none
Issue of admin/standard user permission-confusion RRS feed

  • Question

  • Hello forum,

    I'm noticing a strange issue occurring with permissions between an administrator-permissions account and a standard-permissions account. I'm surprised this isn't a bigger issue "in real life" or a concern for other users - or even Microsoft - but I'll air my issue here and hope some good answers or with time; a healthy debate.

    The setup:

    • Two user accounts on the Windows 10 Pro PC: Standard account for daily use. Admin account for UAC actions (such as installing new applications). For simplicity sake let's assume that the admin account is named ADMIN and standard account is named STANDARD. This makes it easy to explain and separate the user-paths such as "C:\Users\ADMIN\Documents\" or "C:\Users\STANDARD\Documents\".
    • The two users are separate, have separate roles and must be separate! Criteria: must have different passphrases, must not be logged on to ADMIN all the time, this to reduce chance of malware getting itself installed (etc). For Linux users; you wouldn't be crazy enough to be logged on as root, right?
    • ADMIN account is only used as a "Hold it! Do you have permission to install programs on this PC? Authenticate yourself"! The PC owner is never actually logged onto this account to work from it; but only elevates to this account during installation, such as via UAC.
    • STANDARD user is the day-to-day 24/7 account. The PC owner is logged onto this account at all times. No other accounts are being signed onto,with the exception: if user installs a program and UAC pops up, user briefly authenticates as user "ADMIN" instead of "STANDARD". Auth'd. session ends when setup application ends.

    Issue:

    1. As the user authenticates as "admin" the installed files are unfortunately "owned" by the Admin-account. This causes a lot of strange problems, such as:
    2. If program has ability to save files, the "save file" / "save as" dialogue automatically opens in "C:\Users\ADMIN\Documents" directory. This is of course completely wrong. I am logged on as a user STANDARD, not ADMIN. User ADMIN was only used to elevate permission to install.
    3. While attempting to move or delete files that were created during installation, elevation is always required. This is a tiresome thing. Even things like the Desktop shortcut to the new application. Just moving or deleting it from "C:\Users\STANDARD\Desktop\" requires elevation from ADMIN... That's some top-secret super-valuable shortcut in my own Desktop directory, man.
    4. Rarely, but with occurrence, settings and adjustments made in the program will not save, if user is on their STANDARD user. If the program is started with "Run as Admin" then settings can be saved, but this goes against the purpose of the account ADMIN! It is not to be used for "using the PC" only to authenticate beyond the UAC!
    5. Rarely, but with occurrence, applications will not run at all without "Run as Admin"! I suspect one of the problems here is that important files are stored inside the ADMIN home directory "C:\Users\ADMIN\"  for which STANDARD has no access.

    I have a mild suspicion based on review that in some cases these applications weren't built for Windows 10 or a multiple accounts system in mind; it will seem as if the program either makes changes to files not belonging to STANDARD ("Owner" permission issue), (or) launches a secondary application which it does not have permission to do, (or) is installed in an "old fashioned" directory, one that is now much more strictly controlled by Windows than ever before; such as the "Programs" directory.

    These were just some cases I could recall. I hope other users will share their experiences and advices. Also preferable would be a discussion with Microsoft involved. Naturally I believe the currenty permissions-system to be slightly flawed. I don't think that user STANDARD, when UAC-elevated to ADMIN, should lose all owner/access right for an installed application or it's files. I'm still STANDARD, just using ADMIN as a shield against unwanted software, so why strip away the rights of the PC owner... Bizarre.

    Workarounds:

    Thanks, but no thanks.

    I can most certainly (MANUALLY) go through every single installed file, feeling much like a loser while doing so, and change ownership from ADMIN to STANDARD. I'll get back to you in a year's time once I'm done with this lengthy process... :p Microsoft representatives who offer this type of solution must never have worked on real-life Windows systems. You know who you are. Please don't do this.

    Permanenet solution:

    Now we're talking! This is what I'm after; a permanent "do it once" solution that will correct the behavior of UAC; because it's apparently going haywire with owership where it shouldn't. Unless, of course, the practice of actually having multiple account permissions was actually tested by anyone during development...but I'm pretty sure security was the #1 main focus area of development, even before functionality. Secure by design! Right? Right...? Please?

    Thanks for reading!

    Kindly,

    Ariin


    Thursday, August 23, 2018 11:59 AM

All replies

  • "...these applications weren't built for Windows 10 or a multiple accounts system in mind" I would think sums it up. What program\s are you seeing this with?
    Saturday, August 25, 2018 9:57 PM
  • "...these applications weren't built for Windows 10 or a multiple accounts system in mind" I would think sums it up. What program\s are you seeing this with?

    Well for starters, Windows 10 itself won't let me delete my own desktop shortcuts without logging onto Admin. So there's that. I get where you're coming from though.

    What I can think of right off the bat:

    * Every single jetico software; the more frustrating issue is with wiping the recycle bin. This action requires elevation, which in turn makes it target the ADMIN accounts' recycle bin not the STANDARD user's... So the feature effectively doesn't work

    * Python, but this is a Environmental Variables issue. Still, I don't get why they have to be account-specific only due to the elevation; again I'm not surfing the web as Admin, I'm just complying with UAC...why would it assume I'm another user all of a sudden? Is there a workaround option to disable account-specific PATH and instead use global?

    * Windows 10's own Task Scheduler (TS) doesn't really let the STANDARD user do anything at all that is non-default. Even when you change user within TS, for example to ADMIN, to let TS run tasks with elevated permissions, it requests the ADMIN password, but it fails with a "Task scheduler cannot create the task. The user account is unknown, the password is incorrect, or the user account does not have permission to create this task". Other options also return the same/similar error.

    This feels flawed to me, but perhaps I'm the only one. That's fair; I'm still happy I can bring it to someone's attention.

    /Ari

    Sunday, August 26, 2018 2:40 AM
  • Guess I have learnt to live with UAC so used to it I guess.

    Desktop there are two locations for the files, All Users and the logged in user. A non-admin will not be able to delete or create All Users desktop shortcuts (so not just there shortcuts). They can there own.

    C:\Users\Public\Desktop

    C:\Users\%USERNAME%\Desktop

    jetico appears low level security software so would not be surprised if that has to be run as admin. If there are user functions to that and they require admin then perhaps raise that with there support.

    Python not sure what version \ installer you are meaning. The environment variables there are user and all users sets from memory.

    Task Schedule getting into more of Windows protecting itself. Some tasks you cannot change as admin (the Windows Updates), same as same files and some services and why it will not let you clean your disk it is running on.

    Did install a couple a things as user with providing an admin with UAC (Open Office and Notepad++), Open Office had an install screen asking what user to install for and defaulted to All Users, Notepad++ installed and ran fine. The Open dialogue on Notepad++ opens its program folder so guess it may get a around the user thing that.

    So if you are hitting things that are problematic with UAC you may have to use your work-arounds or something.

    • Edited by -Mr Happy- Sunday, August 26, 2018 6:43 PM
    Sunday, August 26, 2018 6:42 PM
  • ... again I'm not surfing the web as Admin, I'm just complying with UAC...why would it assume I'm another user all of a sudden?

    I realise this doesn't help with the particular situation you have here, but when UAC prompts you, and you enter the credentials of a different user, then you essentially are another user all of a sudden. That setup program is running as ADMIN, not STANDARD. It's not that different from using RunAs to launch a program as a different user, or logging off and back on as that user.

    The way I generally advise thinking about it is - a regular user can do what they like to their own settings, but changing what a different user would see requires admin rights. Therefore, if the shortcuts are on the All Users desktop, and visible to any user, it requires admin rights to change or remove them. If the shortcuts are on your own desktop, then they're yours to delete. The icons you see on your desktop are the combination of these two locations, so it may not be obvious that some of them are common to all users (and you don't have rights to change), while others are specific to your username.

    Some of the things you mention are specific to the software you're using, not Windows, I think. At least, we automate the installation of quite a lot of software (somewhere around 400 apps), which are almost always installed under different credentials to the ones used at runtime, without running into this kind of problem.

    On the environment variables, I'm not sure what the issue is you're describing. The PATH has both user and machine components, and what you see as the PATH variable in a command prompt is the result of combining the two. There should be nothing preventing STANDARD from appending path entries to the user path to include Python, and there are resource kit utilities (pathman) that can automate that.

    Wednesday, August 29, 2018 10:10 AM