Being a limited user

published: Wed, 1-Jun-2005   |   updated: Tue, 14-Jun-2005
Helmsley Castle, N. Yorks

Well, it's been several months since I decided to revoke the administrator rights for my main user account on my tablet PC. It was interesting to say the least in the beginning, but now I'm totally used to it and wouldn't change back. Here's a few notes about my experiences.

You need an admin command window

One of the very first things I did was set up a shortcut to launch a command window as Administrator. This has saved my sanity several times. I use Favalias as a program launcher, the command is

run runas.exe /user:Administrator cmd.exe

(If you don't use Favalias, just remove the word run from the command line and type the rest into the Run dialog (Start | Run). When the command window launches you'll have an opportunity to type the Administrator password. It gets tedious to type this command time after time though, so at least write a batch file to do it.)

I also changed the text and background colors of the admin command window to be vastly different (green on white) from my normal command window colors (white on black). It's then really obvious which command window is which.

You need to be familiar with the .cpl and .msc extensions

A slow way to start up a Control Panel applet is to: navigate to the Control Panel (I have it as a menu) Shift+right-click the option you want, and then select Run as. Yuk. A fast way: using the faithful admin command window type start someapplet.cpl, and bingo. Here are some control panel applet file names:

  • appwiz.cpl - Add or Remove Programs
  • inetcpl.cpl - Internet Options
  • nusrmgr.cpl - User accounts
  • powercfg.cpl - Power options
  • sysdm.cpl - System properties

Some control panel items are Microsoft Management Console snap-ins. These have an .msc extension. The only ones I've had to use so far are listed below. Run them using the start command.

  • lusrmgr.msc Local users and groups
  • secpol.msc Local Security Settings
  • services.msc Services


Well, there's no getting around this, you have to pretty much run any installer as an admin. The main reason is being able to write to certain parts of the registry (which are read-only for limited users). A couple of ways to do this: right-click on the installer's EXE file in Windows Explorer and there'll be an option called "Run as...". Click on this and you'll get a dialog asking you for the user account and password to use to run the application.

An alternative is to run the installer from your trusty admin command window. Navigate to the folder containing the installer using the usual CD commands, then run the installer if it is an EXE file, or type start someapp.msi for a Windows installer file.

Note that if the installer asks whether to install "for this user only" or "for all users on the machine", select the latter.

Also to remove programs you'll have to be admin as well (see the point about Control Panel applets above).

Couldn't change the system time

I use a program (AtomTime) to sync with a time-service. Yes, I know that WinXP comes with such a service, but it's one of those programs I've been using since Windows 95 (urk!) and I just can't seem to let it go. Anyway, it suddenly stopped working until I realized that being a limited user means you can't change the system time.

No problem: using the admin command window, run the Local Security Settings console (type start secpol.msc), and under Security Settings | Local Policies | User Rights Assignment there's a item called Change the system time. Add your usual user account to the list of users/groups (there should just be two before you start: Administrators and Power Users).

As a matter of interest, that's the only change I made to my user account apart from making it a limited user.

Batteries were running down faster

This took me a while to notice but in essence as a limited user my battery life was roughly half what it was (it took a two hour long meeting for me to discover this). At first I thought I had a bad battery, but then noticed something else as well. Before I was a limited user, shutting the lid on the tablet would put the PC to sleep. Afterwards it would hibernate instead. Bloody puzzling, but eventually I worked out the problem was with the Toshiba Power Saver program: it needed to be told that it would run under a limited account. It was essentially running, and then terminating immediately, leaving all power saving features turned off. This was simple to fix (there's a check box stating that it will run under a limited user account), but it was puzzling nevertheless.

Microsoft Antispyware can get confused

So I install Google Taskbar into IE. I install as admin, of course. No problems. Antispyware gets its knickers in a twist though because something is messing around with the registry, and it rightly asks permission to allow the change. But it's running under a limited user account so the change can't go through. So, every time I reboot I get the same set of questions from Antispyware...

Don't add yourself to the Debugger Users group

The Debugger Users group is used for debugging DCOM services remotely. You don't need to add yourself to this group unless you're going to be doing this type of development. The Visual Studio and Delphi IDEs work just fine debugging locally.