Windows Vista RC1: you have the right to do ... nothing, actually

James Bannan
05 September 2006, 11:45 AM


I discovered today that Vista's irritating User Account Protection completely locks you out from doing certain things on your PC. It's like that annoying message in XP warning you not to modify system folders, except there's no 'I know what I'm doing' option to skip past it.


I say, I say, I say…when is an administrator not an administrator? When they’re a Vista administrator!

ROFLMAO.

It’s true, but were you laughing? Neither was I. It’s not funny.

David Flynn talked in a recent article about how, after we upgraded an APC machine to Vista RC1, we noticed we couldn’t open Outlook PST files stored on an external drive. It turned out to be a problem with permissions - despite being an administrator, the user didn’t have Modify and Write access to the PST file, so Outlook couldn’t expand the file using the rights inherent in his credentials.

Once the user account was explicitly added to the folder’s security permissions, things went back to normal.

Step back a bit from this particular incident and look at the larger picture - in Windows Vista, system administrators are genuinely NOT administrators, and things break when that happens. When something as basic as opening a PST on an external drive breaks, that's a real worry.
This is all due to UAC - User Account Control [such an important new feature of Vista's security system that Microsoft even has a blog about it.]

Anyone who has tested a Vista pre-release build has seen it jump into that protected desktop mode, prompting for confirmation when you want to access some particular system feature or install an application. If you haven't seen it, Microsoft has a 12 minute demonstration video of it. You may want to switch it off after about 20 seconds.

UAC alerts are irritating, but fortunately they can be completely disabled (more on that later). However, they’re symptomatic of events happening at a lower level.

Why administrators ain't administrators

By default in Vista, the first account you create is a member of the Administrators group. You can check that by going into Computer Management (right-click My Computer, Manage) and navigating to Local Users and Groups.

Take a look at the properties of your own user account under "Member Of", or look at the members of the Administrators group, and there you are.

The local Administrator account is also listed there, which should be reassurance enough that you have full local admin access.


However, let’s suppose you want to do something like change all the security permissions on the C:\Program Files folder. As an administrator you should be able to, right? Wrong.

Right-click on Program Files and select Properties. Go to the Security tab and there’s a list of currently-assigned access rights.

Click Edit, go through the standard confirmation, and then try to change something. You can’t - everything is greyed out.


However, turn UAC off and suddenly all is revealed - you now have full access to the underlying filesystem returned to you.

There are a number of ways to disable UAC, and I’ll go into them in greater detail once I get some info back from Microsoft, but a straightforward way to do it is to go into the Control Panel, switch to Classic View, double-click User Accounts, and select “Turn User Account Control on or off”. This takes you to another window, where you simply untick the checkbox to disable UAC, hit OK and then reboot.


UAC is one of those aspects of Vista which offers both great and highly annoying features. The concept behind it is sound - distance users from the OS, thereby protecting both the OS and the users themselves. It also gives great flexibility to users with standard user rights - these users on Vista can do much more to personalise the experience than Windows XP’s all-or-nothing approach. UAC can also be used to run applications intelligently with elevated privileges, which is great news for desktop admins trying to strike a balance between functionality and security.

However, power users don’t want to be protected, don’t want to be babysat, don’t want to be cut off from anything. They want full access, all the time, and if something breaks they won’t come crying to your door. They’ll take responsibility for the stuff-up and sort it out themselves. And for these people, UAC is the software equivalent of hearing a mozzie buzzing around in your bedroom when you’re trying to sleep.

Personally, when I do a Vista install from now on for my own use, UAC is the first thing to go.





Comments


Guy:

Hi James

I don't quite get the point of your argument. You start off by complaining that UAC blocks you from doing 'power user' stuff with Vista, but then you show how easily it can be turned off. So where's the problem? If you're a power user, turn off UAC. Simple. If you're not - or if you're a sysadmin, leave it on so other users can't mess with the OS. It seems bitching about Vista makes for easy headlines -- just think how many problems would be solved if XP had anything close to UAC...

gL

29 February 2008, 8:28 PM

James Bannan:

Hi Guy,

You make a valid point, but that's not really what I was driving at. The point of the article is that UAC has been marketed as one of the MAJOR security features of Vista - protecting the OS from the users. That in itself is a good thing, and it's even a good thing as far as power users go to be honest. BUT if you're a power user/administrator, UAC gives you none of the benefits and all of the annoyances of restricted use. So you basically HAVE to turn it off, which means you don't get the benefit of UAC if you have non-admin user accounts on that same machine.

Business systems would fall into this category - there are generally standard user accounts plus admin accounts sharing the same space.

It's just a shame that this feature is so useful on the one hand, and nothing but pain on the other. It's an inclusion I'd love to love, but can't. It offers great features, but at an unnecessary price.

29 February 2008, 8:28 PM

Guy:

Hi

Good points. A simple solution would be to have another level of UAC instead of just on and off. In that way you'd be able to create an administrator account with fewer UAC disruptions, which can only be activated using an administrator password.

'Normal' or default UAC would then be for everyone else, so unless you're a 'true' administrator, you'll be rightly restricted with what you can do on a Vista machine.

All it will take is a few more lines of code and the whole system can be saved from the inevitable flame war of criticisms it will otherwise get once Vista's unleashed on the masses.

Fix this and the list of Vista's UI inconsistencies, and Microsoft will have a real winner. Right now it's a good idea built poorly by committee, which is a real shame. Thank God we're only at RC1.

gL

29 February 2008, 8:28 PM

James Bannan:

Exactly so. At the moment UAC has a slightly "tacked-on" feel....more of an application which sits on top of the OS like Windows Firewall rather than an integrated security feature. As you say, a few little tweaks and it will probably work great all round.

29 February 2008, 8:28 PM

M:

The problem of ACLs on removable NTFS volumes is a tough one. Note that if the volume is formatted with Vista RC1 you'll get Everyone/All Access. From here, you can change the permissions as you see fit, without relying on the old Administrator/All Access behavior.

Unfortunately Vista still has to honor whatever ACLs were on the volume previously, which creates this behavior.

29 February 2008, 8:28 PM

James Bannan:

That's interesting - especially as Vista and XP are both running the same version of NTFS. You wouldn't think that there would be an issue cross-platform, would you?

Just checking my own external drive formatted with NTFS on Windows XP, the Everyone group only has Special Permissions and nothing else - Users have Read&Execute/List/Read. Only Administrators and SYSTEM have full rights. That, combined with UAC filesystem restrictions is probably where the problem is stemming from.

Some recent info from Microsoft suggests that this is actually a Vista bug, rather than a "feature". Hopefully we'll see it eradicated in the final release.

29 February 2008, 8:28 PM
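
A simplified model of the access check behind the PST problem in the article and the ACLs discussed in this thread, added here as an illustration; it is not code from the article, the commenters or Microsoft. It assumes that with UAC on, an administrator's everyday token carries the Administrators group as deny-only, so allow entries for that group do not count; the account name `alice` and the toy access bits are constructed.

```python
# Simplified model of an NTFS DACL walk; not Windows' actual implementation.
READ, WRITE, ADMIN = 0x1, 0x2, 0x4   # toy access bits (assumed, not real masks)
MODIFY = READ | WRITE
FULL = READ | WRITE | ADMIN

def make_token(user, enabled, deny_only=()):
    """Token = user SID plus groups; deny-only groups match only deny ACEs."""
    return {"user": user, "enabled": set(enabled), "deny_only": set(deny_only)}

def access_check(token, dacl, desired):
    """Walk ACEs in order; grant only if every desired bit gets allowed."""
    remaining = desired
    allow_sids = {token["user"]} | token["enabled"]
    deny_sids = allow_sids | token["deny_only"]
    for ace_type, sid, mask in dacl:
        if ace_type == "deny" and sid in deny_sids and mask & remaining:
            return False
        if ace_type == "allow" and sid in allow_sids:
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

# DACL as described for the XP-formatted external drive (the Everyone
# "Special Permissions" entry is left out: the page does not say what it held).
XP_DRIVE_DACL = [
    ("allow", "Administrators", FULL),
    ("allow", "SYSTEM", FULL),
    ("allow", "Users", READ),
]

# Constructed sample account "alice", a member of Administrators.
filtered = make_token("alice", enabled={"Users"}, deny_only={"Administrators"})
elevated = make_token("alice", enabled={"Users", "Administrators"})

def with_explicit_user_ace(dacl, user):
    """The article's fix: add the user account itself with Modify rights."""
    return dacl + [("allow", user, MODIFY)]

if __name__ == "__main__":
    fixed = with_explicit_user_ace(XP_DRIVE_DACL, "alice")
    for label, tok, acl in [("UAC on, original ACL", filtered, XP_DRIVE_DACL),
                            ("elevated / UAC off", elevated, XP_DRIVE_DACL),
                            ("UAC on, user ACE added", filtered, fixed)]:
        print(f"{label}: read={access_check(tok, acl, READ)} "
              f"modify={access_check(tok, acl, MODIFY)}")
```
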

Guy:

I just don't get why these problems persist when reasonably simple solutions are obvious to far less technically astute people than Microsoft has on its payroll.

I mean really, make UAC a flexible solution, with one level for general users and one level for administrators (password protected of course), and everyone's happy. You can then even disable the option of disabling UAC, because there'd be absolutely no reason to (administrator-level UAC will be equivalent to an all-access pass, only it'll be password protected so regular users won't be able to access it).

This is not rocket science.

29 February 2008, 8:28 PM

E:

You know, for a home-user, UAC may seem like an annoyance. But as a network administrator who is already using it (Vista RC1 with UAC turned ON) in a real, live environment with real, live employees, I can say that the UAC is a tremendous help!

Perhaps you don't realize how much of a pain for the user and the administrator it is when, with WinXP, you've got to tell the user you need to log them off and log on as the administrator to perform some function or install something for the user. The ability to do these things with the user logged on is an incredibly huge deal and has greatly helped me (the administrator) and the user as well...in fact it has actually saved a huge amount of time for everyone too! I can't say it enough...it is tremendously helpful to be able to have this kind of functionality! I'm using it now with real world users in a real work environment and I have to say that I really, really like the UAC feature, (and so do the users)!

Complaining about having to click an extra dialog box brings back memories of the George Jetson cartoon where George sits at a monitor complaining of his aching "push-button finger".

Even running with Administrative rights, *I* appreciate the extra dialog box as it also gives an administrator an extra chance to prevent something from messing with your PC. It gives a *User* an opportunity to have an administrator assist them without the pain and waste of time in logging on and off for the change to be made.

Considering all the numerous exploits and vulnerabilities that occur because some malicious software can suddenly run with the user's rights, simply by visiting a malicious website or receiving a malicious email or just being connected to the internet, this kind of protection will greatly help and reduce the ability of malicious code from running on Vista boxes with UAC turned on.

UAC is a big change, but after everyone finishes venting about the change, in the end, I believe it will be a big help and folks will come to appreciate it.

29 February 2008, 8:28 PM

James:

E,

When performing admin tasks on a user's XP computer in a networked environment you should use the "Run As" feature (right click application then choose run as).

Logging on as an administrator on a user's machine is a security risk and waste of resource because it creates an admin profile.

I agree with your UAC comments though, a few more tweaks and it's going to save lots of $$ when coming to system maintenance.

Thanks
James

29 February 2008, 8:28 PM

M:

Guy:

1. Run Mmc
2. Add the "Group Policy Object Editor" snapin
3. Expand Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options
4. Scroll down to User Account Control at the bottom
5. Note that User Account Control: behavior... options are separate for Administrators and Standard Users.

29 February 2008, 8:28 PM

Jake Schoermer:

You're right that in a workplace environment that this would be a great feature as it would also be in a home environment with "less than professional" users.

But what about single user systems or computers where only users who know what they're doing. I know that they can turn it off but seems to me that that's another so called "Major Selling Point" gone for the advanced user and perhaps because only administrators will really notice the changes.

As said by E the workers will notice the change of not having to switch accounts to make simple changes but I've never had that problem in all of my years in school including primary school.

If you ask me it's only network administrators who are going to notice the change. I'm not saying that it'll be a bad change just over-rated.

29 February 2008, 8:29 PM

Dgtal:

Yeah that's pretty stupid, it's simple to turn the UAC

29 February 2008, 8:29 PM
