Windows & .NET Magazine UPDATE--Oh the Pain: Paul's First Week as a Limited User--June 22, 2004

This Issue Sponsored By

Argent Software

Windows & .NET Magazine


1. Commentary
- Oh the Pain: Paul's First Week as a Limited User

2. Hot Off the Press
- Microsoft Enlists College Students to Improve Office

3. Inside Windows Scripting Solutions
- July 2004 Issue
- Focus: Augment Your Argument Arsenal

4. Resources
- Featured Thread: Microsoft IIS Attacks. Help!
- Tip: Can I switch an Active Directory (AD) domain from native mode to mixed mode?

5. New and Improved
- Maintain Network Flow and Performance
- Audit and Recover Passwords
- Tell Us About a Hot Product and Get a T-Shirt!

==== Sponsor: Argent Software ====

Free Download: Monitor Your Entire Infrastructure with ONE Solution
The Argent Guardian monitors servers, applications, any and all SNMP-compliant devices as well as the overall health of the entire network at a fraction of the cost of "framework" solutions. Network Testing Labs states that "The Argent Guardian will cost far less than MOM and yet provide significantly more functionality." Using a patented Agent-Optional architecture, the Argent Guardian is easily installed and monitoring your infrastructure in a matter of hours. Download a fully-functioning copy of the Argent Guardian at:


==== 1. Commentary: Oh the Pain: Paul's First Week as a Limited User ====
by Paul Thurrott, News Editor, [email protected]

Last week, I mentioned that I'd be testing the experience of running Windows XP Professional Edition as a Limited account user, rather than using the more typical Administrator account that XP sets up for you by default. I didn't expect to have anything significant to report this soon, but after a week of experimenting, I have a lot to discuss, both good and bad. Here's how it's going so far.

To test the Limited account scenario, I wiped out my main desktop machine and reinstalled XP from scratch. During installation, XP doesn't offer you a chance to create Limited accounts (as Linux does) but instead creates any account as an Administrator account with no password, which is incredibly unsafe. I created a local "Paul" account during setup and installed XP Service Pack 2 (SP2) after the final reboot. Then, I changed Paul to a Limited account, assigned a password, held my breath, and dived right in. First step: Install a bunch of software.

The software I use is typical in many ways. I generally start with Microsoft Office 2003, which is, of course, savvy to the different types of user accounts Windows users might have and automatically opens a Run As dialog box that warns you that the suite must be installed by an Administrator account. The warning and automatic Run As dialog box is a nice feature, and over the course of installing several software packages, I was surprised by how many programs offered this facility.

However, quite a few software applications aren't aware of this Administrative account requirement, and their setup routines fail with a warning stating that the current user doesn't have sufficient privileges. In such cases, you can generally locate the setup.exe (or similar) application, hold down the Shift key, right-click, and choose Run As. You can then usually install the application under the privilege level of an administrator-type account.

A third level of applications seems fairly insidious. You install these applications by using Run As, and after Setup finishes, the Start Menu contains no shortcut to the application you just installed. So, you have to manually hunt down the application and create shortcuts. ( and MSN 9 both showed this behavior.) That's silly.

Finally, some applications won't work even after you install them from an administrator-level account. Many games behave this way. For example, after I used Run As to install Activision's "Call of Duty," I couldn't successfully run the game because the first time the program attempted to write a configuration setting, it crashed. When I tried to run the game with Run As, it also failed. I even tried to install the application to a nonprotected folder, with no success.

I'll grant you that games aren't a common application at most businesses, but let's face reality here: We use Windows at work, and we use it at home, and arguably, many people would be more inclined to create Limited accounts for family members than for coworkers. But the home-oriented scenarios are the ones in which the Limited user accounts fall apart most easily.

Another shortcoming is shortcut creation. As I mentioned earlier, some applications don't create a shortcut when you use Run As from a Limited account to install the application. But many applications create shortcut icons on the desktop, which is precisely where I don't want them. And then, you can't delete them from a Limited account. Why, you ask? Well, because the shortcuts aren't stored on your desktop, they're stored in the All Users account's desktop, which transparently copies its contents to the current user's desktop at runtime. To delete these shortcuts, you need to use Run As to run cmd.exe, navigate to the All Users desktop folder (C:\Documents and Settings\All Users\Desktop), then delete them by using the DEL command you might remember from your DOS days. This task isn't one that many home users would know about or be comfortable performing.

A related problem is the Start Menu, which quickly fills up with shortcuts created in both your account and the All Users account. I generally like to subdivide the clutter in the Start Menu with logical subfolders such as Digital Media, Internet, and Utilities so that I don't have to look at too many folders every time I open the Start Menu. But with a Limited account, I find it more difficult to push folders into my structure because most of the folders exist in All Users and the system complains when I try to move them. I would need to log on as an Administrator account to perform this task.

For some tasks, however, XP is surprisingly accessible from a Limited account. After I assigned a password to my Limited account, I could easily access my network shares, where I keep data and application installations. Many applications work fine with no prodding. You quickly learn when you need to use Run As (with many Control Panel applets) and when you don't, although I think a system such as the one that Linux and Mac OS X use--one that automatically prompts you for an Administrator-level password when needed--would be simpler and more secure than XP's haphazard approach.

On Thursday, I'm flying to Chicago to speak to a user group, and I'm still debating whether I should convert my laptop to a Limited account to see how it fares on the road. But so far, the Limited account experience has been painful. At home, I'll continue this experiment to determine in which areas XP falls short. But clearly, some work needs to be done, primarily with third-party software writers, to make Limited accounts a more viable option for most users. I'm a fairly sophisticated user, but I think the average person would give up computers altogether before trying to use them like this.


==== Sponsor: Windows & .NET Magazine ====

Get 2 Sample Issues of Windows & .NET Magazine!
Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more. Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month!


==== 2. Hot Off the Press ====
by Paul Thurrott, [email protected]

Microsoft Enlists College Students to Improve Office
This week, Microsoft will host 15 college students from around the world at its Redmond campus to find out how they see the company's Microsoft Office suite evolving during the next 10 years, when they'll be part of the workforce that the company targets with the product. Microsoft hopes that the students, who are 19 to 24 years old, will inject a bit of a youthful outlook into Office, which has stagnated as it has matured. The weeklong brainstorming session is called the Microsoft Office Information Worker Board of the Future. For the complete story, visit the following URL:

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Now the Windows & .NET Magazine Network VIP Web Site/Super CD Really Does Have It All!
Our VIP Web site/Super CD subscribers are used to getting online access to all of our publications, plus a print subscription to Windows & .NET Magazine and exclusive access to our banner-free VIP Web site. But now we've added even more content from the archives of SQL Server Magazine! You won't find a more complete and comprehensive resource anywhere--check it out!

Free eBook--"Preemptive Email Security and Management"
Chapter 2 available now, "Evolving techniques for eliminating spam, email virus and worm threats." In this eBook, you'll discover a preventive approach to eliminating spam and viruses, stopping directory harvest attacks, guarding content, and improving email performance. Download this eBook today!

Small Servers for Small Businesses Web Seminar
Today a small business can be as agile as a large business by understanding what technology can be leveraged to create a centralized server environment. In this free Web seminar, you'll learn the perils of peer-to-peer file sharing, backup and recovery, migration from desktop to servers, and Small Business Server basics. Register now!

~~~~ Hot Release: (Advertisement) Unipress ~~~~

Quickly reduce costs, improve agent workflow, & speed customer support.
Award-winning FootPrints(R) 100% web-based service desk software is easy-to-use, affordable, & fully customizable. Centrally track all multi-channel requests, deliver self-help online, manage two-way email, and dynamically access your Microsoft Active Directory address book. New version 6.5 now available!

==== 3. Inside Windows Scripting Solutions ====

Windows Scripting Solutions is a monthly paid print newsletter loaded with news and tips to help you manage, optimize, and secure your Web-enabled enterprise. NONSUBSCRIBERS can access all the newsletter content in the online article archive from the premiere issue of Windows Scripting Solutions (December 1998) through the print issue released 1 year ago.

In addition to receiving the monthly print newsletter, SUBSCRIBERS can access all the newsletter content, including the most recent issue, at the Windows Scripting Solutions Web site. Subscribe today and access all 2003 issues online!

July 2004 Issue
To access this issue of Windows Scripting Solutions, go to the following URL:

Focus: Augment Your Argument Arsenal
Although WSH provides tools to validate arguments, problems can still arise. Luckily, you can use a .wsc component to automatically validate them. With this component and WSH's tools, you'll be armed with the tools you need to police the WSH command line.

Automate Changes to Terminal Services User Settings
The WTSSetUserInfo script gives you an easy way to automate large-scale changes to Terminal Services settings.
--Dick Lewis

==== Instant Poll ====

Results of Previous Poll: Deploying Windows Server 2003
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "When will your organization move to Windows Server 2003?" Here are the results from the 370 votes:
- 28% We've already moved to Windows 2003
- 28% We're currently in the process of moving to Windows 2003
- 19% We plan to move to Windows 2003 within the next 12 months
- 25% We have no plans to move to Windows 2003

New Instant Poll: Password-Change Policies
The next Instant Poll question is, "How often do you require users in your organization to change their passwords?" Go to the Windows & .NET Magazine home page and submit your vote for a) Every 30 days or less, b) Every 30 to 60 days, c) Every 60 to 120 days, d) Every 120 days to 1 year, or e) We don't enforce a password change policy.

==== 4. Resources ====

Featured Thread: Microsoft IIS Attacks. Help!
Forum user dealman is running Microsoft Internet Information Services (IIS) 6.0 on Windows Server 2003. He checked his logs and discovered someone is running Unicode and searching through his hard drives. How can he stop this intrusion? To join the discussion, visit the following URL:

Tip: Can I switch an Active Directory (AD) domain from native mode to mixed mode?
by John Savill

A. After you've changed an AD domain to native mode, it remains in native mode. You can't perform an authoritative restore to change the AD domain from native mode to what it was before the switch (i.e., mixed mode). If you haven't yet changed from mixed to native mode and believe you might want to switch back at some point, you should take one of the domain controllers (DCs) offline (thereby ensuring that it doesn't hold any of the Flexible Single-Master Operation--FSMO--roles), then perform the switch to native mode. Should you need to switch the AD domain back to mixed mode, perform the following tasks:

1. Turn off all the DCs.
2. Turn on the offline mixed-mode DC you set aside.
3. Use Ntdsutil to give that DC all the FSMO roles.
4. Rebuild all the other DCs from scratch; don't bring them online as DCs.

Be aware that some applications might have switched to native-mode compatibility and thus won't work when the domain is returned to mixed mode.

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine)

We're Bringing the Experts Directly to You with 2 New IT Pro Workshop Series About Security and Exchange
Don't miss two intense workshops designed to give you simple and free tools to better secure your networks and Exchange servers. Discover how to prevent hackers from attacking your network and how to perform a security checkup on your Exchange Server deployment. Get a free 12-month subscription to Windows & .NET Magazine and enter to win an Xbox. Register now!

==== 5. New and Improved ====
by Angie Brew, [email protected]

Maintain Network Flow and Performance
SMC Networks released the TigerSwitch SMC6709GL2 Compact 8-Port 10/100 + one 1000BASE-SX MMF Standalone Managed Switch and the TigerSwitch SMC6708L2 8-Port 10/100 Standalone Managed Switch. The switches feature IEEE 802.1Q Virtual LAN (VLAN), GARP VLAN Registration Protocol (GVRP), and priority queuing to ensure smooth delivery of data. The switches are 1U (1.75") tall and 10" wide. The SMC6709GL2 costs $415.99, and the SMC6708L2 costs $276.99. Contact SMC Networks at 949-679-8000 or 800-762-4968.

Audit and Recover Passwords
@stake released LC 5, the latest version of its L0phtCrack automated password auditing and recovery application. The product features precomputed password tables and a wizard-based interface to configure, schedule, and run comprehensive audits. The password-scoring feature scores recovered passwords' strength, and the reporting feature highlights problem areas and provides real-time data and summary reports about password length and types. After LC 5 identifies weak passwords, you can force users to reset their passwords on their next logon. The product runs on Windows 2003/XP/2000/NT and UNIX systems and is available in professional, administrator, site, and consultant editions. You can download a free 15-day trial from @stake's Web site. For pricing, contact @stake at 617-768-2715.

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

==== Sponsored Links ====

Comparison Paper: The Argent Guardian Easily Beats Out MOM

CommVault - Free White Paper: Managing the Infinite Inbox

VERITAS Software
VERITAS White Paper: Reclaim 30% of Your Windows Storage Space Now!


==== Contact Us ====

About the newsletter -- [email protected]
About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring UPDATE -- [email protected]


==== Contact Our Sponsors ====

Primary Sponsor:
Argent Software -- -- 1-860-674-1700

Hot Release:
UniPress Software --


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

View the Windows & .NET Magazine Privacy policy at Windows & .NET Magazine a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All Rights Reserved.
