Michael Horowitz

Resurrecting restricted users

December 08, 2009 9:10 PM EST

I recently set up a new Windows 7 computer for a non-techie user. As part of the initial tweaking, I created both a restricted (called a "standard" user in Windows 7) user and an Administrator user.

As with prior versions of Windows, when the machine powers up, the system shows each available user. My instructions were to log on as the restricted/standard user normally and only log on as the Administrator user when installing new software. To encourage the use of the restricted user, it has no password, while the Administrator user does.

But, these XP-era instructions may not be necessary any more with Windows 7. The new OS may, finally, make it practical to always be logged on as a standard user.

Microsoft thinks so. In the Control Panel, when choosing the type of user to create, they "recommend creating a standard account for each user" because it prevents "users from making changes that affect everyone who uses the computer, such as deleting files that are required for the computer to work."

Yet, they default to creating a single Administrator user. 

Like most copies of Windows, my Windows 7 system had a single administrative class user. I created a second Administrative user, logged on to it and then downgraded the initial user to standard. Then I logged on to the newly low-class user and kicked the OS tires.

These tests were run with User Account Control (UAC) set to the default level of "Notify me only when programs try to make changes to my system. Don't notify me when I make changes to Windows settings."

The goal, of course, is for a standard user to do their day-to-day computing without interruption from UAC. When installing software, and making other system-wide changes, the system should prompt for an administrative password. In other words, Windows 7 should work like Linux.
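A read-only check of the setup described above, as an added example that is not part of the original post: it lists the direct members of the built-in Administrators group, reports whether the logged-on account is one of them, and reads the UAC policy values that decide whether a standard user gets a password prompt. It assumes a local (non-domain) machine and membership granted directly rather than through nested groups.

```powershell
# Added example (read-only): audit the account and UAC setup described above.
# Resolve the built-in Administrators group by its well-known SID so the
# check also works on localized Windows installs.
$sid        = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminGroup = $sid.Translate([Security.Principal.NTAccount]).Value.Split('\')[-1]

# Enumerate direct group members through the WinNT ADSI provider.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/$adminGroup,group"
$admins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

$me = $env:USERNAME
"Members of ${adminGroup}: " + ($admins -join ', ')
if ($admins -contains $me) {
    "WARNING: '$me' is an administrator; day-to-day use should be a standard account."
} else {
    "OK: '$me' is a standard user."
}

# UAC policy values live under this key.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

if ($uac.EnableLUA -ne 1) {
    "WARNING: UAC is disabled (EnableLUA = $($uac.EnableLUA))."
}

# ConsentPromptBehaviorUser controls what a standard user sees on elevation:
#   0 = request denied, 1 = credential prompt on secure desktop, 3 = credential prompt
switch ($uac.ConsentPromptBehaviorUser) {
    0       { "Standard users: elevation requests are denied, no password prompt is shown." }
    1       { "Standard users: prompted for administrator credentials on the secure desktop." }
    3       { "Standard users: prompted for administrator credentials." }
    default { "Standard users: unexpected ConsentPromptBehaviorUser value '$_'." }
}

# The default Windows 7 level for administrators corresponds to
# ConsentPromptBehaviorAdmin = 5 with PromptOnSecureDesktop = 1.
"Admin prompt behaviour: $($uac.ConsentPromptBehaviorAdmin); " +
    "secure desktop: $($uac.PromptOnSecureDesktop)"
```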

Of course, this isn't perfect. Anyone who thinks they need to run an .exe file because they were emailed by the IRS about a tax refund can still get infected with malware and still needs antivirus software. But, it would be a big step up.

Life As A Standard User

Things started well. A standard user can install Firefox extensions without being interrupted by either UAC or a password prompt.

A standard user can also install Windows bug fixes (a.k.a. "patches", "updates" and "changes").

My first Windows Update test found only a pending update to Windows Defender, no actual OS patches. Still, the update installed without any UAC nagging.

Further poking around turned up a configuration option for Windows Update, one that also appears in Vista. It's called "Allow all users to install changes on this computer" and can be found by clicking on "change settings" after getting into Windows Update from the Control Panel.

I was fortunate enough to test this again on Patch Tuesday. The computer needed two patches and I installed them as a standard user but with different values for this checkbox.

When this option was on, it was smooth sailing; the patch/update/change installed without a word from UAC. When the option was off, I was still able to install the other patch, but only after entering the Administrator password.

When it came to Windows Services, there were some things the standard user couldn't do, password or no password. I could see all the services and their status and even start some. But, when it came to stopping services or changing their startup type, fuggedaboutit. I couldn't even stop a service that I started. There were no errors, warnings or prompts; these features/buttons were just disabled.

The workaround is to right click on the Services icon (still in the good old Administrative Tools section of the Control Panel) and run it as an Administrator.

I certainly understand the restrictions here but don't get why Services are controlled so differently from the other system-related tweaks that a standard user can't perform without an administrative password. Certainly someone can forget that they're logged on as a standard user (or not understand the concept) and wonder why they can't stop any services.

As soon as I went into the Task Scheduler, there was an error that "The selected task "{0}" no longer exists. To see the current tasks, click Refresh." This seems to be a Windows 7 bug, as I got the exact same error when logged in as an Administrator.

Viewing the password that Windows 7 stored for my Wi-Fi network required the Administrator password.

Installing software, as expected, requires a password. But the software I installed, TrueCrypt 6.3, is, perhaps, the worst case scenario. When used in portable mode (which is how I prefer to use it), standard Windows 7 users need to provide a password every time they run TrueCrypt.

Finally, I tried making an image backup as a standard user. This required a password, perhaps because it backs up files belonging to other users.

After the backup, I was curious to see how the compression went. For whatever reason, the properties of the output folder show no space allocation data. So, I drilled down one level. The properties of this folder also showed no information about disk space usage. So I drilled down again and again. No big deal, except that every time I went down a level, I had to re-enter the Administrative password.

The biggest glitch I ran into involved an external USB hard drive. For whatever reason, Windows required the Administrator password just to rename a folder on the drive. Unlike all the above, this wasn't intended as a test, I just needed to rename a couple folders.

These tests just scratched the surface; more needs to be done. Whether life as a standard Windows 7 user is practical may well turn out to be a matter of opinion.