Question for jimmah, or anyone

[Ray]

On JB's website http://www.jimmah.com/vista/security/uac.aspx there is a
Note to Administrators

"The behavior of the Run As Administrator command is different from the Run
As... command in Windows XP.

This command does not run the program in the context of the built-in
administrator, as you might have expected.

If the currently logged on user is a member of the Administrators group, the
program is given administrator access to the system, but still runs in the
context of the currently logged on user.

However, if the currently logged on user is not a member of the
Administrators group, the program will run in the context of the
administrator account that was used to authenticate with the UAC dialog."



The third sentence; am I understanding this correctly? Run as Admin means
total control, as if logged in to the Administrator account.

I don't understand the last sentence though, can someone explain please?
Words of one syllable if need be



Ray

 

[Kerry Brown]

On JB's website http://www.jimmah.com/vista/security/uac.aspx there
is a Note to Administrators

"The behavior of the Run As Administrator command is different from
the Run As... command in Windows XP.

This command does not run the program in the context of the built-in
administrator, as you might have expected.

If the currently logged on user is a member of the Administrators
group, the program is given administrator access to the system, but
still runs in the context of the currently logged on user.

However, if the currently logged on user is not a member of the
Administrators group, the program will run in the context of the
administrator account that was used to authenticate with the UAC
dialog."


The third sentence; am I understanding this correctly? Run as Admin
means total control, as if logged in to the Administrator account.

I don't understand the last sentence though, can someone explain
please? Words of one syllable if need be



Ray

I may have this wrong but here goes.

When using "Run as administrator" you never run as THE "Administrator"
account. You run as the account used in the first UAC prompt immediately
after you "Run as administrator". Using "Run as administrator" gives that
account full administrator privileges with no more UAC prompts for the
duration of that process. If you are already logged on as an administrator
then that account is used and the first UAC prompt doesn't ask for a
password. If you aren't logged on as an administrator then you have to
specify an administrator account and password at the first UAC prompt and
that account is used.

I can see a use for this. You could setup an administrator account just for
this purpose. If something messes up that user profile then you haven't
messed up any accounts that you use every day. I have had a program mess up
the user profile while trying to install it in XP compatibility mode.

If I'm wrong someone please correct me. It is confusing and seems to have
changed somewhat with RC1.

 

[Ray]

Thanks Kerry, I think I have it now.

--
Ray

I may have this wrong but here goes.

When using "Run as administrator" you never run as THE "Administrator"
account. You run as the account used in the first UAC prompt immediately
after you "Run as administrator". Using "Run as administrator" gives that
account full administrator privileges with no more UAC prompts for the
duration of that process. If you are already logged on as an administrator
then that account is used and the first UAC prompt doesn't ask for a
password. If you aren't logged on as an administrator then you have to
specify an administrator account and password at the first UAC prompt and
that account is used.

I can see a use for this. You could setup an administrator account just
for this purpose. If something messes up that user profile then you
haven't messed up any accounts that you use every day. I have had a
program mess up the user profile while trying to install it in XP
compatibility mode.

If I'm wrong someone please correct me. It is confusing and seems to have
changed somewhat with RC1.

 

[Rock]

Thanks Kerry, I think I have it now.

Here's a good article on UAC:
Understanding and Configuring User Account Control in Windows Vista
http://www.microsoft.com/technet/WindowsVista/library/00d04415-2b2f-422c-b70e-b18ff918c281.mspx

 

[Guest]

You are correct, Kerry

It is really, really confusing, and I have filed some bug reports where even
MS was confused by this behavior.

Basically, when you are logged in as an administrator, programs can either
run as a "standard user" or an "administrative user", but they both see your
administrative user's registry and settings. So, no matter what program you
run or what privilege level they run at, they are accessing the data from
your account - your registry settings, etc, not the built-in administrator
account, which some people may have expected.

I noticed a lot of administrators on here thinking that Run As
Admininstrator actually ran the program from the user profile of the built-in
admininstrator, so that is why I wrote that on my website.

However, if you are logged in as a standard user, when you run a program "as
administrator" the program is running as if the administrative user was
running it - the program does not see the standard user's registry, it sees
the administrative user's registry. This is the way Run As... works in
Windows XP.

 

[Kerry Brown]

Here's a good article on UAC:
Understanding and Configuring User Account Control in Windows Vista
http://www.microsoft.com/technet/WindowsVista/library/00d04415-2b2f-422c-b70e-b18ff918c281.mspx

Thanks, that's a very informative article.

 

[Ray]

Here's a good article on UAC:
Understanding and Configuring User Account Control in Windows Vista
http://www.microsoft.com/technet/WindowsVista/library/00d04415-2b2f-422c-b70e-b18ff918c281.mspx

Thanks Rock, that's a keeper.

 

[Rock]

Thanks Rock, that's a keeper.

You're welcome.

 

[Kerry Brown]

You are correct, Kerry

It is really, really confusing, and I have filed some bug reports
where even MS was confused by this behavior.

Basically, when you are logged in as an administrator, programs can
either run as a "standard user" or an "administrative user", but they
both see your administrative user's registry and settings. So, no
matter what program you run or what privilege level they run at, they
are accessing the data from your account - your registry settings,
etc, not the built-in administrator account, which some people may
have expected.

I noticed a lot of administrators on here thinking that Run As
Admininstrator actually ran the program from the user profile of the
built-in admininstrator, so that is why I wrote that on my website.

However, if you are logged in as a standard user, when you run a
program "as administrator" the program is running as if the
administrative user was running it - the program does not see the
standard user's registry, it sees the administrative user's registry.
This is the way Run As... works in Windows XP.

Thanks

In playing around I was quite sure this was what was happening. The link
that Rock posted was very informative. I didn't realise that when running
with an administrator account you actually get two access tokens. Once I
read that it all makes sense.