Fog Creek Software
Discussion Board




Administrative account on windows?

Question (maybe it has been asked before, but i did not find it)

Are all users of Windows nt/2000/xp running as administrator? Is anybody running as a more restricted account?

Michael Moser
Saturday, June 26, 2004

Home users usually use Admin accounts. In corporate networks, usually not.

Eric Debois
Saturday, June 26, 2004

Developers need administrative rights, or the majority of them anyway.  But they should test with regular user rights.

Simon Lucy
Saturday, June 26, 2004

That's untrue. Developers _don't_ need administrative rights for their day to day development work. The compiler doesn't require it. The debugger doesn't require it. The IDE doesn't require it.

My now woefully out of date "list of software that works" includes links to many articles that detail the process of developing without admin rights.

http://www.dotnetdevs.com/articles/RunningAsNonAdmin.aspx

Brad Wilson (dotnetguy.techieswithcats.com)
Saturday, June 26, 2004

I try to run in a non-admin role, so that when I try to do something which DOES require the admin role, I at least find that out.

I find many software packages are silent about their need for admin priveleges -- but most installs do require it.

So no, if you are 'joe blow' software developer, and you are using a well-defined set of tools, and you never leave that set, then no, you shouldn't need admin.

BUT, if you are a 'power' user, and want to evaluate tools, and want to update your skills by installing Perl or Java, perhaps even a web-server, then yes, from time to time you need admin priveleges.

AllanL5
Saturday, June 26, 2004

Trying to convince a developer to develop without administrative rights is two-fold ridiculous:

1) They'll be forced to spend extra time attempting to debug why their ASP.NET isn't debugging . . .
2) you'll be forced to spend extra time attempting to get their "user" account debugging . . .

Trust me . . . lighten up . ..  it's only their machine, anyhow.

Anon
Saturday, June 26, 2004

Ok, developers of serious applications generally need admin rights.

Developers of toys may not.

Simon Lucy
Sunday, June 27, 2004

Mr. Lucy

I respectfully disagree.

Running as Admin while development *produces* toy applications. Applications that open files or registry keys in ALL_ACCESS mode when they want to read them. Applications that change system-wide settings when they have no business doing so. Applications that cause crashes. Applications that can be taken advantage of by hackers.

Unless you are developing device drivers, you do NOT need admin privileges.

Raj Chaudhuri
Sunday, June 27, 2004

I love how some people think resorting to a sly sort of ad homenim attack means they're "participating in the debate".

It's clear that real world applications can be developed as non-admin, including ASP.NET applications, because people do it all the time, myself included.

Brad Wilson (dotnetguy.techieswithcats.com)
Sunday, June 27, 2004

"The IDE doesn't require it."

Unless you're trying to install the .net framework so you can use C #, etc.

Mr. Analogy
Sunday, June 27, 2004

"Unless you're trying to install the .net framework so you can use C #, etc."

That's what Run As is for. My Windows XP account at home is a member of the Power Users group but even that's probably too elevated.

John Topley (www.johntopley.com)
Sunday, June 27, 2004

You re-install the .NET Framework as a day to day activity?

Exceptional activities -- like installing software -- will often require admin priviledges. Day to day activities generally don't, unless the software in question was poorly designed. All Microsoft software that developers use (that I'm aware of) runs without admin priviledges required.

Brad Wilson (dotnetguy.techieswithcats.com)
Sunday, June 27, 2004

Uh, as a developer I am expected to install and use our software.  You dont need to be and admin to do this, unless you run as a service ( which you probably do ).

All sorts of essential tools only work as admins -
procexp, filemon, netmon to name a few.

It really depends what you are developing.  DDK work requires admin.  DBA not so much.

B
Sunday, June 27, 2004

"The compiler doesn't require it. The debugger doesn't require it. The IDE doesn't require it"

Of course, you probably need admin rights to install these things, but wtf.


Monday, June 28, 2004

Ok.  Yes you can use IDE's and such and yes you could install such things as an admin account and then separately login.

However, if you need write access to places like Program Files, you need to modify some registry entries, you have to use Component Services and such and so on...

Personally, logging out as me and then logging back in as Admin is simply a waste of time.

Testing is something else.

As I said.

Simon Lucy
Monday, June 28, 2004

I hereby volunteer to be the guinea pig. I've just removed my account from Administrators, placed it in Power Users instead, and logged off and back on.

Possible  activities during a day:

- Writing code and debugging in VS.NET
- Adminning SQL Server with Enterprise manager and Query Analyzer
- Adminning IIS (localhost and other servers) with IIS Admin
- Managing DNS (this is delegated to the web developers at our company -- hey, it has to do with the web, right?)
- Administering a small AD domain for development / testing boxes
- Playing with images in Macromedia Fireworks
- Installing software
- Testing web based software

I'll post back here if I run into anything that requires me to log off and back on as an administrator, or put my account back in the administrators group.  I predict that I can do all of the above with my power user account or by invoking Run As.

MacSqueeb
Monday, June 28, 2004

How come the usually well-read technical folks here are not up-to-speed on security issues? Checkout keith's excellent book:

http://www.pluralsight.com/keith/book/html/book.html
http://www.pluralsight.com/keith/book/html/howto_runasnonadmin.html

"Contrary to popular belief, you don't normally need any special privileges to debug programs on Windows. If you start a process, you own that process, and thus have full permissions to it, and that's all a debugger needs. "

igetby
Monday, June 28, 2004

So far I've run into a couple of gotchas, but they were easily solved.  I had to put myself in the "VS Developers" group to resolve some errors I got trying to open projects in VS.  Also, as noted by others, I had make a few adjustments to debug ASP.NET processes.  I followed the instructions here:

http://msdn.microsoft.com/vstudio/default.aspx?pull=/library/en-us/dv_vstechart/html/
tchdevelopingsoftwareinvisualstudionetwithnon-administrativeprivileges.asp
#tchdevelopingsoftwareinvisualstudionetwithnon-administrativeprivilegesanchor4

And would consider the changes I had to make trivial.  (You'll have to un-line-break and paste that URL; I didn't want it to to give everyone a horizontal scrollbar.)  Other than that I'm cruising along happily, although today has admittedly been a lazy day.

MacSqueeb
Monday, June 28, 2004

I do not run as Admin. And I use dev tools all the time. Since I started doing this(2000), I have doing things in my applications that would require me to have more privileges than a regular "User". Things like Mr. Lucy mentions above; writing to Program Files or to HKLM.

I DO install and uninstall apps from time to time, and need to perform administrative tasks too. I don't log out for these. I just have a start menu group containing some shortcuts, all of which are configured to run as a different user. You can do this (under Windows XP), by setting the "Run with different credentials" property of any shortcut.

The shortcuts I use are:
- A shortcut to the command processor
- A shortcut to RegEdit.EXE
- A shortcut to a custom MMC (.msc) file, which has all the snap-ins that I require (IIS Admin, Local Users & Groups, Services, Local Policy).
- A shortcut whose target is "%Windir%\system32\rundll32.exe Shell32.DLL,Control_RunDLL appwiz". This is the Add/Remove programs applet.
- A shortcut to Visual Studio. I need this to debug my ASP.NET applications, which run by default under the credentials of a user called ASPNET under Windows XP.

I do need to go through the hassle of providing an Admin-level login name and password when I invoke one of these, but since I do not need to do this very often, it's worth the pain.

Raj Chaudhuri
Tuesday, June 29, 2004

*  Recent Topics

*  Fog Creek Home