Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu

Blogs

Power Users are Admins who have not made themselves admins yet

  • Comments 20
  • Likes

It seems kind of odd that in 2006 I would still get these questions, but twice in the past week have I had to explain the truth about Power Users to someone. Typically they are organizations who are trying to limit the rights of their users, who right now run as admins. Unfortunately, they are under the mistaken impression that making those users Power Users will help.

Power Users are simply Administrators who have not made themselves Administrators yet. There are access control lists, privileges, and other settings all over the OS that allow them to do so. Making someone a power users only makes it marginally more difficult to shoot yourself in the foot. It does not actually limit their privileges, nor does it protect them from malware, which can typically run just fine with Power User privilege.

Two related issues usually come up at about this point in the conversation. The first one is that some application requires at least Power User privilege. If that application is not an inherently administrative one it is broken. Period. Return it for a refund or a fixed version.

The second issue that comes up is that the organizaton is going to modify the permissiosn of Power Users so they are less privileged. If that is what you users need then why not make them users in the first place? It is really unlikely that you will be able to cripple Power Users sufficiently and if you do they become users, which is what you should have used in the first place. Some people try to cripple Power Users even though nobody should be in that group. Why? If nobody is in the group what difference does it make what privileges it has? Usually I then get the standard argument that "if someone is able to add themselves to the group..." Only Administrators could do that. If a user can do that they would not make themselves Power Users. That is a completely flawed argument. Besides, most people who try to cripple Power Users run afoul of KB 885409 and end up with a destabilized and unsupported system in the process.

In general, I prefer making people Administrators over Power Users. That way it is obvious that they have extremely elevated rights and a glaring problem is more likely to get fixed than one that is papered over.

Comments
  • I was going to title this post "Microsoft Representative Says to Return Quickbooks for Refund". ...

  • Even regular Users are Admins who have not made themselves admins yet....

  • I know better than to put users in the Power Users group, for the reasons you described.  My question is, what is the purpose of this group in the first place?

  • BOFH, that is partially true. One might argue, for instance, that any user with physical access to the computer is an admin who haven't made themselves an admin yet.

    The Power Users group was added long ago to provide a way to run applications that were written assuming elevated privileges. Over time, more and more things were added to the rights of that group and fairly quickly it went past the point where the group provided any isolation. Since then it has been there only for backward compatibility.

  • It's very simple, really, and I can even put it in simple language.

       admin = God
       power user = Christ

    And, according to the literature,

       Christ = God

    It follows, therefore, that:

       power user = God

  • Christ isn't God! Read John 14:28..

  • Really good points, and I could agree with you more.  I'm very ready to implement and also to advise my peer consultants to lower the Domain Users default additionally assigned Local Administrator group down to the Local User level.  But if I do that in my SBS 2003 deployment things like Remote Web Workplace no longer work.  Yes it is a nasty predicament because that is the number one coolest thing that customers like about SBS ...and there is no comparable competitive product.  Plz I'd rather Microsoft fix this not provide refunds and returns.

  • RWW doesn't need admin rights other that to initially get the Active X controls on the box in the first place.

    Most software needs admin rights to get the software 'on' the box, after that they don't need normal admin to run.

    Software typically always needs rights to install, it should not need rights to run.

  • This is a great thread and article...most of us know this stuff but need to be hit over the head and reminded where we maybe going wrong. Keep up these great articles Jesper I really enjoy reading and getting your perspective.

  • http://www.sbslinks.com/RWW-LUA.htm

    Remote web workplace as LUA.

    It works.

    The problem is not hacking up the registry, I would argue.. but knowing if what we're hacking is ends up making our systems more insecure.

  • Here is the relevant KB. Helpful if you need to sell this.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;825069

  • Sorry for the OT response, but someone else started it :p

    lpiatek: Read just a few chapter back: http://www.biblegateway.com/passage/?book_id=50&chapter=10&verse=30&version=31&context=verse

    Now back to your regularly scheduled topic...

    While no security system will ever be foolproof, Windows will remain will continue to contain more holes than the titanic as long as MS insists on full backwards compatibility in each release of the OS.  I read Raymond Chen's blog regularly and I appreciate the immensity of the problem with breaking backwards compatibility, but there are ways to mend the API (or restructure it entirely) using VMs and compatibility subsystems.  Yes, they make the legacy programs run slower or in some crippled fashion, but it has got to be better than the current veneer of security we have to endure because Company X refuses to part with application Y that was written for Windows 3.11.

  •  
    OK.  gripe time.  One of my co-workers was asked by a customer, "Can you prevent a...

  • Placing Windows user accounts in the Power Users security group is a common approach IT organizations

  • OK. gripe time. One of my co-workers was asked by a customer, "Can you prevent a local admin from deselecting

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment