default user access rights vista

I've had four people using Vista beta test my software and all three have reported problems related to not being able to write to the application folder. All right, I can fix that if I have to and send everything to AppData. The update utility for my software doesn't work since it can't write the new executable to the installation folder. All right, I can use a manifest to request admin rights for the app though it's unfortunate that the user has to answer the "Do you really want to let this program have admin rights?" question that will bid posed every time the updater runs. But my app also has a critical time synch function that won't work due to the user's rights being restricted. Getting around this is proving a serious hassle. So my questions:
1) It appears that the default user account is a restricted account limiting the above types of operations. Will every PC that is sold to home users be configured like this in the box or will the default user accounts have the same access rights as what customers get when they buy a PC with XP Home today?
2) If it appears that the answer to question 1 is Microsoft plans to make the default user account limited in the manner described above is this carved in stone? It will break a LOT of existing applications and make it very difficult for them to be updated to keep the same features while running on Vista (the time synch feature being my biggest concern).
Is Microsoft taking feedback from independent developers on this and if so where and how?
Thanks!

1) It appears that the default user account is a restricted account limiting the above types of operations. Will every PC that is sold to home users be configured like this in the box or will the default user accounts have the same access rights as what customers get when they buy a PC with XP Home today?

I believe so. Not sure if UAP (user account protection) will be on by default in all versions, but it may well be.

2) If it appears that the answer to question 1 is Microsoft plans to make the default user account limited in the manner described above is this carved in stone? It will break a LOT of existing applications and make it very difficult for them to be updated to keep the same features while running on Vista (the time synch feature being my biggest concern).

Not necessarily. Applications should run just as they do on XP, except as an extra security question to make sure they know that running an unsigned application is dangerous yada yada. Check out this :o) http://www.vistabase.co.uk/welcome.php?subcats/security/whatisuap

Is Microsoft taking feedback from independent developers on this and if so where and how?

Yeh, http://go.microsoft.com/fwlink/?LinkId=43655 links to the Microsoft Beta Client enabling you to anonymously file reports. If your Passport account is not registered by Connect as on the beta program, it won't let you file it, so make sure you tick the "Send this report anonymously" when you do :o)
-- Zack Whittaker » ZackNET Enterprises: www.zacknet.co.uk » MSBlog on ResDev: www.msblog.org » Vista Knowledge Base: www.vistabase.co.uk » This mailing is provided "as is" with no warranties, and confers no rights. All opinions expressed are those of myself unless stated so, and not of my employer, best friend, Ghandi, my mother or my cat. Glad we cleared that up!
--- Original message follows --- "Dan" wrote in message

I've had four people using Vista beta test my software and all three have reported problems related to not being able to write to the application folder. All right, I can fix that if I have to and send everything to AppData. The update utility for my software doesn't work since it can't write the new executable to the installation folder. All right, I can use a manifest to request admin rights for the app though it's unfortunate that the user has to answer the "Do you really want to let this program have admin rights?" question that will bid posed every time the updater runs. But my app also has a critical time synch function that won't work due to the user's rights being restricted. Getting around this is proving a serious hassle. So my questions:
1) It appears that the default user account is a restricted account limiting the above types of operations. Will every PC that is sold to home users be configured like this in the box or will the default user accounts have the same access rights as what customers get when they buy a PC with XP Home today?
2) If it appears that the answer to question 1 is Microsoft plans to make the default user account limited in the manner described above is this carved in stone? It will break a LOT of existing applications and make it very difficult for them to be updated to keep the same features while running on Vista (the time synch feature being my biggest concern).
Is Microsoft taking feedback from independent developers on this and if so where and how?
Thanks!

"Zack Whittaker (R2 Mentor)" wrote in message

1) It appears that the default user account is a restricted account limiting the above types of operations. Will every PC that is sold to home users be configured like this in the box or will the default user accounts have the same access rights as what customers get when they buy a PC with XP Home today?
I believe so. Not sure if UAP (user account protection) will be on by default in all versions, but it may well be.

By "I believe so" which do you mean? That the typical Vista machine sold to home users will have these limitations or that they will have the same access rights as today's XP Home systems come configured with?

2) If it appears that the answer to question 1 is Microsoft plans to make the default user account limited in the manner described above is this carved in stone? It will break a LOT of existing applications and make it very difficult for them to be updated to keep the same features while running on Vista (the time synch feature being my biggest concern).
Not necessarily. Applications should run just as they do on XP, except as an extra security question to make sure they know that running an unsigned application is dangerous yada yada. Check out this :o) http://www.vistabase.co.uk/welcome.php?subcats/security/whatisuap

That extra security question is a major problem. My app can be configured by the user to start when Windows starts and is designed to be able to run unattended. Requiring an an interactive response from the user breaks this.
I read the article in the above link an there is no "Local Security Policy" entry in the Control Panel nor can secpol.msc be found. I'm looking an an XP Home SP2 system with all the latest patches.

Is Microsoft taking feedback from independent developers on this and if so where and how?
Yeh, http://go.microsoft.com/fwlink/?LinkId=43655 links to the Microsoft Beta Client enabling you to anonymously file reports. If your Passport account is not registered by Connect as on the beta program, it won't let you file it, so make sure you tick the "Send this report anonymously" when you do :o)

Clicking the above link brings up a prompt to download and install Microsoft Beta Client.msi. What is it and what will installing it on an XP Home system do?

The Microsoft BETA Client is used to report issues with Microsoft pre-release software, you can install it on either Vista or XP Home and report your issues anonymously as Zack recommended. Of course your reports will not be taken into consideration since they are already swamped with reports from the technical beta program. -- -- Andre Windows Connect | http://www.windowsconnected.com Extended64 | http://www.extended64.com Blog | http://www.extended64.com/blogs/andre http://spaces.msn.com/members/adacosta
"Dan" wrote in message

"Zack Whittaker (R2 Mentor)" wrote in message
1) It appears that the default user account is a restricted account limiting the above types of operations. Will every PC that is sold to home users be configured like this in the box or will the default user accounts have the same access rights as what customers get when they buy a PC with XP Home today?
I believe so. Not sure if UAP (user account protection) will be on by default in all versions, but it may well be.
By "I believe so" which do you mean? That the typical Vista machine sold to home users will have these limitations or that they will have the same access rights as today's XP Home systems come configured with?
2) If it appears that the answer to question 1 is Microsoft plans to make the default user account limited in the manner described above is this carved in stone? It will break a LOT of existing applications and make it very difficult for them to be updated to keep the same features while running on Vista (the time synch feature being my biggest concern).
Not necessarily. Applications should run just as they do on XP, except as an extra security question to make sure they know that running an unsigned application is dangerous yada yada. Check out this :o) http://www.vistabase.co.uk/welcome.php?subcats/security/whatisuap
That extra security question is a major problem. My app can be configured by the user to start when Windows starts and is designed to be able to run unattended. Requiring an an interactive response from the user breaks this.
I read the article in the above link an there is no "Local Security Policy" entry in the Control Panel nor can secpol.msc be found. I'm looking an an XP Home SP2 system with all the latest patches.
Is Microsoft taking feedback from independent developers on this and if so where and how?
Yeh, http://go.microsoft.com/fwlink/?LinkId=43655 links to the Microsoft Beta Client enabling you to anonymously file reports. If your Passport account is not registered by Connect as on the beta program, it won't let you file it, so make sure you tick the "Send this report anonymously" when you do :o)
Clicking the above link brings up a prompt to download and install Microsoft Beta Client.msi. What is it and what will installing it on an XP Home system do?

By "I believe so" which do you mean? That the typical Vista machine sold to home users will have these limitations or that they will have the same access rights as today's XP Home systems come configured with?

Sometimes it's not easy to give 100% accurate answers when there is still a lot of speculation going round, as well as them not letting information public. I say "I believe so" as in "more than 50% chance of it being correct". That's usually enough to please the crowd :o)

I read the article in the above link an there is no "Local Security Policy" entry in the Control Panel nor can secpol.msc be found. I'm looking an an XP Home SP2 system with all the latest patches.

Control Panel > Administrative Tools. It's in there, and on an Home SP2 machine... no it's not there. Only on XP Pro.
-- Zack Whittaker » ZackNET Enterprises: www.zacknet.co.uk » MSBlog on ResDev: www.msblog.org » Vista Knowledge Base: www.vistabase.co.uk » This mailing is provided "as is" with no warranties, and confers no rights. All opinions expressed are those of myself unless stated so, and not of my employer, best friend, Ghandi, my mother or my cat. Glad we cleared that up!
--- Original message follows --- "Dan" wrote in message

"Zack Whittaker (R2 Mentor)" wrote in message
1) It appears that the default user account is a restricted account limiting the above types of operations. Will every PC that is sold to home users be configured like this in the box or will the default user accounts have the same access rights as what customers get when they buy a PC with XP Home today?
I believe so. Not sure if UAP (user account protection) will be on by default in all versions, but it may well be.
By "I believe so" which do you mean? That the typical Vista machine sold to home users will have these limitations or that they will have the same access rights as today's XP Home systems come configured with?
2) If it appears that the answer to question 1 is Microsoft plans to make the default user account limited in the manner described above is this carved in stone? It will break a LOT of existing applications and make it very difficult for them to be updated to keep the same features while running on Vista (the time synch feature being my biggest concern).
Not necessarily. Applications should run just as they do on XP, except as an extra security question to make sure they know that running an unsigned application is dangerous yada yada. Check out this :o) http://www.vistabase.co.uk/welcome.php?subcats/security/whatisuap
That extra security question is a major problem. My app can be configured by the user to start when Windows starts and is designed to be able to run unattended. Requiring an an interactive response from the user breaks this.
I read the article in the above link an there is no "Local Security Policy" entry in the Control Panel nor can secpol.msc be found. I'm looking an an XP Home SP2 system with all the latest patches.
Is Microsoft taking feedback from independent developers on this and if so where and how?
Yeh, http://go.microsoft.com/fwlink/?LinkId=43655 links to the Microsoft Beta Client enabling you to anonymously file reports. If your Passport account is not registered by Connect as on the beta program, it won't let you file it, so make sure you tick the "Send this report anonymously" when you do :o)
Clicking the above link brings up a prompt to download and install Microsoft Beta Client.msi. What is it and what will installing it on an XP Home system do?

"Zack Whittaker (R2 Mentor)" wrote in message

By "I believe so" which do you mean? That the typical Vista machine sold to home users will have these limitations or that they will have the same access rights as today's XP Home systems come configured with?
Sometimes it's not easy to give 100% accurate answers when there is still a lot of speculation going round, as well as them not letting information public. I say "I believe so" as in "more than 50% chance of it being correct". That's usually enough to please the crowd :o)

Again, 50% chance of WHICH being correct? That the typical Vista machine sold to home users will have these limitations or that they will have the same access rights as today's XP Home systems come configured with? Which answer are you giving?

Lovely, ain't it?
I've run the February CTP for an afternoon, and haven't installed *anything* other than the OS itself. It's quite frustrating having to respond to this "do you wish to allow [...] to run?" message every 45 seconds just navigating around--again, I didn't have any third-party software installed yet. If the OS won't trust itself, I can only imagine what the Vista experience is gonna be like once you load up a few rogue apps.
Constantly asking clueless users for permission to allow things to run isn't the way to implement security. They'll just get frustrated and blindly click Yes on everything. I haven't really done any testing in that area, but if you can disable these warnings by running under some admin account, most people will do just that, leaving their systems wide open, and thus most people's PCs are gonna end up as insecure as they are today, if not more.


Heck, I'm tired of people calling me *today* every time their anti-virus tells them it intercepted something and they don't know what to do about it (the correct response: your anti-virus intercepted it, so there's nothing for you to do except to stop visiting those porn sites). This will only further confuse and scare your grandma away from using PCs.

Again, 50% chance of WHICH being correct?

LOL, heads or tails, what does it matter when the odds are the same for either outcome?

Dan wrote:

I've had four people using Vista beta test my software and all three have reported problems related to not being able to write to the application folder. All right, I can fix that if I have to and send everything to AppData. The update utility for my software doesn't work since it can't write the new executable to the installation folder. All right, I can use a manifest to request admin rights for the app though it's unfortunate that the user has to answer the "Do you really want to let this program have admin rights?" question that will bid posed every time the updater runs. But my app also has a critical time synch function that won't work due to the user's rights being restricted. Getting around this is proving a serious hassle. So my questions:
1) It appears that the default user account is a restricted account limiting the above types of operations. Will every PC that is sold to home users be configured like this in the box or will the default user accounts have the same access rights as what customers get when they buy a PC with XP Home today?

Vista implements the same basic security model as XP. Accounts belong to one of a set of groups, and are granted a number of privileges. Different groups have differing sets of default privileges.
The biggest difference in Vista is UAP, which effectively strips users of any administrative privileges under normal circumstances.
If your application is built to work properly with XP security and not rely on assumed administrative privileges, it should work ok on Vista.
However, as is clear from previous conversations, you do currently rely on users running with administrative privileges. And therefore your application will break in Vista (at least in an OOB configuration).
You are not alone in this, of course. There are lots of software vendors who have still not yet fully adjusted to the NT security model. And there are a whole bunch of network administrators like me cursing you all (and trying to persuade you to "get with the program").
How often does your application need to self-update? There are very few applications that _should_ need to do so on any kind of frequent basis (anti-malware applications are the major ones), and most should expect that an administrator would be the one performing updates. Is it really so much hassle that updates must be approved? That aside, if your application installs a service of any kind, that can have the necessary privileges to update itself, and Windows Installer has capabilities to support self-updates too (IIRC, it's called "elevated privileges").
If you can make your application work on XP with a regular User account (ie no administrative privileges), the likelihood of Vista breaking it will drop dramatically.

2) If it appears that the answer to question 1 is Microsoft plans to make the default user account limited in the manner described above is this carved in stone? It will break a LOT of existing applications and make it very difficult for them to be updated to keep the same features while running on Vista (the time synch feature being my biggest concern).

Ability to change the system clock is (AIUI) one of the privileges that will be added to the default privileges of a regular user account. Though I'm struggling to understand why any developer would be building time synchronisation features into an application when the OS has the ability to do so natively. I would not regard the system time to be any business of an application. Having said that, there's nothing preventing you from adding that privilege to the Users group during installation.
-- Steve Foster [SBS MVP] --------------------------------------- MVPs do not work for Microsoft. Please reply only to the newsgroups.