Problem: Surfing the net and checking email as admin = running with scissors
Setting Up the Account
- Request an admin account for the user through the ITG Service Desk
- They will create an account with the format
-la
- They will create an account with the format
- Since the account is linked to their EID, the user can set and manage the password through the ITG Password Management page
- You will need to add this account to the Local Administrators group on the specific computer
Fixing Problematic Applications
Typical solution is to grant users group modify permissions to usual folder and/or registry locations
- HKLM\software\<appname>
- c:\“Program Files”\<appname>
If in doubt, use Process Monitor to see what file and registry locations the specific process is using
- Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity
- Hint: the keyboard shortcuts for start/stop and clear help minimize the extra info
Occasional fixes
- run the application once as admin to “initiate” the application
- make the user an admin, run the program and then remove the user from the admin group
Check with the vendor for updates or workarounds. Vendors may have fixed the issue in the latest version
Ask the community - email etags and it-talk, check blogs (for example, Aaron Margosis' "Non-Admin" WebLog)
Fixes to avoid
- “Power User” privileges do not provide enough security - see this Microsoft support article
- b. User Access Control in Vista (as administrator) – this is not considered a secure alternative
Alternative Software Delivery Methods
- Softricity – can provide a sandbox to allow the application to think they have admin rights
- Hosted Virtual Machines – user could have a virtual sandbox either through a hosted VM
- Vista – has some file and registry “virtualization” to allow some legacy apps to work better
Note: Vista and VDI are still emerging technologies for end users