
Are Limited User Accounts effective?

How effective is using a limited user account to surf the net? I’ve read
that if you get infected with a virus/trojan etc., the amount of damage caused
can be dramatically reduced if you were logged on with a limited account. Also,
if I set up such an extra account (for surfing), do you have to run anti-virus
updates and do scans on both the administrator and limited account, or does
ONE anti-virus/anti-spyware scan cover all the accounts on the computer?

In a word, yes – Limited User Accounts are very effective at reducing the
potential impact of a virus or spyware.

Unfortunately my experience has been that they’re also effective at reducing
your abilities in other areas as well.


I’ll be honest … every time I’ve attempted to set up a Limited User
Account (often referred to as LUA), I’ve been frustrated, and eventually ended
up reverting that account to full administrative privileges.

My frustration is not with LUA itself, per se, but with other software.

The concept behind LUA is simple: you don’t need every privilege on your
machine in order to do most day-to-day activities. Surfing the web, sending
email, writing documents or balancing your checkbook do not, and should not,
require anything other than the most basic of permissions on the computer.

Taking away certain types of permissions – such as the ability to write to
certain system directories, install activex controls and the like – means that
it’s more difficult for malware to do those things if you happen to run across
it as a Limited User. Since so much malware relies on exactly those types of
operations, it’s actually a very effective strategy.
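To see which of those permissions an account really has, the following PowerShell check can be run from it. This is an added example, not part of the original article; the probe file name and the choice of locations tested are assumptions.

```powershell
# Added example: report whether the current session has administrative
# rights and which protected locations it can write to.

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DirectoryWritable {
    param([string]$Path)
    # Create and delete a throwaway file; failure means no write permission.
    $probe = Join-Path $Path ("lua-probe-{0}.tmp" -f [Guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-RegistryKeyWritable {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey)
    try {
        $key = $Hive.OpenSubKey($SubKey, $true)   # $true requests write access
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } catch {
        return $false                             # access denied
    }
}

$results = @(
    @{ Name = 'Administrative rights';  Value = Test-IsAdministrator }
    @{ Name = 'Write: system directory'; Value = Test-DirectoryWritable ([Environment]::SystemDirectory) }
    @{ Name = 'Write: Program Files';    Value = Test-DirectoryWritable ([Environment]::GetFolderPath('ProgramFiles')) }
    @{ Name = 'Write: HKLM\SOFTWARE';    Value = Test-RegistryKeyWritable ([Microsoft.Win32.Registry]::LocalMachine) 'SOFTWARE' }
    @{ Name = 'Write: My Documents';     Value = Test-DirectoryWritable ([Environment]::GetFolderPath('MyDocuments')) }
    @{ Name = 'Write: HKCU\Software';    Value = Test-RegistryKeyWritable ([Microsoft.Win32.Registry]::CurrentUser) 'Software' }
)

foreach ($r in $results) {
    '{0,-26} {1}' -f $r.Name, $r.Value
}
```

Running it once from an administrator account and once from a limited account shows the difference between the two: the machine-wide locations are the ones a limited account is expected to be denied, while the account's own profile and registry hive stay writable.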

And yes, even though I have my own frustrations with it, I do recommend it,
if possible, as a very valid step towards increasing the overall security of
your system. I particularly like the idea of families setting up their
children’s accounts on a shared computer with LUA.

To do so, by the way, in Control Panel, User Accounts, click on the
account you wish to change, click on Change My Account Type, and then
select Limited. Note that you will not be able to change the
primary Administrator account, and that not surprisingly, you need
administrative privileges to actually do this to any account.


Now, about my frustration.

Every time I try to run as an LUA, I keep running into things that I can’t
do. Things that I want to do. For example installing software in general is an
issue using an LUA. If that software expects to be installed for the current
user, then logging in as the administrator to install it may still not set up
the software for use in another Limited account on the same machine.

Now, to be fair, there are often workarounds. One could temporarily elevate
the Limited account to administrator just long enough to install whatever
software needs installing. But there are also frequently still complications,
and it’s certainly an additional, somewhat cumbersome step to what’s typically
already a complicated process.

Now I definitely understand that there is a fundamental conflict here – you
want to prevent installation of malware, while allowing the installation of
trusted applications. Unfortunately there’s no easy way to distinguish, so LUAs
must prohibit both – or at least those that affect protected system areas.

The more fundamental problem is that while many applications do need it, too
many assume administrative privileges when they don’t. As a result,
they fail when installed or run from LUAs.

If there’s good news in all this, it’s the answer to your other question
about anti-spyware and anti-virus software. Most of these applications are
installed at the system level, and as such work on the entire machine,
regardless of what user you happen to be logged in as, or even whether you’re
logged in at all.

So, yes, I’m one of those folks who apparently needs to use software that
requires or assumes administrative privileges often enough that running as an
LUA is simply not a practical option for me. My advice to you: try it. I know
I’m an edge case – I do a lot of things that more normal people don’t. You may
find that all your needs are met in an LUA, and as a result, you will
definitely be safer.


14 comments on “Are Limited User Accounts effective?”

  1. Windows Vista finally has a practical LUA implementation, many many years overdue, and Linux has always had it. The implementation in Ubuntu is really quite elegant. Everyone is defaulted to a power user account, and if you’d like to perform a root-level task, you’re simply asked for your password.

  2. The Mac is much like Ubuntu in this regard, and I agree, it’s perhaps the most elegant compromise.

    What I *don’t* know is how often that requirement (administrative access) pops up in what would otherwise be “normal” work. That’s what’s most frustrating about XP’s LUA.

  3. >> What I *don’t* know is how often that requirement (administrative access) pops up in what would otherwise be “normal” work.

    Anecdotally, I read that this was one of the biggest complaints about the early RCs for Vista... that even in trivial tasks like deleting a file from your desktop, Vista would password-prompt you (not once, not twice, but) *three* times. However, Microsoft has corrected this in later RCs, and supposedly trimmed down the number of tasks that require entering a password.

  4. I have added a Limited account to the computer that I most use for Web Wandering and intend to use that account only for that purpose. Is this sensible?

  5. In early 2006, I found a reference to a small program on Microsoft’s website called DropMyRights. It’s used with user setup desktop shortcuts to fire up DropMyRights, which then starts up another program (such as Internet Explorer, Firefox, Outlook Express) with LimitedUser rights (non-Administrator). I’ve been using it for the 3 programs above for most of 2006. When I look at the security setting of any of these DropMyRights invoked programs using ProcessExplorer (from SysInternals), …right-click application name > Properties > Security tab > BUILTIN/Administrators setting: it shows “Deny,Owner” rather than “Owner”. I think that for WinXP, this is a pretty good compromise. I can logon with Administrator rights, but then fire up some programs such as browsers and email with LimitedUser rights. I think that this protects me pretty well! I get the benefits of the need for Administrator rights with many applications as well as the protection of LimitedUser rights with my Internet facing applications. I keep my standard desktop icons for browsers, etc. for WindowsUpdate and other such work.

  6. I believe many people are not aware that it is possible to run an application in a LUA with administrator rights (provided you have the password). The feature is called “Run as…” and is accessible through right-click in Explorer on the program you want to execute. It will only be valid for the current session and is an excellent way of quickly getting things installed or configured without the hassle of temporarily elevating permission rights. It is even possible to setup a shortcut or program to always run as a different account (although I wouldn’t recommend that as a design, it’s a compromise for the exceptions).

  7. I have set up my system exactly as described and since I don’t use games (which are the ones that are most fiddly about permission rights) everything works fine without hiccups or hassles. The Admin account is ONLY for installation of new programs.

    I DO wonder how protected I am with this scheme. Knowing a little about how permissions work with NTFS, I can’t figure how a virus could bypass this. Of course there is a way because enterprises get viruses just as anybody else (albeit not as often) and in a corporate environment LUA is exactly the norm. So how do viruses do it? If they can’t get write access to the registry, how do they make themselves executable on system restarts?

  8. I can’t change the security settings from medium to medium high. Is this normal in a limited user account? And when I try to change these settings I always get “explorer.exe is not responding” or something like that when I close or apply the setting. Is something wrong with Windows in my PC?

  9. I use all three levels of XP accounts
    Admin for Updates, installs, and SW that requires Admin priv.
    Limited for regular day to day stuff and some of the SW can be run with “Run As Admin account” such as FTP Voyager
    Guest, I setup the Guest account log into it once and then use the Run As to access the “Guest Account” web browser,
    but, I’ve recently bumped up against a problem with the Guest account User Profile not being retained and can’t seem to find a solution anywhere except “it’s supposed to do that…” But I know it works, as I have set up the Guest account to use for web browsing on 4 previous machines, 2 with XP Pro and 2 with XP Home, and the settings are retained in the Guest profile. I have tried to set up another XP Pro machine, and at every log off the profile is deleted, which is not good because all Firefox browser add-ons & settings / customizations etc. are also removed. The method I use (because I have software that requires I always be logged in as Admin. to use it) is to set up the Guest account and log into it once, then “net user Guest ‘password'”, and then change the browser shortcut in my admin account to “Run with different credentials” and use the “Guest browser” from within the Admin. & or Limited account. Is there some registry entry or group policy setting that’s preventing the Guest profile from being retained?

  10. I find my LUA such a pain: example: I downloaded a new font. However, I can only use that new font if I am using Word while logged in as the administrator. I couldn’t install the new font while logged in as the LU so had to log in as administrator. I can’t figure out how to either allow LU to get full rights to Fonts folder or copy Fonts folder and tell Word where to find it. ARGH! Any ideas?

  11. I have XP Home. I haven’t been able to grant myself administrative privileges on the guest account. Apparently it’s not a part of the Home version. When in Guest there is no AOL client, that is there is no way to reach the internet. You can’t download the client without the admin privileges. Then I tried moving the AOL folder from the C:\ drive to the “shared” folder. This didn’t work either. So I gave up and surf the net via the owner’s administrative account. Frustrated.

  12. I use Windows 7 on my personal laptop where User Account Control has been revamped compared to previous versions. I log onto a limited account for nearly 99% of my activities. Whenever I need to use the administrator privileges it is just a simple task to type in my admin password. It works great. I have had to login to my admin account twice in two years. I recommend this setup to most of my customers because it is the best way to prevent viruses and malware. I also force my family members to use my computer under a guest account.

    However we do have a family PC running Windows XP. Under Windows XP the user account control can be a pain constantly requiring you to log out of one account and log into another for the simplest of things. Only the most untrustworthy of family members access our family computer as a limited user and the rest run as administrator.

  13. I am a self computer educated user and have followed the precaution of logging in as limited user for many years now and strongly recommend it. Note, limited user and not guest log in. Gave up guest log in fairly quickly as it was causing too many problems.

    Initially, I did run into occasional problems but found a workaround fairly easily. As for installing programs, most accepted “run as…”, in some cases I had to take a temp. admin privilege (must remember to return to limited user, did forget at times) and only on rare occasions had to log in to admin. ac for installation.

    Now that I use Windows 7, most of these are no longer problems: Windows automatically asks for “run as”.

