
Administrative rights required

April 6th, 2010

Windows NT at its base has been around a long time.  The concept of administrator rights versus user rights (and permissions) on a Windows NT based operating system is certainly nothing new and there should seemingly be very few applications that point out this distinction anymore.

If only that were true.

Today I was asked about an application that collects data from a serial device regarding temperature and other information.  Great concept.  Put this thing in your environment for a day (week, month, etc) and it will collect information about its surroundings.  Then you can attach it to your PC and pull the information from the device and use it to somehow make your organization or products better.

I love the idea of that. However, the implementation doesn't make sense to me.

When installing software, typically I use an administrative account and select some kind of All Users access for the application so that anyone who logs on to the PC can use the application.  This works for most things, like Office or Adobe Reader.

But some applications (even some from Microsoft) require the user to have local admin privileges on their machines to use the application.  This makes no sense.  Sure, it is easier for both the developer and the administrator to allow anyone to do whatever they want on the PC, but this practice (with a few exceptions) should be almost unheard of in the IT community today.

An application should run however it is installed.  If it needs high level access to the OS, use the admin account with which the application was installed or pop up a UAC box (in the case of newer versions of Windows) to ask for it.  I realize that UAC was a huge annoyance in Windows Vista, but it did start many developers down a path to properly integrate with the Operating System.

I guess it is just frustrating that I need to provide users with local administrative rights to run applications they need to do their job properly.  Sure, some applications have workarounds, but when those do not work, I am right back at square one: users being added to the local Administrators group.

Sure, if you do not tell the user about the administrative access concept (you can do anything you want to your PC because you are an admin), they will think nothing of it.  Many will likely think you are the coolest person ever because the PowerPuff Girls Screensaver installed without a hitch.

I wish there were a solution to the problem. Maybe AppLocker in Windows 7 and better coding practices on the part of the software developers will help correct this problem, but in my environment today, there is little to be done except give the software what it needs and scan for everything.

I am curious to find out what your thoughts are on applications needing administrative rights…


  • http://blogs.technet.com/kevinremde Kevin Remde

    The problem is a complicated one, to be sure. Before we solve it, let’s assign blame. (That’s always fun!) Whose fault do you think it is?

    1. Microsoft’s
    2. The developer of the product
    3. All of the above

    I propose that it’s that third choice.

    It’s Microsoft’s fault for being so benevolent and open in years past. “Back in the day” our application platform, the OS and the development tools, gave developers full access to the OS, to your disk, to the browser… whatever they needed to build cool applications, never thinking that perhaps somebody might use all of that power for evil instead of good. Even up to the time Windows XP was first released, developers were coding changes to important areas in the registry or Program Files area. But then all of the big-news malware leading up to and into 2003, Microsoft’s Trustworthy Computing initiative, Windows XP SP2… and we now can’t (and simply won’t) trust or allow applications to make those changes. We had to draw a distinction between a standard user and an administrator, because it was within the context of one or the other that your application ran. BUT… to allow those older applications to work, we had to install or even run them as an administrator, because that was the only way they would work. (How many of you XP users run as a Standard User? Very very few.) Going beyond that, in Vista and now in Windows 7, we’ve made it easier for older applications to run while still allowing a standard user to get more work done. There are “shims” and compatibility fixes and tools to apply those tweaks to applications and entire teams at Microsoft devoted to making the experience of trying to run poorly or lazily developed applications work well, and work even in the new world of locked-down security we find ourselves in.

    That brings me to “It’s the developer’s fault”. These days there is no excuse other than laziness – and by that I mean a lack of the willingness to invest in upgraded development practices – for an application to have to require someone to be an administrator to run an application. Developers have had the tools and coding standards available to them for 5 years now (at least!) to allow them to build their applications in a secure and still-fully-functional way. Understandably, developers weren’t happy having to be restricted in what their programs could do to the OS and to your PC or platform – but most now recognize that it is a “necessary evil”, with the great benefits being the more secure and stable platforms we see and enjoy in Windows Vista and now Windows 7.

  • http://blogs.technet.com/kevinremde Kevin Remde

    I really should have finished with a proposed solution – but really the solution comes out of understanding why we have the problem to begin with. So… Microsoft fixes things by doing everything it can to help older (or poorly written) applications work on the newer platforms, and developers continue to build to the new standards and for the newer, more secured platforms.

    Actually, I don’t think we’ll ever have a situation where standard users can just install everything they want. That’s another aspect of having a secured platform – that a standard user can’t just install anything they want because installation has to be protected. The alternative is to “deploy” applications, as you suggested in your post, in a way that installs in an elevated manner, but doesn’t require the user to be an administrator. The installation (such as using SCCM or even Group Policy in a domain environment) being launched by the administrator in this way is trusted, because of the relationship of that domain membership, right? So we can deploy apps even when the local user can’t install them themselves.