Windows Vista Tips

Reverse Administrator/User Accounts?

 
 
CWLee
Guest
Posts: n/a

 
      06-20-2009

(Running Vista Ultimate 64-bit, SP-1, IE-7, classic mode.)

I currently have an administrator account I'll call AAA.
I currently have a user account I'll call BBB.
(I also have a guest account, turned off, which can be
ignored for this post.)

On account AAA I have done extensive personalization
(changing icons, removing some from desktop, etc.) which I
want to retain. Account BBB is just as it was produced when
I created it, and has rarely been used.

Heretofore I have used account AAA all the time, and have
not used account BBB. I have since been advised not to
operate in an administrator's account (AAA) for security
reasons, and that it is better to operate in a user account
(such as my BBB).

So, I'd like to reverse my two accounts, with BBB becoming
the administrator account, and AAA becoming my regular user
account. Here is how I propose doing that, and I'd like
some feedback on any risks or problems foreseen with this
scenario:

Change account BBB to be an administrator account. Then
change account AAA to be a user account. Then change name
of account AAA (temporarily) to CCC. Then change name of
account BBB to AAA. Then change account CCC to BBB. When
that process is complete I'd have account AAA with all my
current personalizations, but as a user account; account BBB
would be the plain and simple account, but the administrator
account hardly ever used.

Anyone see any problems with that approach? If I do this
will my security be better, in terms of protection from
viruses?

Other relevant comments welcome.
--
----------
CWLee
Former slayer of dragons; practice now limited to sacred
cows. Believing we should hire for quality, not quotas, and
promote for performance, not preferences.

 
Manny Weisbord
Guest
Posts: n/a

 
      06-20-2009
"CWLee" wrote:

>Heretofore I have used account AAA all the time, and have
>not used account BBB. I have since been advised not to
>operate in an administrator's account (AAA) for security
>reasons, and that it is better to operate in a user account
>(such as my BBB).


I've never heeded that advice... and even have UAC turned off.

I have so many backups of my entire system that I don't worry about
such matters... and my computing is SO much easier.
 
Bruce Chambers
Guest
Posts: n/a

 
      06-20-2009
CWLee wrote:
>
> (Running Vista Ultimate 64-bit, SP-1, IE-7, classic mode.)
>
> I currently have an administrator account I'll call AAA.
> I currently have a user account I'll call BBB.
> (I also have a guest account, turned off, which can be ignored for this
> post.)
>
> On account AAA I have done extensive personalization (changing icons,
> removing some from desktop, etc.) which I want to retain. Account BBB
> is just as it was produced when I created it, and has rarely been used.
>
> Heretofore I have used account AAA all the time, and have not used
> account BBB. I have since been advised not to operate in an
> administrator's account (AAA) for security reasons, and that it is
> better to operate in a user account (such as my BBB).
>
> So, I'd like to reverse my two accounts, with BBB becoming the
> administrator account, and AAA becoming my regular user account. Here
> is how I propose doing that, and I'd like some feedback on any risks or
> problems foreseen with this scenario:
>
> Change account BBB to be an administrator account. Then change account
> AAA to be a user account.



Yes, that would work.


> Then change name of account AAA (temporarily)
> to CCC. Then change name of account BBB to AAA. Then change account
> CCC to BBB.



Here's where you lose me. Why go through all these contortions with
renaming accounts? There's no point, and remember that the user profile
folders will *NOT* be renamed when you do this, so you'll end up with
AAA's account settings, portion of the registry, and data files stored
where they originally were, in the user profile labeled BBB, and BBB's
files and settings stored in the user profile AAA. At some point down
the road, this is bound to lead to some confusion.


> When that process is complete I'd have account AAA with all
> my current personalizations, but as a user account; account BBB would be
> the plain and simple account, but the administrator account hardly ever
> used.
>
> Anyone see any problems with that approach?



Again, I'd forego the renaming of the accounts, but otherwise it's OK.


> If I do this will my
> security be better, in terms of protection from viruses?
>



You will be more secure, yes.

Routinely using a computer with administrative privileges is not
without some risk. You will be much more susceptible to some types of
malware, particularly adware and spyware. While using a computer with
limited privileges isn't the cure-all, silver bullet that some claim it
to be, any experienced IT professional will verify that doing so
definitely reduces the amount of damage and depth of penetration by the
malware. If you do happen to get infected/infested while running as an
administrator, the odds are much greater that any malware will be
extremely difficult, if not impossible, to remove with formatting the
hard drive and starting anew. The intruding malware will have had the
same (administrative) privileges to all of the files on your hard drive
that you do.

A technically competent user who is aware of the risks and knows
how to take proper precautions can usually safely operate with
administrative privileges; I do so myself. But I certainly don't
recommend it for the average computer user.



--

Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html

http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
 
CWLee
Guest
Posts: n/a

 
      06-20-2009

"Bruce Chambers" wrote:

"Here's where you lose me. Why go through all these
contortions with renaming accounts? There's no point, ... "

Thanks for your advice and information. It is good to get a
lengthy, thought-out, on target reply.

The end result I'd like is to log onto a (USER) account with
the name AAA that has the current personalizations that my
current AAA (ADMINISTRATOR) account has. I'm the only
person who uses this account, but I'm trying to get the
increased security you mention while at the same time
keeping the current personalizations I have on my
Administrator account. (I know I could just re-configure my
User account to match those personalizations, but that is a
LOT of effort, and some of it I don't even remember how I
did nearly 18 months ago. Things like getting rid of icons
for the Recycle Bin, and changing icons on programs that
want to keep their own logo-icons, etc.)

I appreciate your attention and insights, and if you have
other ways to achieve my goal I'd appreciate it. As a
practical matter to me, I don't fully understand the
implications of "the user profile folders will *NOT* be
renamed when you do this, so you'll end up with AAA's
account settings, portion of the registry, and data files
stored where they originally were, in the user profile
labeled BBB, and BBB's files and settings stored in the user
profile AAA. At some point down the road, this is bound to
lead to some confusion."

Again, thank you very much for your attention, and I look
forward to any further insights you can provide to help me
achieve my goal.

Bruce Chambers
Guest
Posts: n/a

 
      06-20-2009
CWLee wrote:
>
> "Bruce Chambers" wrote:
>
> "Here's where you lose me. Why go through all these contortions with
> renaming accounts? There's no point, ... "
>
> Thanks for your advice and information. It is good to get a lengthy,
> thought-out, on target reply.
>
> The end result I'd like is to log onto a (USER) account with the name
> AAA that has the current personalizations that my current AAA
> (ADMINISTRATOR) account has. I'm the only person who uses this account,
> but I'm trying to get the increased security you mention while at the
> same time keeping the current personalizations I have on my
> Administrator account. (I know I could just re-configure my User
> account to match those personalizations, but that is a LOT of effort,
> and some of it I don't even remember how I did nearly 18 months ago.
> Things like getting rid of icons for the Recycle Bin, and changing
> icons on programs that want to keep their own logo-icons, etc.)
>



Changing the AAA Account from an administrative account to a limited
account won't change any of those "personalizations."


> I appreciate your attention and insights, and if you have other ways to
> achieve my goal I'd appreciate it.



Simply change the permissions levels of the two accounts, as you'd
already planned. None of the customizations or "personalizations" of
either account will be affected.


> As a practical matter to me, I don't
> fully understand the implications of "the user profile folders will
> *NOT* be renamed when you do this, so you'll end up with AAA's account
> settings, portion of the registry, and data files stored where they
> originally were, in the user profile labeled BBB, and BBB's files and
> settings stored in the user profile AAA. At some point down the road,
> this is bound to lead to some confusion."
>


The user profile folders (C:\Users\UserName) are protected system files
and, once created, *cannot* be renamed, even if the associated user
logon account has been renamed.

This means that if you rename account AAA to BBB, its data files,
desktop icons, Internet Explorer favorites, etc., will all still be
located under the C:\Users\AAA folder hierarchy. (And BBB's files,
favorites, etc., will be in the C:\Users\BBB folder hierarchy even
though the account has been renamed to AAA.) This would make it awfully
easy to mistakenly modify, move, copy or delete the wrong file or folder
when working with Windows Explorer.


--

Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html

http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
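
The mismatch described in the reply above can be checked directly, because Windows keys each profile folder to the account's SID, which does not change when the account is renamed or moved between the Administrators and Users groups. This is an added example, not part of any post in this thread: a read-only Windows PowerShell listing that assumes it is run on the machine in question; the output column names are illustrative.

```powershell
# Added example: read-only audit of local accounts, their profile folders
# and Administrators membership. Nothing on the system is modified.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Resolve the built-in Administrators group by its well-known SID,
# because the group's display name is localized.
$adminSid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminGroup = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Names of the direct members of the local Administrators group.
# Limitation: members are compared by bare name, which is adequate for a
# standalone PC but would not distinguish a same-named domain account.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/$adminGroup,group"
$admins = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

Get-ChildItem $profileList | ForEach-Object {
    $sidText = $_.PSChildName

    # Keep ordinary user accounts (S-1-5-21-...); skip service profiles such as S-1-5-18.
    if ($sidText -notlike 'S-1-5-21-*') { return }

    # The folder recorded when the profile was first created.
    $path = (Get-ItemProperty $_.PSPath).ProfileImagePath

    try {
        # Current logon name for this SID; this is what changes on a rename.
        $sid  = New-Object System.Security.Principal.SecurityIdentifier $sidText
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    } catch {
        $name = '<account deleted>'   # profile left behind by a removed account
    }

    New-Object PSObject -Property @{
        Account       = $name
        IsAdmin       = ($admins -contains $name)
        ProfileFolder = $path
        # True when the folder name no longer matches the logon name,
        # for example after the account has been renamed.
        NameMismatch  = ((Split-Path $path -Leaf) -ne $name)
        SID           = $sidText
    }
} | Format-Table Account, IsAdmin, ProfileFolder, NameMismatch, SID -AutoSize
```

After swapping only the account types, AAA should show `IsAdmin` False with its profile folder unchanged; a `NameMismatch` of True marks a profile whose folder is still named after an earlier logon name.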
 
CWLee
Guest
Posts: n/a

 
      06-21-2009

Thanks,

"Bruce Chambers" wrote:

"The user profile folders (C:\Users\UserName) are protected
system files and, once created, *cannot* be renamed, even if
the associated user logon account has been renamed. This
means that ... "

OK, I'm beginning to understand - I think. When an account
is first created, whether as an administrator or user
account, it is given a "birth name" which remains forever in
the system bowels/archives, even if the "working name" is
changed several times, and whatever the administrator/user
assignment happens to be at any particular time. Any
attempts later to modify files or programs associated with
an account cannot be reliably found using the "working
name" - one would have to know and use the "birth name."

Am I close?

Again, many thanks.
