Windows 10: Is a standard user account necessary for tight security and home user?
I am not using a public network, nor a homegroup of any kind.
I had a chance to test the windows repair program on Tweaking.com yesterday, and it has an option to reset permissions to default. If you would like to try it, let me know. But I would remove all homegroup/network sharing before doing it, so you can start fresh.
Thanks for your offer. I've got a very helpful guy over at superuser.com helping me to reset the permissions so we'll see how that goes first...
Basically the Users folder should not have been shared and the individual user accounts should not have inherited full control. Why it ended up like this I'm not sure yet.
I'd still be interested to know more about your program...
I'd like to try the program you have. Unfortunately it's become to complex to workout with back and forth comments over the forum.
I think this has been my issue all along. Being new to multiple accounts I must have granted one time access to to the administrators user folder from my newly created standard account and not thought anything of it. I've then totally overlooked what you guys were saying about the ONE TIME ACCESS still thinking that I shouldn't be able to access the admins user folder from my standard user account!
Steve C said:
I'm so sorry, I've probably really confused you guys!
I've run @fdegrove's acl.bat again in the hope that it has restored any wrong changes that I've made along the way. Should you know if the acl.bat has been successful once you've run it?
On a side note, why does access to administrator locked folders/files only need a one time permission to access?
It doesn't matter if your user is part of the Administrator group or not (as long as you don't mess with UAC).
In both cases you will by default start processes as a standard user. The difference is that if you are part of the Administrators group you can override the prompt "Do you want this app to make changes to your device". If you are not then you have to enter the password from an administrator. That is all.
The end result is the same - the launched process will have Administrator privileges and can do what it wants. It has been this way since Vista. You can check this by looking in the details tab in task manager if you right click and add the elevated column - here are 2 command prompt windows - one running as Administrator permissions (I accepted the prompt) and one not.
Do whichever you find more convenient but just don't (in either case) just say "OK" if you aren't sure what the program is or you don't trust it. Except for installation most program should not require Administrator privileges unless they are utilities looking into the whole system not just your data. If a program asks you for this permission you should question why they do and (by default) say no unless you are sure.
In regards to your question "Why do you only have to do it once" about accessing folders that is because after you have given it authority to do so your user is granted permanent authority to the folder. The one time task has been done and you now have permanent authority.
It tells you this at the time...
Personally my profile is set as local admin and there is not (afaik) any risk from doing this.
Other users on my PC I set as standard users as I don't trust them not to just click "OK" on everything.
After granting permanent access let's say you wanted to make it inaccessible again how would you do that?
In File Explorer, right-click on the folder and select Properties. On the Security tab you will see your user account is listed as having full control. Click the Edit button, select your user account in the list. DO NOT TOUCH any of the other names. Click Remove, then Apply (or OK).
You will see a message window saying it is applying changes - then immediately an error message saying (basically) you can't see what you're doing because access is denied (well, it would be, wouldn't it - you've just denied yourself access). Despite the apparent errors, you have successfully removed your access to the folder (until next time you click on it and are asked if you want permanent access).
I thought it might have been something along the lines of this except instead of removing the user I thought you might have to limit their permissions. I tried it myself and limited the user from full control to only read & execute, list and read permissions but that didn't work. It makes sense to remove the user though...
While doing this I received an error similar to what you describe, a "failed to enumerate objects in the container. Access is denied." It seemed to be for multiple files and folders. I edited these permissions as administrator and they were for a standard account.
Remove the user is the correct action. You can look at the permissions of a folder to which you don't have access by looking at the Properties/Security tab, clicking Advanced then 'Click Continue to attempt the operation with Administrator privileges'. You user account will not be listed. After trying to open the folder and clicking '...Continue to permanently get access to this folder' the only change is that your user account has been added to the list.
Thanks for providing that information. What other folders would a standard user usually not have access to? I seem to be able to browse around most of the OS in my standard account...
I had a brief issue the other day when logging into the administrator account. It was almost stuck on loading when logging in and took a long time to open up to the desktop. When it did open I was greeted with an error similar to the one we've mentioned and it was something to do with access denied to the desktop. The background was black, there were no desktop icons and the start menu didn't work. I kinda started panicking as I didn't know what had happened and I couldn't recall making any changes anywhere. Another error then popped up very breifly that I didn't have time to capture. I then either restarted or shutdown and the account returned to normal.
Does this sound like something to be concerned about?
What stands out in Event viewer after this happened is this:
"Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
Access is denied."
Event ID: 513
Is it still recommended to do your daily tasks in a non-administrator user account, or is that obsolete advice in windows 8-10?
Guys I have done this in the past but cannot recall how and don't want to botch.
I had hoped Windows 10 corrected the "rename user account" function but nope. I renamed a User Account due to conflict on the LAN and sure enough, now I have two...
In Windows 10 Pro is there a way to prevent a user without administrator privileges using a standard account from being able to format a usb drive?
"Perform volume maintenance tasks" is set for Administrators (Group Policy), which must be the...
I know I can't access the local users and groups policy in this version, but I can't figure on how to -temporarily- disable my kid's user account so that it cannot be logged in.
Yesterday I've upgraded to Windows 10 Home 64 bit, from my Windows 7 64 bit Home Premium. Then I clean installed it, after the OS was activated.
I used a local account and I have never switched to any of my Microsoft's e-mail accounts. The...