So, for example, security tools that, say, harden the TCP/IP stack, affect network drivers, or run as services, etc. will largely be controlled by settings under HKLM and will apply to all accounts. But application-level security settings that often depend upon user choices about what type of behavior they expect and what tradeoffs they are willing to live with will be controlled by HKCU and will only apply to that particular user. So, in IE for example, the manage add-ons tool will affect all users, as well things like the choice of what Java Runtime environment to run, but the actual security and privacy settings are only for the current user, IIRC. Mostly you will just learn this type of stuff through experience and trial & error.

 

hi, i am in my new account now . if i take Maybe's advice and go to my admin account and change this account to an admin account, make the changes, then turn it back to limited, how will i know if the changes have stuck? what i mean is; i just tried to check the services and i can't get there, access is denied. i tried a thrid-party program too and it doesn't work.

i tried squash's idea and access is denied to the servies if i click on Run As.

Alec thanks for your post. i just tried to go to WU to see if it would work, that way i'd know abit more about what is happening with the services; i have BITs and automatic update turned off in my admin account, so if WU worked i'd know the settings where different. when i used IE to go to WU it said i needed to allow activex so i tried to put some of the MS update addresses in the trusted zone but it wouldn't let me. so i went to -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
to do it manually and i wasn't allowed to make a new key. i'm abit confused at the moment. i'll take my time and have a think, i think there is something easy i am missing.

Wow, i've just noticed half my startup programs aren't running i think i have just worked it out. there is no easy way around setting up a new limited account; i have to go through every program/patch one at a time. but, that still leaves me not knowing about services and if it's possible to apply patches that need admin rights.

this is when i click Run As for services.

 

It says access denied but you disabled "Secondard Logon" in services.msc

Login into your admin account
Go to Start > Run > services.msc
Turn on "Secondary Logon" to "Automatic" and Press the Start Button
Log off

Then

Login into your new limited account
Right click on .exe and select "Run as"
Choose your admin account under the "Run as another user option"
Type admin password

Program will now start with admin previleges.

 

hi, i tried that with services and i still get Access Denied. i'm going to search the internet to see what i can find. so far i have only done a quick search.

 

http://blogs.msdn.com/aaron_margosis/

 

thanks Pollmaster, after a quick look at your link, that seems to be what i need. thanks again