Updated Account Creation Plan



Hello, this is David Cross again and I have an interesting project update to share with everyone.  Currently, in the beta for Windows Vista, when you create an additional user account, the account is automatically added to the local administrators group.  We have decided that making users administrators by default was sending the wrong message to users, IT professionals and the developers in the ISV community.  We have subsequently made the decision that in Beta 2, secondary user accounts will be standard users by default.  An administrator will have to consciously and specifically add a user to the local administrators group.  Reducing the overall number of users that run as administrator will be a compounded improvement in the security of all systems.



We believe now is the time to make this change.  Although some users may still have application compatibility issues with legacy applications while running as standard user, we believe we will have enough fixes and shims to make the most commonly used applications work in a broad sense as standard user when Windows Vista is released.  We are confident that we will be successful in getting enough applications working and tested properly to make Standard User a successful experience.  In addition, we are hoping this change will encourage ISVs and developers to start writing their applications for Standard User as the default account under which those applications will be used.



We do expect some problems initially with applications that rely upon “self update” during runtime while running as standard user.  Games are the most common applications that typically fall into this category.  Self-updating applications are those that modify their binaries and perform installation during runtime.  Our goal is to encourage changes in these categories of applications, and we hope the impact of legacy applications will be minimal and will not limit very many consumers from running as standard user.



Please stay tuned to this blog for more exciting announcements, changes and improvements as we continuously analyze your feedback and apply that feedback to the product to ensure the best possible experience when we release.



David B. Cross
Director of Program Management
Windows Security


Comments (20)

  1. David Cross a Director of Program Management with Windows Security has posted today over at the UAC blog…

  2. Alun Jones says:

    IMHO, it’s about time!

    Or, in other words, congratulations for making this bold decision.

  3. I say "yay" to this post from David Cross:

    "We have subsequently made the decision that in [Windows…

  4. petal says:

    bit early for the 1st April, but I really laughed when I got the joke.

    but seriously, why not just do away with the Administrator account completely – if you force everyone to run as LUA then it eliminates the majority of security risks. How about safe-mode as the only way to install/update software…

    *chuckle*

  5. UAC says:

    Just so there is no misunderstanding, this is not a joke. This will be the behavior of Windows Vista.

    – Alex

  6. c says:

    THANK YOU! About time.

  7. orcmid says:

    I agree completely.  I think it is great for helping us start to have everyone contribute and apply safe-computing practices.

    But then, looking at petal’s chuckle, I say wow, what if installs could be done LUA too … well, click-once well-done will do it, and xcopy installs will do it, … so we’re not that far off as long as it is a simple case and is not installing a service.

    And it would be cool if installs could be done from LUA with spawned administrator processes under the ID of the account to install under.  Sort of Run As but with the identity of the user of the Run As (though validated with an administrator ID and password).  That would save a ton of time that I now spend elevating my account from LUA to Admin, doing the install, then restoring my LUA account to LUA.

    Nice work!

  8. some guy somewhere says:

    To further clarify, will the account(s) created during setup be non-admin too?

  9. Jeff Parker says:

    I think this is a great thing; however, like "some guy somewhere", what about the accounts created at setup? I see a ton of people sitting there that log in as "Owner" and that's it, that's all they log in as. Heck, most of them do not even know they can change their name; the whole family logs in as "Owner" because they do not know they can add other accounts. Most users know nothing about security, it is up to Microsoft to push it down. This also does no good as the actual Administrator account sits there with a blank password waiting for any hacker to come along and authenticate. Guest needs to be disabled by default; no one really uses guest anymore other than bad people. While there may be some uses I never see for it, so leave it there but disabled.

  10. MSDN Archive says:

    Jeff, since Windows XP, any account with a blank password cannot be authenticated over the network.

    In some very real ways, this means that Administrator with a blank password can be more secure than Administrator with a weak password.  Hackers could only attack the account from the local machine.

  11. Concerned parent says:

    Just in case someone doesn’t take this seriously, I think the point needs to be emphasised.

    Even when installing Vista for the first time, the extra user(s) should not need to remain in "admin approved" mode. The extra user(s) should be pushed (better still forced) into a standard account to start in with.

    Extra users SHOULD be encouraged as many people ARE IGNORANT and do not bother with additional accounts and would all be running as the Owner… Admin Approved.

  12. Alex says:

    To clarify for those who asked: The first account made during setup will be an administrator account in approval mode. The additional accounts will be standard user accounts.

    – Alex

  13. Natanael L says:

    The first account created during setup will be an admin account, and the rest will be standard users.

    Windows XP behaves exactly the same.

  14. Alex says:

    Natanael, it depends on how the account is created on Windows XP. For example, on my Media Center PC at home, all new accounts are administrators by default when I create them using the control panel create account wizard.

    – Alex

  15. Mantvydas says:

    Good move, but it has to be followed and supported cleverly and heavily.

    Oh… I imagine the support call waves as soon as any, say, gamer installs his ol’ game on a freshly baked Windows Vista… And the game companies won’t understand what’s going on!

    The problem with all the security issues nowadays is that applications fail to properly report why the error happened.

    Just take a look at a poor simple notepad, if it doesn’t have permissions on the file, and you try to save it: Cannot create the … file. Make sure the path and filename is correct!

    Notepad and others simply don’t understand that they don’t have rights here! Do you think a user will? Do you think a game company will, when a user will tell him: "My game just won’t run. It says: check the path!"

  16. Sam Gentile says:

    The last N&N was Feb 20, a month and 1/2 ago. I’m too busy being productive adding business value to our product to blog much considering I am still close to an intra-state move and dealing with the sale of one house and purchase of another. Meanwhile,

  17. It seems to me that the setup program should ask the user to supply a name and password for the local administrator account and suggest that they only use this account for admin tasks.  Then also ask for a username and password to set up a standard user account for their normal login.  If that is annoying then they can log in under the local administrator account and put themselves in the admin group.

  18. PSchuetz says:

    "To clarify for those who asked: The first account made during setup will be an administrator account in approval mode. The additional accounts will be standard user accounts.

    – Alex "

    Hey Alex,

    that’s very bad!

    Why don’t you create two accounts during Vista setup installation!

    One Admin and one standard user.

    Then after setup completes and first logon there will be a notice that explains the behavior and change.

    Then if you (want to) do your second login, you’re automatically logging in as the second standard user account or forced to do so with your password..! (No other login options/accounts are shown/available..! [only standard users..])

    Only this solution will improve the overall security and will "force" developers to develop and code their apps, games, etc. for standard user accounts..

    This will help the overall problem a lot!

    I hope you and your team are considering this..

    Every one wants this as the standard behavior for the Windows NT 6.0 OS setup 😉

    thx in advance.

    best regards,

    PSchuetz

  19. J Allen says:

    PSchuetz, thanks for the feedback. Because both administrators and standard users run with a standard user access token by default in Windows Vista, developers do have to ensure that their applications work (and work well) for the standard user.

    The built-in Administrator account is disabled by default on new installations. On upgrades, if the built-in Administrator is the only active local administrator account, it is kept enabled and placed into Admin Approval Mode. If there is another active local administrator account on upgrade, the built-in Administrator account is disabled.

    User Experience (UX) Defaults:

    -Admin Approval Mode default UX: Prompt for consent.

    -Standard user default UX: Prompt for credentials.

    -Jenn
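
An audit of the account layout this page describes, as an added example (not from the original post or its comments): it lists local accounts, marks which are members of the local Administrators group, and flags the built-in Administrator being enabled alongside another active local administrator. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, which postdate Windows Vista; the function name `Get-LocalAdminAudit` is hypothetical.

```powershell
# Added example, not from the original post. Requires the
# Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+).

function Get-LocalAdminAudit {
    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the lookup does not depend on the display language of the system.
    # Domain principals in the group are returned too, but only local
    # accounts are matched below.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { $_.SID.Value })

    foreach ($user in Get-LocalUser) {
        $sid = $user.SID.Value
        # RID 500 identifies the built-in Administrator, whatever its name.
        $isBuiltInAdmin = $sid -match '-500$'

        [pscustomobject]@{
            Name           = $user.Name
            Enabled        = $user.Enabled
            IsAdmin        = $adminSids -contains $sid
            BuiltInAdmin   = $isBuiltInAdmin
        }
    }
}

$accounts = @(Get-LocalAdminAudit)
$accounts | Format-Table -AutoSize

# Enabled local accounts that hold administrator rights.
$enabledAdmins = @($accounts | Where-Object { $_.Enabled -and $_.IsAdmin })
$otherAdmins   = @($enabledAdmins | Where-Object { -not $_.BuiltInAdmin })
$builtIn       = $accounts | Where-Object { $_.BuiltInAdmin }

$findings = @()
if ($builtIn -and $builtIn.Enabled -and $otherAdmins.Count -gt 0) {
    # The comments above state the built-in Administrator is disabled when
    # another active local administrator account exists.
    $findings += "Built-in Administrator '$($builtIn.Name)' is enabled although other local administrators exist."
}
if ($otherAdmins.Count -gt 1) {
    # Additional accounts are meant to be standard users unless an
    # administrator deliberately added them to the group.
    $findings += "Multiple enabled local administrators: $($otherAdmins.Name -join ', '). Confirm each was added deliberately."
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```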