NICE XP (End of support)

Working with limited privileges


Contents of this page :

Introduction
Why work with limited privileges?
Canceling your administrative privileges
How to regain administrative privileges
What works unchanged with limited privileges ?
Known issues with not having administrative privilege on the computer
The NiceAdmin application
Giving us feedback


Introduction

In order to improve computing security on Windows desktops, the Desktop Forum of 24th November 2005 agreed that every NICE Windows XP installation (whether a newly installed computer or an old computer being re-installed) will no longer grant "administrative privileges" by default to the main user or to the person responsible for the computer.

Administrative privileges allow the user to perform administrative actions on the computer, like installing new software or changing system settings. Those privileges were previously enforced at every boot sequence by inserting the main user and the person responsible for the computer, as defined in LANDB, into the 'Administrators' local group.

So that users can still install software and change system settings on their computers, a shortcut called "NiceAdmin" in the Start | Programs menu offers a way to execute most tasks with administrative privileges, but only on demand (see below).

Users having valid reasons to be a permanent administrator of their machine will still have this option (see below).

Conversely, users who want to benefit from this increased security right away, without reinstalling their computer, can already cancel their administrative privileges (see below).

By removing users from the 'Administrators' local group, security is tightened, but at the expense of some inconvenience for users in their daily work (see below). This new policy concerns only Windows XP computers.

Why work with limited privileges?

When the user has administrative privileges, there is a risk of compromising the computer every time code from an untrusted origin is executed (e.g. a mail attachment or web browsing). Malware executing with the user's credentials has the right to install files, change registry keys, etc. This often ends with a reinstallation of the computer from scratch. A virus running on behalf of a user with administrative privileges can:

  • Install kernel-mode rootkits
  • Install system-level keyloggers (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
  • Install ActiveX controls, including IE and Explorer extensions (common with spyware and adware)
  • Install and start services
  • Stop existing services (such as the firewall)
  • Access data belonging to other users
  • Cause code to run whenever anybody else logs on
  • Replace OS and other program files with Trojan horses
  • Access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
  • Disable/uninstall anti-virus
  • Create and modify user accounts
  • Reset passwords
  • Modify the "HOSTS" file and other system configuration settings
  • Cover its tracks in the event log
  • Render the computer unbootable
  • ...

Canceling your administrative privileges

In order to proactively benefit from this secure setting without reinstalling your computer, you just need to remove your account from the local 'Administrators' group. You can do it using this page. Then log off and log on again. Another option is to use the 'NICEAdmin | Change Status' application to remove your account from the 'Administrators' group (see below).

How to regain administrative privileges

In order to work with full administrative privileges on your computer, just insert your account(s) into the local 'Administrators' group. You can do it using this page. Then log off and log on again. Another option is to use the 'NICEAdmin | Change Status' application to add your account to the 'Administrators' group (see below).
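
To review the outcome of the two procedures above, the following added example (not part of the original page and not CERN code) parses the English-language output of the standard `net localgroup Administrators` command and lists whether the main user or the responsible still holds permanent membership. The EXAMPLE domain, the account names, the baseline list and the sample output are constructed assumptions.

```python
# Added example (not CERN code): review local 'Administrators' membership from
# the output of `net localgroup Administrators`. Domain, accounts, baseline
# and the sample output below are constructed for illustration.

FOOTER = "The command completed successfully."  # English-language Windows only

SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\\Domain Admins
EXAMPLE\\jdoe
EXAMPLE\\svc_backup
The command completed successfully.
"""

# Members expected on every machine (assumption, adjust to your site).
BASELINE = ["Administrator", "EXAMPLE\\Domain Admins"]


def parse_members(output):
    """Return the member names listed after the dashed separator."""
    members, in_list = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_list:
            # The member list starts after a line made only of dashes.
            in_list = bool(line) and set(line) == {"-"}
            continue
        if line == FOOTER:
            break
        if line:
            members.append(line)
    return members


def account_name(member):
    """Strip a DOMAIN\\ prefix and fold case (Windows names ignore case)."""
    return member.rsplit("\\", 1)[-1].lower()


def review(output, main_user, responsible, baseline=BASELINE):
    """Split group members into policy accounts and unexpected entries.

    permanent_admins: the main user / responsible still in the group, i.e.
                      accounts that have not cancelled (or have regained)
                      permanent administrative privileges.
    unexpected:       members that are neither baseline nor policy accounts.
    """
    members = parse_members(output)
    policy = {main_user.lower(), responsible.lower()}
    base = {entry.lower() for entry in baseline}
    permanent = [m for m in members if account_name(m) in policy]
    unexpected = [m for m in members
                  if m.lower() not in base and account_name(m) not in policy]
    return {"members": members,
            "permanent_admins": permanent,
            "unexpected": unexpected}


if __name__ == "__main__":
    result = review(SAMPLE_OUTPUT, main_user="jdoe", responsible="asmith")
    print("permanent admins:", result["permanent_admins"])
    print("unexpected members:", result["unexpected"])
```

The command reports the account's group membership only; a session that was already open keeps its previous privileges until the log off / log on step described above.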

What works unchanged with limited privileges ?

Without administrative privileges, a user can do most of his/her daily office work without even noticing the change:

The computer can be installed using the NICE Windows distributions.

Common applications work correctly; the following have been tested:

  • Microsoft Office 2003 (Word, Excel, Powerpoint, Access, Frontpage, Outlook)
  • Internet browsing with Internet Explorer
  • Outlook Express
  • Acrobat Reader 7
  • CERN Phonebook
  • Nice Alerter
  • Real Player 8
  • Windows Media Player 10
  • Windows Messenger 5.1
  • Symantec Antivirus 10
  • Remote Desktop Client
  • Exceed 9

Changing user-specific settings like Display settings, Regional settings, Folder options, Internet options through the Control panel, is possible.

Configuring access to a new network printer at CERN (through the Printer Wizard) is possible.

Creating a new VPN connection to CERN is possible.

Known issues with not having administrative privilege on the computer

There are known issues when you are not the administrator of your computer. For each of them, we provide a workaround, usually based on the NiceAdmin application (see below).

Access to some local files / (Write) Access to the registry

  • Access to some local files
    Access to C:\WINNT and C:\Program Files directories is restricted. Some log files located there will not be readable and this will also prevent installing most applications.
     
  • Creating files on the local disk
    Creating a file in the C:\ folder is forbidden.
    [NiceAdmin Solution]--> To store files on your local disk, either create a folder under 'C:\', such as 'C:\your_account_name', or use the 'Documents and Settings\your_account_name' folder. Remember that 'My Documents' and 'Desktop' are redirected folders which store files on the servers, not on the local disk.
     
  • Checking a drive or defragmenting a partition is not allowed.
    [NiceAdmin Solution]--> Open a 'Console as admin' and type c:\winnt\system32\chkdsk.exe c: /f to check the c: drive, or c:\winnt\system32\dfrg.msc to defragment.
     
  • Changing a disk drive letter or managing partitions is not allowed.
    [NiceAdmin Solution]--> This has to be done using 'Computer Management' which is in 'Admin Tools'. Open 'Control Panel as admin' (set Category View in case it's not), you can access Admin Tools/Computer Management from there as admin.
     
  • Access to the registry
    While most registry keys remain readable, most are no longer writable. This can cause trouble with some applications.
    [NiceAdmin Solution]--> Open a 'Console as admin' and type c:\winnt\regedit.exe to access registry in write mode (don't do it if you don't know what you are doing).
     
  • Remote desktop access to your computer doesn't work

    [NiceAdmin Solution]--> You need to allow your account to access your computer remotely. Open 'Control Panel as admin' (set Category View in case it's not), click System / Remote / Select Remote Users.

Application installation & removal

  • Application (and drivers) installation
    Most applications will refuse to install because of the previous bullets. Some applications will install but will not work correctly. Most applications can't be uninstalled for the same reason.
    [NiceAdmin Solution]--> Open 'Add Remove Programs as admin'. If the application you want to install is not listed in 'Add Remove Programs', then there is an executable file somewhere (on your CD, or downloaded from the Internet and stored in a folder on your disk, etc.) that launches the installation. Often it is called 'setup.exe'. Using Windows Explorer, locate the folder containing this file. Right-click on the file, choose 'NICEAdmin..' and install your application as usual.
    [NiceAdmin Solution]--> For drivers, sometimes the real installation is done during the first logon after reboot. To ensure you still have the administrative privilege after reboot, use 'Nice Admin | Account Status' to permanently gain administrative privilege before installing. Don't forget to use 'Nice Admin | Account Status' again when you are done with the installation, to relinquish the administrative privilege.
     
  • Internet Explorer Plug-ins
    They will not install. QuickTime for example does not show up. Google toolbar will not show up.
    [NiceAdmin Solution]--> Open 'Internet Explorer as admin' and access the web page to install the plug-in.
     
  • Outlook 'Report Spam' button
    Does not show up
    [NiceAdmin Solution]--> the dll needs to be registered as admin : Open a 'Console as admin' and type c:\winnt\system32\regsvr32.exe "%USERPROFILE%\Application Data\Microsoft\Addins\cernaddin.dll"
     
  • Symantec Live-update can't be launched by hand
    [NiceAdmin Solution]--> Open a 'Console as admin' and type "%PROGRAMFILES%\Symantec\Liveupdate\luall.exe" to do it.

Badly coded applications

  • Some badly coded applications that do not follow Microsoft coding standards may fail to work, sometimes with odd error messages that do not say explicitly that the proper privilege is missing. For example, Sony phone synchronization tool with Outlook, Corel Draw 10, HomeSite, TopSite, Remedy and Yahoo Messenger will not work without administrative privilege.
    Whenever possible, check whether there is an updated version of your application that solves the problem. For example, upgrade to Corel Draw 12, which works correctly.
    [NiceAdmin Solution]--> Using the Windows explorer, locate the application executable file. Right-click on it and choose 'NICE Admin' to launch the execution with administrative privilege. To automate this, create a shortcut with the Wizard (see below).
     
  • Open AFS does not work.
    Currently there is no possibility to run OpenAFS without administrative privilege. To run OpenAFS, you need to insert your account in the 'Administrators' local group.
     
  • CPSS screen saver does not work.
    Do not use CPSS as screen saver.
     
  • Visual Studio will not allow you to debug programs unless you add your account in the Debuggers group.
    [NiceAdmin Solution]--> Open 'Nice Admin | Control Panel as admin' (set Category View in case it's not), go to Administrative tools ->  Computer Management and add your account to the Debugger's users. 
     
  • Microsoft anti-spyware (not supported) does not retain options set, RealPlayer 8 does not retain some options set
    -> launch the program with administrative privileges, then set the options.
     
  • Nero problem
    Can't burn a CD. Burning with Explorer works.
    [NiceAdmin Solution]--> use an auxiliary application called NeroBurningRights to allow burning under Nero without administrative privileges.

Changing system state

  • Installing a local printer
    Can't install a new local printer.
    [NiceAdmin Solution]--> Open 'Control Panel as admin'  (set Category View in case it's not) and use 'Printers and Faxes', 'Add a Printer'.
     
  • Firewall settings
    You won't be able to change the settings for the Windows firewall. This includes disabling the firewall or unblocking an application on the fly.
    [NiceAdmin Solution]--> Open 'Control Panel as admin'  (set Category View in case it's not) and use the Firewall applet to configure things.
     
  • Control Panel system settings
    Several applets will not work, like Power Options.
    [NiceAdmin Solution]--> Open 'PowerOptions as admin' to configure things.
     
  • Changing date/time
    Is not possible.
    [NiceAdmin Solution]--> Open 'set time-date privilege' from NICE Admin shortcuts, then reboot.
     
  • Updating with 'Windows Update' site
    Will not work
    [NiceAdmin Solution]--> Use 'Nice Admin | Account Status' to gain permanent administrative privilege, log off and log on again, then you can update your computer. Don't forget to use 'Nice Admin | Account Status' again when you are done, to relinquish administrative privilege.
     
  • Updating with 'CERN Windows Updater' from Add/Remove Programs
    Tells you that you don't have administrative privileges.
    [NiceAdmin Solution]--> Open 'Add Remove Programs as admin' to update your system.
     
  • Adding a new System DSN (Data Source Name) in Control Panel  | Administrative Tools | Data Sources (ODBC)
    The new DSN can be created and tested, but when you quit the creation applet, the new DSN is not recorded in the list
    [NiceAdmin Solution]--> Open 'Nice Admin | Control Panel as admin' (set Category View in case it's not) to create a new System DSN.

Workarounds

As a workaround for these issues when the administrative privilege is missing, the NiceAdmin application is deployed on computers participating in the project. Using this application, your account can exceptionally execute tasks with the administrative privilege (see below).

Another workaround is to permanently gain administrative privileges using the 'Nice Admin | Account Status'. Until you relinquish them, your account will be part of the local 'Administrators' group and will have administrative privilege, even after successive reboots.

The NiceAdmin application

NiceAdmin shortcuts

In Start | All Programs, there is a new 'Nice Admin' group with several entries. These are shortcuts to the NiceAdminWin application and options.

The first time you launch the application, you will need to provide your NICE credentials. Only the main user or the person responsible for the computer is allowed to execute tasks with administrative privilege:

Account Status : shows the status of your session (running with administrative privileges or not) and of your account (member or not of the local 'Administrators' group). Allows you to permanently change status, e.g. re-gain / relinquish administrative privileges for your account, and keep the setting across logons.

Add Remove Programs as Admin : opens Control Panel  | Add/Remove Programs with admin privilege.

Console as Admin : opens a Console window, running with admin privilege. Any program you execute from there will have the admin privilege.

Control panel as Admin : opens Control Panel with admin privilege; allows you to choose which setting to change.

Create Nice Admin shortcuts : when using this wizard, you can easily create (modify) shortcuts to applications so that you can launch them with administrative privileges. The easiest way to use it is first to drag/drop this shortcut at the top of your application's list in the Start button (near the Internet Explorer shortcut). Then choose another shortcut (like Remedy), drag and drop it on this 'Create Nice Admin Shortcuts'; it will create a modified version of the shortcut so that NiceAdminWin will be called first, giving you the administrative privileges. This new shortcut will be placed in the 'Nice Admin' group.

Internet Explorer as Admin : launches Internet Explorer with admin privilege.

Network Connections as Admin : opens Control Panel | Network Connections with admin privilege.

NiceAdmin Options : allows you to change options (password caching) for NICE Admin. By default your password is cached in memory (protected and encrypted) and you have to type it only once per session.

Power Options as Admin : allows you to change the power options of your computer.

Set time-date privilege : same as the /timeon NiceAdminWin option (see below).

Context menus

On most of the shortcuts of the Start button, when you right-click the item, you get a 'NiceAdmin..' option. This allows you to execute the action with administrative privileges.

The NiceAdminWin.exe application

This application is in %PROGRAMFILES%\CERN\NiceAdminWin. You may need to include this folder in your PATH to find it. The application will ask for your password in order to execute a task with administrative privileges.

Options

/console : allows you to launch a 'cmd' window where you have administrative privileges. From this, you can launch additional processes, keeping administrative privilege.

/controlpanel : allows you to open the control panel with administrative privileges. This is a workaround for adding/removing applications, changing firewall settings, power options, etc.

/iexplorer : allows you to open internet explorer with administrative privileges. This is a workaround for updating your system with the 'Windows Update' site, installing plug-ins.

/timeon : grants you the right to set the time on your computer, using the applet at the right end of the taskbar.

/winstatus : returns the status of your session (running with administrative privileges or not) and of your account (member or not of the local 'Administrators' group).

/toggle : permanently gives / removes administrative privileges for your account. This setting will survive a reboot. At next logon, you will be warned about your new status.

/help : gives some help about the application

path_to_document : allows you to launch the default registered application to open the document, with administrative privileges. Example: NiceAdminWin.exe c:\boot.ini - allows you to edit this file, which you can only do with administrative privileges.

path_to_application [/startin path_to_directory] : allows you to launch the application with administrative privileges. If you specify /startin, then the application will be started with the specified directory as current directory. Enclose the paths in quotes (") when they must contain spaces. Example: NiceAdminWin.exe c:\winnt\regedit.exe /startin c:\ - allows you to start the regedit application with administrative privileges.

Notes about the NiceAdminWin program

When you launch an application with NiceAdminWin to gain administrative privileges, be aware that the G: drive (or any mapped drive) is not available to your application.

Giving us feedback

Please report to nice-security@cern.ch any issues you may have with this new policy.

Please check this page again for updated information.

Created: 7/21/2010
Last reviewed: 7/12/2007