Is a standard user account necessary for tight security and home user?

Page 7 of 7 FirstFirst ... 567

  1. Posts : 16,325
    W10Prox64
       #61

    I am not using a public network, nor a homegroup of any kind.

    I had a chance to test the windows repair program on Tweaking.com yesterday, and it has an option to reset permissions to default. If you would like to try it, let me know. But I would remove all homegroup/network sharing before doing it, so you can start fresh.
      My Computer


  2. Posts : 2,979
    Windows 11
    Thread Starter
       #62

    simrick said:
    I am not using a public network, nor a homegroup of any kind.

    I had a chance to test the windows repair program on Tweaking.com yesterday, and it has an option to reset permissions to default. If you would like to try it, let me know. But I would remove all homegroup/network sharing before doing it, so you can start fresh.
    Hi Simrick,

    Thanks for your offer. I've got a very helpful guy over at superuser.com helping me to reset the permissions so we'll see how that goes first...

    Basically the Users folder should not have been shared and the individual user accounts should not have inherited full control. Why it ended up like this I'm not sure yet.

    I'd still be interested to know more about your program...
      My Computer


  3. Posts : 2,979
    Windows 11
    Thread Starter
       #63

    Hi Simrick,

    I'd like to try the program you have. Unfortunately it's become to complex to workout with back and forth comments over the forum.
      My Computer


  4. Posts : 2,979
    Windows 11
    Thread Starter
       #64

    Steve C said:
    If you try to access another user's files from your local account, I you should get a UAC prompt requesting the admin password for access after which the permissions will be changed allowing you permanent access to the other user's folder. See the enclosed prompt when I just tried to access my backup admin account from my user account - I would get permanent access if I followed through and entered the admin password.
    Attachment 102770
    I think this has been my issue all along. Being new to multiple accounts I must have granted one time access to to the administrators user folder from my newly created standard account and not thought anything of it. I've then totally overlooked what you guys were saying about the ONE TIME ACCESS still thinking that I shouldn't be able to access the admins user folder from my standard user account!

    I'm so sorry, I've probably really confused you guys!

    I've run @fdegrove's acl.bat again in the hope that it has restored any wrong changes that I've made along the way. Should you know if the acl.bat has been successful once you've run it?

    On a side note, why does access to administrator locked folders/files only need a one time permission to access?
      My Computer


  5. Posts : 5,478
    2004
       #65

    It doesn't matter if your user is part of the Administrator group or not (as long as you don't mess with UAC).

    In both cases you will by default start processes as a standard user. The difference is that if you are part of the Administrators group you can override the prompt "Do you want this app to make changes to your device". If you are not then you have to enter the password from an administrator. That is all.

    The end result is the same - the launched process will have Administrator privileges and can do what it wants. It has been this way since Vista. You can check this by looking in the details tab in task manager if you right click and add the elevated column - here are 2 command prompt windows - one running as Administrator permissions (I accepted the prompt) and one not.

    Is a standard user account necessary for tight security and home user?-cmd.png

    Do whichever you find more convenient but just don't (in either case) just say "OK" if you aren't sure what the program is or you don't trust it. Except for installation most program should not require Administrator privileges unless they are utilities looking into the whole system not just your data. If a program asks you for this permission you should question why they do and (by default) say no unless you are sure.

    In regards to your question "Why do you only have to do it once" about accessing folders that is because after you have given it authority to do so your user is granted permanent authority to the folder. The one time task has been done and you now have permanent authority.

    It tells you this at the time...

    Is a standard user account necessary for tight security and home user?-capture.png

    Personally my profile is set as local admin and there is not (afaik) any risk from doing this.

    Other users on my PC I set as standard users as I don't trust them not to just click "OK" on everything.
      My Computer


  6. Posts : 2,979
    Windows 11
    Thread Starter
       #66

    After granting permanent access let's say you wanted to make it inaccessible again how would you do that?
      My Computer


  7. Posts : 31,473
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #67

    Kol12 said:
    After granting permanent access let's say you wanted to make it inaccessible again how would you do that?
    In File Explorer, right-click on the folder and select Properties. On the Security tab you will see your user account is listed as having full control. Click the Edit button, select your user account in the list. DO NOT TOUCH any of the other names. Click Remove, then Apply (or OK).

    You will see a message window saying it is applying changes - then immediately an error message saying (basically) you can't see what you're doing because access is denied (well, it would be, wouldn't it - you've just denied yourself access). Despite the apparent errors, you have successfully removed your access to the folder (until next time you click on it and are asked if you want permanent access).
      My Computers


  8. Posts : 2,979
    Windows 11
    Thread Starter
       #68

    Bree said:
    In File Explorer, right-click on the folder and select Properties. On the Security tab you will see your user account is listed as having full control. Click the Edit button, select your user account in the list. DO NOT TOUCH any of the other names. Click Remove, then Apply (or OK).

    You will see a message window saying it is applying changes - then immediately an error message saying (basically) you can't see what you're doing because access is denied (well, it would be, wouldn't it - you've just denied yourself access). Despite the apparent errors, you have successfully removed your access to the folder (until next time you click on it and are asked if you want permanent access).
    I thought it might have been something along the lines of this except instead of removing the user I thought you might have to limit their permissions. I tried it myself and limited the user from full control to only read & execute, list and read permissions but that didn't work. It makes sense to remove the user though...

    While doing this I received an error similar to what you describe, a "failed to enumerate objects in the container. Access is denied." It seemed to be for multiple files and folders. I edited these permissions as administrator and they were for a standard account.
      My Computer


  9. Posts : 31,473
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #69

    Remove the user is the correct action. You can look at the permissions of a folder to which you don't have access by looking at the Properties/Security tab, clicking Advanced then 'Click Continue to attempt the operation with Administrator privileges'. You user account will not be listed. After trying to open the folder and clicking '...Continue to permanently get access to this folder' the only change is that your user account has been added to the list.
      My Computers


  10. Posts : 2,979
    Windows 11
    Thread Starter
       #70

    Bree said:
    Remove the user is the correct action. You can look at the permissions of a folder to which you don't have access by looking at the Properties/Security tab, clicking Advanced then 'Click Continue to attempt the operation with Administrator privileges'. You user account will not be listed. After trying to open the folder and clicking '...Continue to permanently get access to this folder' the only change is that your user account has been added to the list.
    Thanks for providing that information. What other folders would a standard user usually not have access to? I seem to be able to browse around most of the OS in my standard account...

    I had a brief issue the other day when logging into the administrator account. It was almost stuck on loading when logging in and took a long time to open up to the desktop. When it did open I was greeted with an error similar to the one we've mentioned and it was something to do with access denied to the desktop. The background was black, there were no desktop icons and the start menu didn't work. I kinda started panicking as I didn't know what had happened and I couldn't recall making any changes anywhere. Another error then popped up very breifly that I didn't have time to capture. I then either restarted or shutdown and the account returned to normal.

    Does this sound like something to be concerned about?

    What stands out in Event viewer after this happened is this:

    "Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


    Details:
    AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.


    System Error:
    Access is denied."

    Source: CAPI2

    Event ID: 513
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 08:02.
Find Us




Windows 10 Forums