Home > Articles > Programming > Windows Programming

  • Print
  • + Share This
Like this article? We recommend

What Kind of User?

I hope you're starting to see that running as a member of the Administrators group is not such a good thing and that using a LUA is a really good thing. But what kind of account should you use? Windows 2000 and later seem to have a couple of possibilities in two built-in groups: Users and Power Users. Which to choose?

When I ask that question at user group meetings or training sessions, usually a few people argue for Power Users and another group for Users, while most people are cautiously silent. The answer is most definitely not Power Users. This group is a kludge introduced in Windows 2000 so that "legacy applications" could run—apps that were written for Windows 9x and NT. These apps were written in the more innocent times of the 1990s, when it was perfectly acceptable to write to the application directory in Program Files and to the HKEY_LOCAL_MACHINE registry hive, practices that are dangerous today. Power Users is sometimes called Admin Lite because the group has just slightly fewer privileges than the Administrators group. You can be a member of Power Users and still install apps, configure the operating system, manage logins on the local machine, start and stop services, and plenty of other things that malware would love to be able to do.

The right answer is to use the Users group. The privileges assigned to a member of this group let you perform most of the everyday tasks you use a computer to do, but without the most egregious permissions to modify Windows, see other users' data, or even shut down server versions of Windows. If malware gets control of an account that is a member of Users, it will be able to do a little mischief but will be unable to do any real damage. Sensitive areas of the registry and filesystem are off limits; it can't change application-executable files to inject viruses; it can't mess with data of other users who use the machine. It will be able to change user settings in Windows, such as to change your desktop picture of your dog Fluffy to something else—but, while disturbing, this isn't really serious damage.

Yes, Users is the right group.

  • + Share This
  • 🔖 Save To Your Account