Saturday, April 23, 2005

Trying To Do The Right Thing On WinXP

(And don't tell me The Right Thing is to ditch for Linux. I haven't enjoyed my Linux experiences much, and I have a GPRS card and random Firewire cards to run on this subnotebook.)

Coming from a technical UNIX background it seem intuitively obvious not to run as root in this dangerous world. This wasn't always an option on Windows at all, and not very practical on Win2K when it runs the personal machine with which you constantly explore new programs. Work machine, sure, you actually have to go through a special procedure at Nokia to get Administrator rights on the standard Win2K image on the desktops. And I fully understand why: keeping 40K users from corrupting the Intranet and taking everybody down is not just a matter of avoiding nuisances, it is vital to the company. I remember the pain we suffered when mail wasn't working for a day or two, and I understand that Nokia Business Infrastructure is in no mood to re-live those days just because somebody needs weatherbug in their task bar tray.

I am basically the sysadm at home. So I try to explore best practices some. And I don't click on received executables and I don't click "OK" on pop-up windows for a Bonzi Buddy -- if I even see them, I asked to switch to Firefox as soon as I had tested it out and knew it would do. You see, for me safe computing is about avoiding nuisances, but Dean makes money off our home network, and I always need to make sure that best practices don't get in his way.

So now that we are both on XP I am experimenting with having my daily account have Power User priviledges, and no more. To stay safe. SO nothing I may run or do can hose the machine, it just hoses the 'fj' account. I did make an Administrator account -- which I couldn't call 'Administrator', much to my chagrin, because XP says that account already exists eventhough I can't find it. And XP allows a user to easily switch accounts without having to shut down work like 2K made you do. And even as 'fj' I can run an install as Administrator by right-clicking and selecting 'Run As...' and entering the Administrator account credentials.

Actually, not quite. If I download a program I want to install under the 'fj' account, I first have to move it to the Shared Documents directory, and do 'Run As...' Administrator from there, because if I try to run it with Administrator priviledges from the 'fj' desktop, the execution will always fail because the Administrator account can't see 'fj''s files. Some root that is.

So I make the install work by running it from the right place with the right credentials -- most installations insists on being run with full Administrator powers -- and then most will leave program shortcuts on everyone's desktops. Which I can't remove from 'fj''s Desktop. Logged in as 'fj', I do not have the priviledges to remove a shortcut that an Administrator left. Logged in as an Administrator account, I cannot access 'fj''s Dektop. Obviously I have to give the Administrator account access to 'fj''s files, but I can't find the Properties tabs for that.

I am sure there is a way, but the second problem is that many applications are not happy being run by someone else than the account that installed them, and certainly not with fewer priviledges. I tried out Dean's new webcam and I installed the application software fine -- as Administrator -- but the shortcuts on 'fj''s Desktop simply would not run.

Doing The Right Thing is turning into a pain. I think I may delete the Administrator account soon after I add 'fj' back to the Administrator group. XP may be ready for lesser priviledged users running as default, but the vendors are not.