Results 1 to 10 of 10
  1. #1
    New Lounger
    Join Date
    Jun 2015
    Location
    France
    Posts
    11
    Thanks
    9
    Thanked 0 Times in 0 Posts

    What folder for data common to all users ?

    Having just reinstalled, I thought it a good idea to craft two user accounts for myself, one with administrator privileges, the other without. This being to follow the common safety advice to use a non-administrator account most of the time, and an administrator account only when installing software or making changes to the system.

    However, I'm now faced with the problem that I need the same access to my data from both accounts. For instance, I need to restore my database of passwords for Kee Pass. Or my .pst files for Outlook. Where should that go ? ProgramData ? Users\All Users ? Users\Public ? Is there a way to make Users\Me as an administrator\AppData\Roaming accessible to Users\Me as a standard user ?

    Coming to think of it, I would also need access from both accounts to what usually goes into the My Documents folder : Word documents, spreadsheets, etc. Does Windows offer a solution ? Is this idea of two user accounts for the same person even workable ?

    And by the way, is it still advisable to only browse the Internet from a non-administrator account most of the time, or is that suggestion obsolete ?

    Mine is a non-networked PC used by a single person, and for what it's worth (although I doubt it's relevant), I have transferred my ProgramData folder and my Users folder from my C: system drive to my D: data drive, through an answer file by Sysprep.

    Thanks.

  2. #2
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,203
    Thanks
    49
    Thanked 987 Times in 917 Posts
    You could put everything in the standard user My Documents and then add that location to the admin user's library.

    Running everything as a non-admin user is safest.

    cheers, Paul

  3. The Following User Says Thank You to Paul T For This Useful Post:

    Clairvaux (2015-10-17)

  4. #3
    New Lounger
    Join Date
    Jun 2015
    Location
    France
    Posts
    11
    Thanks
    9
    Thanked 0 Times in 0 Posts

    Library-phobe here

    I hadn't thought of that.

    However, I'm somewhat library-adverse . I can't understand their logic, and every time I've tried to study them, it seemed to me they were full of limitations and quirks.

    Any chance of a library-free solution ?

  5. #4
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,203
    Thanks
    49
    Thanked 987 Times in 917 Posts
    Library is just a holder of links to your file locations. Bit like having favourites in your browser.

    cheers, Paul

  6. #5
    New Lounger
    Join Date
    Dec 2009
    Location
    Australia
    Posts
    19
    Thanks
    1
    Thanked 2 Times in 2 Posts
    You need to think about when you would use the admin account. Typically it would be for things like installing software or making other system changes. Why would you need access to your old emails (for example) when doing that?
    The whole point of a separate account is that some nasty that you might have been sent in an email or that exists in your download folder cannot be triggered by the administrator.

    Having said that, I do not even use the "my documents" etc. All my photos, music, word docs, keypass db files and so on are in folders on a separate hdd that anyone in the house can access, although we have separate logins.
    Most programs have ways to define default working folders, or remember the previous ones you used.

    Most stuff kept under Roaming does not need to be shared, and it is often better from a security standpoint to not do so. The last thing you would want to share, for example, is browser configuration and plugins. Also, when you are troubleshooting program issues it is usually better not to share the same config files.

    I have defined libraries on my Win 7 systems to include folders on my other drives, but rarely use them. I normally just browse to the drive directly.
    Last edited by Cameron; 2015-10-17 at 09:36. Reason: write english

  7. The Following User Says Thank You to Cameron For This Useful Post:

    Clairvaux (2015-10-17)

  8. #6
    New Lounger
    Join Date
    Jun 2015
    Location
    France
    Posts
    11
    Thanks
    9
    Thanked 0 Times in 0 Posts
    Paul T,

    Library is just a holder of links to your file locations.

    Up to now, I used Windows Explorers' Favorites for that, which I found fast and easy. What's the difference with using Libraries as a collection of links to folders ? I read somewhere Librairies are limited to 60 folders (I think), which, if true, looks very limiting to me.
    Last edited by Clairvaux; 2015-10-17 at 15:22.

  9. #7
    WS Lounge VIP access-mdb's Avatar
    Join Date
    Dec 2009
    Location
    Oxfordshire, UK
    Posts
    1,729
    Thanks
    148
    Thanked 156 Times in 149 Posts
    My documents library has 494 folders and my pictures one has 521. I don't think that favourites would handle that many...

  10. The Following User Says Thank You to access-mdb For This Useful Post:

    Clairvaux (2015-10-17)

  11. #8
    New Lounger
    Join Date
    Jun 2015
    Location
    France
    Posts
    11
    Thanks
    9
    Thanked 0 Times in 0 Posts
    Cameron,

    Your post got me thinking.

    I do not even use the "my documents" etc.
    Brilliant. Why not dispense altogether with Microsoft's obligatory User Profiles ? Just stick your own Documents folder on the root of your D: data drive (or equivalent), throw everything into that, and access it in a similar manner from your Me as an administrator or Me as a standard user account. Any drawbacks to that approach ?

    Most programs have ways to define default working folders, or remember the previous ones you used.
    Indeed, and I always take advantage of that. However, there's no way all programs will offer a custom location for all their data.

    I always install software in my own, custom Installed Software folder on the root of drive C:, whenever offered the possibility. But most (all ?) Microsoft software, and a certain amount of non-Microsoft software, will force their way into Program Files or Program Files (x86) without asking. At least I have most of my applications filed in an explicit and tidy manner, the way I want it, and then I have to live with a heap of garbage next door.

    You need to think about when you would use the admin account. Typically it would be for things like installing software or making other system changes. Why would you need access to your old emails (for example) when doing that ?
    I'll tell you why. Right now, I'm reinstalling. It's a tedious process spread over several days. I need to ask for assistance on Windows Secrets Lounge. My login details to the forum are stored in Kee Pass. So I need to access it from my administrator account.

    I just tried the opposite approach to post this reply. Up to now, I kept my old habit of using by default my administrator account. Now I'm writing this from my standard account. I summoned Kee Pass. I had to point it manually to its main database. And the customization that I had done to Kee Pass, when accessing it from my administrator account, was lost.

    Another example : before nuking my disks for reinstall, I prepared an Excel spreadsheet with all driver details. I need to access this precisely when reinstalling under my administrator account.

    The last thing you would want to share, for example, is browser configuration and plugins.
    Why ? Actually, this is one of the first things I would like to share. A browser is one of the first things you need in any situation. When I open a browser, immediately after reinstall, I am assaulted by huge advertisements I never see usually because I have ad blockers in place (ads being a safety risk on top of being a nuisance), I don't surf safely because my script-blocker is gone, my browser is out-of-date therefore open to exploits, and generally all the commands and menus I'm accustomed to have vanished.

    This, I think, is the main problem of maintaining separate user and administrator accounts : you lose all the small adjustments that you make day after day, and which make your machine familiar, responsive and efficient (not to mention safe), precisely at the moment you need the best power tool available to do something critical to your system.

    I tried to alleviate it by customizing my PC in Audit Mode, then applying an Answer File via Sysprep, but first the amount of customization you can retain this way is limited, second I gave up before the end because the rest of the install phase was so long.

    Is there a way to make both user accounts similar, and have them stay that way ? If there is one, I did not find it.

    For instance, it seems to me you can't share a single Start Menu. This is my main dashboard, and I spend considerable time refining it over time. If I suddenly lose it when switching to Administrator account, precisely when I need to to something with many programs filed in the Start Menu, this is a major deterrent.

    I can accept to go through the hoops of switch user / wait for logon screen / type password / do your stuff / switch back / wait again / type password again / back to normal, but if that means working in an environment where nothing is familiar and no command is where it used to be, I'm not so sure.

  12. #9
    New Lounger
    Join Date
    Dec 2009
    Location
    Australia
    Posts
    19
    Thanks
    1
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by Clairvaux View Post
    Brilliant. Why not dispense altogether with Microsoft's obligatory User Profiles ?
    You cannot avoid them altogether - for example that is where each user's registry file is stored. You'd be a brave person to try to have two accounts using the one registry file.


    Just stick your own Documents folder on the root of your D: data drive (or equivalent), throw everything into that, and access it in a similar manner from your Me as an administrator or Me as a standard user account. Any drawbacks to that approach ?
    The only drawback is unavoidable - malware you get as a non-privileged user has access to all those files. But those would otherwise be the same files under that user's "My Documents" so the risk is no different.
    I'm not sure if you know, but with the special folders - "My Documents", "My Music", etc you can right click -> properties and there is a "location" tab that allows you to officially relocate them to another drive and still retain their special meaning. Whether you can relocate this for two users to the same folder I have never tried.

    I always install software in my own, custom Installed Software folder on the root of drive C:, whenever offered the possibility. But most (all ?) Microsoft software, and a certain amount of non-Microsoft software, will force their way into Program Files or Program Files (x86) without asking. At least I have most of my applications filed in an explicit and tidy manner, the way I want it, and then I have to live with a heap of garbage next door.
    I read once that on 64-bit systems there are certain automatic assumptions about 32 vs 64 bit dlls (or was it registry entries?) that are tied to whichever installation location is used. As a result, I've never been game to use nonstandard locations for program files, except for self-contained programs that run without needing installation.

    My login details to the forum are stored in Kee Pass. So I need to access it from my administrator account.
    That one's easy. The encrypted database is in a file you can easily place wherever you like. The configuration seems to be in a single xml file that you can copy from one user's roaming profile to the other, after you have set it up how you like.

    Why ? Actually, this is one of the first things I would like to share. A browser is one of the first things you need in any situation. When I open a browser, immediately after reinstall, I am assaulted by huge advertisements I never see usually because I have ad blockers in place (ads being a safety risk on top of being a nuisance), I don't surf safely because my script-blocker is gone, my browser is out-of-date therefore open to exploits, and generally all the commands and menus I'm accustomed to have vanished.
    The browser itself should not have multiple installations, so one update should work for all users. However plugins are sometimes a different matter. But that is the point. If I am in a critical environment, I will deliberately not use the browser I am familiar with. I have one with no flash at all, no java, and so on.

    This, I think, is the main problem of maintaining separate user and administrator accounts : you lose all the small adjustments that you make day after day, and which make your machine familiar, responsive and efficient (not to mention safe), precisely at the moment you need the best power tool available to do something critical to your system.

    Is there a way to make both user accounts similar, and have them stay that way ? If there is one, I did not find it.

    For instance, it seems to me you can't share a single Start Menu. This is my main dashboard, and I spend considerable time refining it over time. If I suddenly lose it when switching to Administrator account, precisely when I need to to something with many programs filed in the Start Menu, this is a major deterrent.

    I can accept to go through the hoops of switch user / wait for logon screen / type password / do your stuff / switch back / wait again / type password again / back to normal, but if that means working in an environment where nothing is familiar and no command is where it used to be, I'm not so sure.
    If your aim here is maximum security then, for the most part, the two users do not run the same software. The power tools should not even be on the menu of the ordinary user. The administrator should not be running software with all your favourite bells and whistles attached. The admin user does not need all the fine tuning - you just need to get in, do the task and get out again.

    Having given you all this free advice, I need to confess that I do not run separate accounts. I do everything on an account as a member of admin group. I just hope I keep up to date with understanding all the possible ways I can get attacked, and trust that, because I am a harder target than most, I will avoid all the more trivial attacks.
    Probably the most worrying prospect for me would be the encryption-extortion malware. But in this case being a low privilege user won't stop that causing havoc.

    Having split user privileges is no panacea - you will need to be just as vigilant and updated either way. It is simply an extra layer of security, which in some circumstances will be useful and in others make no difference. If you go to the trouble of having split users, but then share as much as possible, you may substantially decrease the fraction of occasions when it performs any useful function.
    I have no idea of the numbers, but let's say having split users saves you from 50% of malware infections, then sharing as much as possible might instead save you from only 25%.

  13. #10
    New Lounger
    Join Date
    Jun 2015
    Location
    France
    Posts
    11
    Thanks
    9
    Thanked 0 Times in 0 Posts
    I'm not sure if you know, but with the special folders - "My Documents", "My Music", etc you can right click -> properties and there is a "location" tab that allows you to officially relocate them to another drive and still retain their special meaning. Whether you can relocate this for two users to the same folder I have never tried.
    Yes, I'm aware of that. I went one step further, and relocated the whole Users and ProgramData folders to my D: drive through Audit Mode and Sysprep. So all my AppData folders are on D:, and of course all my My folders.

    I read once that on 64-bit systems there are certain automatic assumptions about 32 vs 64 bit dlls (or was it registry entries?) that are tied to whichever installation location is used. As a result, I've never been game to use nonstandard locations for program files, except for self-contained programs that run without needing installation.
    I've never had any trouble doing this. I mean : obvious trouble. Things not working right away. I tend to assume that, if the installer offers you to change the default location, it's safe to do. I just hope that some of the creeping anomalies that drove me to reinstall don't stem from this.

    The configuration seems to be in a single xml file that you can copy from one user's roaming profile to the other, after you have set it up how you like.
    The trouble is : there is no immutable configuration that I set once and for all. I'm constantly adjusting them.

    If I am in a critical environment, I will deliberately not use the browser I am familiar with. I have one with no flash at all, no java, and so on.
    I understand the approach. Mine is the opposite : my regular browser has scripting de-activated by default, and the kill flash button is one click away. Which is probably a moot point anyway : while I can read information websites for a long time without needing Java or even Flash, Microsoft won't let me fully browse its support site or download software with a neutered browser. So I have to assume Microsoft is a safe site (a reasonable assumption, I think), and take off protection.

    The power tools should not even be on the menu of the ordinary user. The administrator should not be running software with all your favourite bells and whistles attached. The admin user does not need all the fine tuning - you just need to get in, do the task and get out again.
    The ordinary user is... me. Why should I deprive myself of power tools, in a mode which is presumed to be safer than the administrator mode ?

    As for bells and whistles in administrator mode, let's take the car metaphor. I have a perfectly fine-tuned car, which I know and like. I know how it reacts and I can master it. I usually ride with my family for week-ends. One day, I need to drive it fast, for some emergency. Will I a) throttle the power, b) tear off half the dashboard and instruments, c) put the clutch on the right side instead of the left, because the manufacturer told me it's safer ?

    No. I will drive fast, knowing it's more dangerous, but being more alert, taking confidence in the fact that I have educated myself to know the car all those years, and taught it to behave as I need, when I need it.

    And another metaphor. I'm a cop. I get called to the scene of a crime in progress. Before leaving the precincts, I take care to store my gun in the locker... because... there's a bad guy over there... and he could just grab it from me and shoot me. Hum, no.

    Besides...

    Having given you all this free advice, I need to confess that I do not run separate accounts. I do everything on an account as a member of admin group. I just hope I keep up to date with understanding all the possible ways I can get attacked, and trust that, because I am a harder target than most, I will avoid all the more trivial attacks.
    That's been my approach, too. You tend to confirm that this administrator/standard account advice is essentially an IT department point of view. Or the point of view of Microsoft speaking to the mass market.

    Unfortunately, Windows does not seem to be designed for dual user accounts for the same person.

    If you go to the trouble of having split users, but then share as much as possible, you may substantially decrease the fraction of occasions when it performs any useful function.
    Food for thought.

    Thank you for sharing your experience and for a very interesting discussion.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •