Reverse Administrator/User Accounts?

  • Thread starter Thread starter CWLee
  • Start date Start date
C

CWLee

(Running Vista Ultimate 64-bit, SP-1, IE-7, classic mode.)

I currently have an administrator account I'll call AAA.
I currently have a user account I'll call BBB.
(I also have a guest account, turned off, which can be
ignored for this post.)

On account AAA I have done extensive personalization
(changing icons, removing some from desktop, etc.) which I
want to retain. Account BBB is just as it was produced when
I created it, and has rarely been used.

Heretofore I have used account AAA all the time, and have
not used account BBB. I have since been advised not to
operate in an administrator's account (AAA) for security
reasons, and that it is better to operate in a user account
(such as my BBB).

So, I'd like to reverse my two accounts, with BBB becoming
the administrator account, and AAA becoming my regular user
account. Here is how I propose doing that, and I'd like
some feedback on any risks or problems foreseen with this
scenario:

Change account BBB to be an administrator account. Then
change account AAA to be a user account. Then change name
of account AAA (temporarily) to CCC. Then change name of
account BBB to AAA. Then change account CCC to BBB. When
that process is complete I'd have account AAA with all my
current personalizations, but as a user account; account BBB
would be the plain and simple account, but the administrator
account hardly ever used.

Anyone see any problems with that approach? If I do this
will my security be better, in terms of protection from
viruses?

Other relevant comments welcome.
--
 
CWLee said:
Heretofore I have used account AAA all the time, and have
not used account BBB. I have since been advised not to
operate in an administrator's account (AAA) for security
reasons, and that it is better to operate in a user account
(such as my BBB).
Click to expand...

I've never heeded that advice... and even have UAC turned off.

I have so many backups of my entire system that I don't worry about
such matters... and my computing is SO much easier.
 
CWLee said:
(Running Vista Ultimate 64-bit, SP-1, IE-7, classic mode.)

I currently have an administrator account I'll call AAA.
I currently have a user account I'll call BBB.
(I also have a guest account, turned off, which can be ignored for this
post.)

On account AAA I have done extensive personalization (changing icons,
removing some from desktop, etc.) which I want to retain. Account BBB
is just as it was produced when I created it, and has rarely been used.

Heretofore I have used account AAA all the time, and have not used
account BBB. I have since been advised not to operate in an
administrator's account (AAA) for security reasons, and that it is
better to operate in a user account (such as my BBB).

So, I'd like to reverse my two accounts, with BBB becoming the
administrator account, and AAA becoming my regular user account. Here
is how I propose doing that, and I'd like some feedback on any risks or
problems foreseen with this scenario:

Change account BBB to be an administrator account. Then change account
AAA to be a user account.
Click to expand...


Yes, that would work.

Then change name of account AAA (temporarily)
to CCC. Then change name of account BBB to AAA. Then change account
CCC to BBB.
Click to expand...


Here's where you lose me. Why go through all these contortions with
renaming accounts? There's no point, and remember that the user profile
folders will *NOT* be renamed when you do this, so you'll end up with
AAA's account settings, portion of the registry, and data files stored
where they originally were, in the user profile labeled BBB, and BBB's
files and settings stored in the user profile AAA. At some point down
the road, this is bound to lead to some confusion.

When that process is complete I'd have account AAA with all
my current personalizations, but as a user account; account BBB would be
the plain and simple account, but the administrator account hardly ever
used.

Anyone see any problems with that approach?
Click to expand...


Again, I'd forego the renaming of the accounts, but otherwise it's OK.

If I do this will my
security be better, in terms of protection from viruses?
Click to expand...


You will be more secure, yes.

Routinely using a computer with administrative privileges is not
without some risk. You will be much more susceptible to some types of
malware, particularly adware and spyware. While using a computer with
limited privileges isn't the cure-all, silver bullet that some claim it
to be, any experienced IT professional will verify that doing so
definitely reduces that amount of damage and depth of penetration by the
malware. If you do happen to get infected/infested while running as an
administrator, the odds are much greater that any malware will be
extremely difficult, if not impossible, to remove with formating the
hard drive and starting anew. The intruding malware will have had the
same (administrative) privileges to all of the files on your hard drive
that you do.

A technically competent user who is aware of the risks and knows
how to take proper precautions can usually safely operate with
administrative privileges; I do so myself. But I certainly don't
recommend it for the average computer user.



--

Bruce Chambers

Help us help you:


http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
 
"Here's where you lose me. Why go through all these
contortions with renaming accounts? There's no point, ... "

Thanks for your advice and information. It is good to get a
lengthy, thought-out, on target reply.

The end result I'd like is to log onto a (USER) account with
the name AAA that has the current personalizations that my
current AAA (ADMINISTRATOR) account has. I'm the only
person who uses this account, but I'm trying to get the
increased security you mention while at the same time
keeping the current personalizations I have on my
Administrator account. (I know I could just re-configure my
User account to match those personalizations, but that is a
LOT of effort, and some of it I don't even remember how I
did nearly 18 months ago. Things like getting ride of icons
for the Recycle Bin, and changing icons on programs that
want to keep their own logo-icons, etc.)

I appreciate your attention and insights, and if you have
other ways to achieve my goal I'd appreciate it. As a
practical matter to me, I don't fully understand the
implications of "the user profile folders will *NOT* be
renamed when you do this, so you'll end up with AAA's
account settings, portion of the registry, and data files
stored where they originally were, in the user profile
labeled BBB, and BBB's files and settings stored in the user
profile AAA. At some point down the road, this is bound to
lead to some confusion."

Again, thank you very much for your attention, and I look
forward to any further insights you can provide to help me
achieve my goal.

==================================
 
CWLee said:
"Here's where you lose me. Why go through all these contortions with
renaming accounts? There's no point, ... "

Thanks for your advice and information. It is good to get a lengthy,
thought-out, on target reply.

The end result I'd like is to log onto a (USER) account with the name
AAA that has the current personalizations that my current AAA
(ADMINISTRATOR) account has. I'm the only person who uses this account,
but I'm trying to get the increased security you mention while at the
same time keeping the current personalizations I have on my
Administrator account. (I know I could just re-configure my User
account to match those personalizations, but that is a LOT of effort,
and some of it I don't even remember how I did nearly 18 months ago.
Things like getting ride of icons for the Recycle Bin, and changing
icons on programs that want to keep their own logo-icons, etc.)
Click to expand...


Changing the AAA Account from an administrative account to a limited
account won't change any of those "personalizations."

I appreciate your attention and insights, and if you have other ways to
achieve my goal I'd appreciate it.
Click to expand...


Simply change the permissions levels of the two accounts, as you'd
already planned. None of the customizations or "personalizations" of
either account will be affected.

As a practical matter to me, I don't
fully understand the implications of "the user profile folders will
*NOT* be renamed when you do this, so you'll end up with AAA's account
settings, portion of the registry, and data files stored where they
originally were, in the user profile labeled BBB, and BBB's files and
settings stored in the user profile AAA. At some point down the road,
this is bound to lead to some confusion."
Click to expand...

The user profile folders (C:\Users\UserName) are protected system files
and, once created, *cannot* be renamed, even if the associated user
logon account has been renamed.

This means that if you rename account AAA to BBB, its data files,
desktop icons, Internet Explorer favorites, etc., will all still be
located under the C:\Users\AAA folder hierarchy. (And BBB's files,
favorites, etc., will be in the C:\Users\BBB folder hierarchy even
though the account has been renamed to AAA. This would make it awfully
easy to mistakenly modify, move, copy or delete the wrong file or folder
when working with Windows Explorer.


--

Bruce Chambers

Help us help you:


http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
 
Thanks,


"The user profile folders (C:\Users\UserName) are protected
system files and, once created, *cannot* be renamed, even if
the associated user logon account has been renamed. This
means that ... "

OK, I'm beginning to understand - I think. When an account
is first created, whether as an administrator or user
account, it is given a "birth name" which remains forever in
the system bowels/archives, even if the "working name" is
changed several times, and whatever the administrator/user
assignment happens to be at any particular time. Any
attempts later to modify files or programs associated with
an account cannot be reliably found using the "working
name" - one would have to know and use the "birth name."

Am I close?

Again, many thanks.

===========================
 
Back
Top