User Account Protection (UAP) in Windows Vista

It's a well-known fact that one of the most dangerous practices a Windows user can employ is running everyday sessions using an account with Administrator privileges. Even so, armed with that knowledge, the majority of users do run with an Administrator account. It's easy, it's convenient, and frankly it's a pain in the ass to use a Limited account in XP, especially if you do any type of work on the system other than the absolute basic functions. Vista is looking to change that behavior by implementing a new feature called User Account Protection. Every time I write about user accounts I always have to go back and add this information later, so I'm going to get it out of the way right at the beginning.

  • There are two types of accounts in Vista: Administrator and Standard. For example, I could have an account named Elder Geek that has Administrator privileges, or I could have an account named Elder Geek that has Standard privileges, but I can't have both; usernames are unique and can only be used once.
  • When Vista is installed it automatically creates a user account 'named' Administrator. You won't see it on the login screen nor is it listed in the Users section of Control Panel, but trust me it's there. And yes, the account 'named' Administrator 'is' an Administrator type account and has Administrator privileges, not a Standard user account with standard privileges.

So, what's the big deal about UAP and why should you care? Well, you can open up Vista Help and Support and do a search on UAP and read all about it, but this is what it says in a nutshell. If you're running your system using an account with Administrator privileges and it's compromised by malicious code or an outside intrusion, the hacker can do everything you are allowed to do with your Administrator account.

On the other hand, if you were using a Standard account, the damage would be greatly minimized because a Standard account is far more restricted in what it can change regarding the system. As Microsoft says in the Help and Support, "An administrator account is a user account that lets you make changes that will affect other users. This is the key difference between an administrator account and a standard account."

Where User Account Protection comes into play is in the way it manipulates user accounts behind the scenes. Even though you may be using an Administrator account, UAP essentially forces it to act as if it is a Standard account until you try to do something that requires the elevated privileges afforded to the higher level account. How it notifies you and the actions you must take vary depending on your basic account type.

Look at the two examples below showing what happens when we try to adjust the system time.

Logged In With Administrator Privileges Account
I'm logged in with the user account 'Elder Geek' that has Administrator privileges. Remember the statement from earlier that said, "An administrator account is a user account that lets you make changes that will affect other users." In this case, changing the date/time is an action that impacts all users of the computer.

Also remember that I said UAP runs the 'Elder Geek' account as a Standard account until a situation arises where the elevated Administrator privileges are needed, the changing of the date/time being one of those cases.

UAP is already aware that I have the Administrator privileges and am 'allowed' to make the change. The question is, do I 'want' to make the change? So it tosses up the Windows Security dialog box asking me to click the [ Allow ] button. If I click [ Allow ] it will go ahead and open the window where the change can be made.

UAP isn't questioning my right to make the change. It's just simply making me aware that the action I'm about to take could possibly impact all users, be dangerous in some way, or might make the system less secure. If nothing else it stops me and makes me think about the action without just going blindly ahead.

 

Logged In With Standard Privileges Account
Unlike the example above, this time I'm logged in with the user account 'Elder Geek - StdUser' that has Standard privileges.

Remember the statement from earlier that said, "An administrator account is a user account that lets you make changes that will affect other users."

Again in this case, changing the date/time is an action that impacts all users of the computer, but this time I don't have a user account with administrator privileges so a different result is to be expected when I click the [ Change Date and Time... ] button.

Sure enough, this time instead of getting a Windows Security dialog box that prompts me to 'allow' the action, it prompts me to enter the password for an account that does have administrator privileges.

If there is more than one user account on the system that has administrator privileges they will all be listed for selection.

If I know the password for a listed user account with administrator privileges I can go ahead and enter it and the operation will be allowed to complete. If I don't know the password the only option available is the [ Cancel ] button.

 

All this sounds well and good up to this point. As long as you remember a few key points there shouldn't be any problems or issues with having UAP enabled on Vista. Points to remember are:
  • An administrator account allows you to make changes that affect other user accounts as well as make changes directly to other user accounts.
  • An administrator account allows you to change security settings, install hardware and software, and grants you access to any and all files on the local system.
  • A standard account does not allow you to make changes that affect other user accounts or make changes directly to other user accounts.
  • A standard account does not allow you to change security settings, install hardware or software, or grant you access to system files and utilities such as disk defragmenter or Windows firewall.

As nice as that sounds, User Account Protection is not without its faults so stay with me for one more example.

 

Logged In With Standard Privileges Account
This example is 'almost' exactly the same as the one above where I'm logged in with a standard privilege account trying to change the system date/time, but this time there is one huge exception to the previous example.

A user account named Test Administrator has been created on the system, given administrator privileges, but 'is not' password protected.

Even though I am logged in with a standard user account, all I have to do to gain the necessary administrator privileges to change the date/time is select the unprotected Test Administrator user and click the [ Submit ] button, totally defeating the User Account Protection.

This change is global; it affects every user on the entire system and completely defeats the User Account Protection scheme.
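One way to find accounts like the unprotected Test Administrator above is to list every enabled local member of the Administrators group that is not required to have a password. This is an added example, not part of the original article; it assumes Windows PowerShell 5.1 on Windows 10 or later, because the `Get-LocalUser` and `Get-LocalGroupMember` cmdlets are not part of a stock Vista installation.

```powershell
# Added example (not from the original article).
# Requires the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1+).

$adminsSid = 'S-1-5-32-544'   # well-known SID of the built-in Administrators group

# Local user accounts that are direct members of Administrators.
# Domain accounts and nested groups are skipped: they cannot be read with Get-LocalUser.
$adminUsers = Get-LocalGroupMember -SID $adminsSid |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

$findings = foreach ($member in $adminUsers) {
    $user = Get-LocalUser -SID $member.SID

    # PasswordRequired = False means the account is permitted to have an empty
    # password. PasswordLastSet is empty when no password has ever been set.
    # Either one makes the account a candidate for the one-click elevation
    # described in the example above.
    $noPasswordNeeded = -not $user.PasswordRequired
    $neverSet         = $null -eq $user.PasswordLastSet

    if ($user.Enabled -and ($noPasswordNeeded -or $neverSet)) {
        [pscustomobject]@{
            Name             = $user.Name
            PasswordRequired = $user.PasswordRequired
            PasswordLastSet  = $user.PasswordLastSet
        }
    }
}

if ($findings) {
    Write-Warning 'Enabled administrator accounts that may have no password:'
    $findings | Format-Table -AutoSize
} else {
    'No enabled administrator account without a password requirement was found.'
}
```

A flagged account is a candidate, not proof of an empty password; give it a password or remove it from the Administrators group.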

Bottom Line

User Account Protection is a great step forward in securing the system and helping to prevent users from performing actions that could be detrimental to the system, but like most things it requires some common sense on the part of the system administrator or whoever is in charge of the computer that sits in a den at home. There should never be a user account on the system that isn't password protected. Period. I'm sure some will come up with a million reasons why they disagree with that statement, but I just don't buy into the logic.

Yes, User Account Protection is going to be annoying for a while until you get used to it, but after a couple of days you don't even notice it anymore and just accept it for what it is: an excellent tool to help secure and protect the system from outside intrusions as well as prevent less qualified users from mucking up the system internals. If you're the one who has ever had to deal with restoring a system because of an ill-advised program install or someone deleting system files by mistake, you'll come to appreciate UAP. Be very cautious (and conservative) in handing out administrator privileges, make sure every account is password protected, and don't share passwords. Computing life will be a lot more pleasant.

 



-  Important Information  -
The Elder Geek sites contain many articles and suggestions for modifying the Windows operating system. I've tried these tweaks and tips on many systems. Sometimes they work, sometimes not. The point is, ensure you have a current, tested backup of all system and data files and understand how to restore the system in case something goes very wrong. You can still yell at me, but I assume no responsibility for your actions and use of the information and disclaim any legal responsibility for any consequences of such actions.
 
     
  Copyright © 2002/2003/2004/2005/2006/2007/2008/2009/2010/2011, Jim Foley/The Elder Geek, All Rights Reserved Worldwide
 Reproduction, in any form, of information on this site is prohibited without express written permission.
 Microsoft is in no way affiliated with, nor offers endorsement of, this site.