Oh the Pain: Paul's First Week as a Limited User

Last week, I mentioned that I'd be testing the experience of running Windows XP Professional Edition as a Limited account user, rather than using the more typical Administrator account that XP sets up for you by default. I didn't expect to have anything significant to report this soon, but after a week of experimenting, I have a lot to discuss, both good and bad. Here's how it's going so far.

To test the Limited account scenario, I wiped out my main desktop machine and reinstalled XP from scratch. During installation, XP doesn't offer you a chance to create Limited accounts (as Linux does) but instead creates any account as an Administrator account with no password, which is incredibly unsafe. I created a local "Paul" account during setup and installed XP Service Pack 2 (SP2) after the final reboot. Then, I changed Paul to a Limited account, assigned a password, held my breath, and dived right in. First step: Install a bunch of software.

The software I use is typical in many ways. I generally start with Microsoft Office 2003, which is, of course, savvy to the different types of user accounts Windows users might have and automatically opens a Run As dialog box that warns you that the suite must be installed by an Administrator account. The warning and automatic Run As dialog box is a nice feature, and over the course of installing several software packages, I was surprised by how many programs offered this facility.

However, quite a few software applications aren't aware of this Administrative account requirement, and their setup routines fail with a warning stating that the current user doesn't have sufficient privileges. In such cases, you can generally locate the setup.exe (or similar) application, hold down the Shift key, right-click, and choose Run As. You can then usually install the application under the privilege level of an administrator-type account.

A third level of applications seems fairly insidious. You install these applications by using Run As, and after Setup finishes, the Start Menu contains no shortcut to the application you just installed. So, you have to manually hunt down the application and create shortcuts. (OpenOffice.org and MSN 9 both showed this behavior.) That's silly.

Finally, some applications won't work even after you install them from an administrator-level account. Many games behave this way. For example, after I used Run As to install Activision's "Call of Duty," I couldn't successfully run the game because the first time the program attempted to write a configuration setting, it crashed. When I tried to run the game with Run As, it also failed. I even tried to install the application to a nonprotected folder, with no success.

I'll grant you that games aren't a common application at most businesses, but let's face reality here: We use Windows at work, and we use it at home, and arguably, many people would be more inclined to create Limited accounts for family members than for coworkers. But the home-oriented scenarios are the ones in which the Limited user accounts fall apart most easily.

Another shortcoming is shortcut creation. As I mentioned earlier, some applications don't create a shortcut when you use Run As from a Limited account to install the application. But many applications create shortcut icons on the desktop, which is precisely where I don't want them. And then, you can't delete them from a Limited account. Why, you ask? Well, because the shortcuts aren't stored on your desktop, they're stored in the All Users account's desktop, which transparently copies its contents to the current user's desktop at runtime. To delete these shortcuts, you need to use Run As to run cmd.exe, navigate to the All Users desktop folder (C:\Documents and Settings\All Users\Desktop), then delete them by using the DEL command you might remember from your DOS days. This task isn't one that many home users would know about or be comfortable performing.

A related problem is the Start Menu, which quickly fills up with shortcuts created in both your account and the All Users account. I generally like to subdivide the clutter in the Start Menu with logical subfolders such as Digital Media, Internet, and Utilities so that I don't have to look at too many folders every time I open the Start Menu. But with a Limited account, I find it more difficult to push folders into my structure because most of the folders exist in All Users and the system complains when I try to move them. I would need to log on as an Administrator account to perform this task.

For some tasks, however, XP is surprisingly accessible from a Limited account. After I assigned a password to my Limited account, I could easily access my network shares, where I keep data and application installations. Many applications work fine with no prodding. You quickly learn when you need to use Run As (with many Control Panel applets) and when you don't, although I think a system such as the one that Linux and Mac OS X use--one that automatically prompts you for an Administrator-level password when needed--would be simpler and more secure than XP's haphazard approach.

On Thursday, I'm flying to Chicago to speak to a user group, and I'm still debating whether I should convert my laptop to a Limited account to see how it fares on the road. But so far, the Limited account experience has been painful. At home, I'll continue this experiment to determine in which areas XP falls short. But clearly, some work needs to be done, primarily with third-party software writers, to make Limited accounts a more viable option for most users. I'm a fairly sophisticated user, but I think the average person would give up computers all together before trying to use them like this.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.