Microsoft’s logon model problem

After using Windows in one version or another for many years, I got myself an Apple iBook just three months ago. I use that iBook for everything I can, that is, everything except developing applications, since my customers are still stuck with Windows. What has struck me with the iBook is that working as a non-admin on these machines is absolutely no problem, while it’s an incredible pain in the derriere if you try to do that under Windows.

If you work under a non-admin account on Windows 2000 or XP, you very often get stuck due to lack of rights. Or, even worse, stuff happens to your apps that shouldn’t happen, simply because the people that developed those apps didn’t think to test under non-admin accounts. For example, the otherwise (almost) excellent accounting program I use can’t do backups if you don’t have admin rights. That in itself could be regarded as a feature, were it not that the program pops up an unintelligible dialog box about folder permissions instead of telling you to go get an administrator. In other words, it is not a feature, it’s a bug.

The same accounting program has another bug that is much worse. If you try to remove a company from the program and you’re not a local administrator, it corrupts the database. It starts out by removing some entries about the company, then tries to remove the database for that company and fails, leaving the database in an inconsistent state. Now, this is ridiculous. Obviously, the developers worked as local admins on their machines and never even tested under non-admin accounts, since hardly anyone runs that way, anyway.
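The corruption described above comes from doing the step that can fail after the step that cannot be undone. The following is an added example (not code from the accounting program, which I do not have): a constructed in-memory model of the "remove company" operation, with the fragile ordering beside a version that probes for the needed rights first and deletes the database before the entry that points to it. The `DatabaseFiles` class, the company name and the file name are all made up for the illustration.

```python
"""Constructed model of the 'remove company' bug: an unprivileged caller
loses the registry entry but cannot delete the database file, leaving an
inconsistent state. The hardened variant checks rights up front and orders
the steps so a failure leaves the original state intact."""


class DatabaseFiles:
    """Stand-in for the database folder; deleting a file needs admin rights."""

    def __init__(self, files, is_admin):
        self.files = set(files)
        self.is_admin = is_admin

    def can_unlink(self, path):
        return self.is_admin and path in self.files

    def unlink(self, path):
        if not self.is_admin:
            raise PermissionError(f"{path}: access denied")
        self.files.remove(path)


def remove_company_fragile(registry, files, name):
    """Mirrors the described bug: the registry entry goes first, then the
    database file. If the unlink fails, the entry is already gone."""
    db_path = registry.pop(name)   # step 1: forget the company
    files.unlink(db_path)          # step 2: may raise -> inconsistent state


def remove_company_safe(registry, files, name):
    """Probe rights before touching anything and say what is needed; then
    delete the database before the entry that points to it."""
    db_path = registry[name]
    if not files.can_unlink(db_path):
        raise PermissionError(f"Removing '{name}' needs administrator rights "
                              f"to delete {db_path}; nothing was changed.")
    files.unlink(db_path)
    del registry[name]


def run_both(is_admin):
    """Run both variants with the given rights; return (failed, consistent)
    per variant, where consistent means entry and file exist together."""
    results = {}
    for fn in (remove_company_fragile, remove_company_safe):
        registry = {"acme": "acme.db"}            # constructed sample data
        files = DatabaseFiles(["acme.db"], is_admin)
        try:
            fn(registry, files, "acme")
            failed = False
        except PermissionError:
            failed = True
        consistent = ("acme" in registry) == ("acme.db" in files.files)
        results[fn.__name__] = (failed, consistent)
    return results
```

Run as a non-admin, the fragile variant fails and leaves the state inconsistent, while the safe variant fails with an intelligible message and changes nothing.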

Why is that? Why don’t regular users in general run under non-admin accounts on Windows? Why don’t developers? Why don’t I? After asking myself that question, I removed my own account from the group of administrators on my XP and got going. And got errors from right, left and center. Smoke coming out of my ears. Headaches. Rage attacks. Just before I actually killed someone, I added myself back into the local admin group and took a deep breath.

The problems you run into are all caused by the logon model. If you log on as a non-admin and you don’t have sufficient privileges to perform the operations a certain application needs to perform, you have to back out again and log on under another account, or at least start that application under another account (using RunAs). Now, most applications that let you get into this situation aren’t able to “back out” with anything that can be described as “grace”. They usually crash, taking a lot of cherished data with them. They’re definitely not being nice about it.

So, what does the iBook have to do with all this? Well, this never happened to me on the iBook. Why? Because Mac OSX developers are so much smarter? Yes, probably, but that’s not the whole truth. The truth is that if an application exceeds the rights it has under OSX, the system pops up a dialog that allows the user to log on using an administrator account and then proceed. Now, that is a concept Microsoft really should contemplate.

For some reason, nothing seems to be done by Microsoft to implement something similar under Windows, and it can’t be because they haven’t noticed that Apple has this feature. (And, by the way, so do most Unix systems in one way or another.) No, they keep trying to train people to use RunAs and other tools to launch programs under different logon accounts instead of allowing you to add credentials to a running process, if needed. Why? I don’t know.

There are a number of tools to make it easier to run as non-admin, but none of these tools actually make it usable for the two groups that need it most: the totally clueless and the developer. The totally clueless can’t handle these tools and the developer needs more. There’s a middle group of power users that may benefit (I don’t know, I haven’t met any of them).

The result of all this is that the great majority of Windows users keep running their systems as administrators and there’s no reasonable way to expect them to do otherwise. This results in a huge army of very vulnerable systems. Anything a user drags into the system from the internet can install itself with impunity, resulting in the great botnets we see today.

To me, there is nothing more urgent than that Microsoft fixes this logon session model. It’s not enough to make it easier to use RunAs or other special logon tricks. They really must find a way of emulating what Mac OSX can do and let the user add privileges to a running app if it needs them. Only then can we expect users to let go of default admin accounts, and only then can we expect developers to do a decent job of writing applications that play nice under non-admin accounts.

So, Microsoft, what now?