Windows Admin Rights for Software Engineer
-
In order to get VS2003 to run under Win7 and above, I have the following properties set on its shortcut: 1. Run this program in compatibility mode for Windows Vista (service pack 1) 2. Disable visual themes 3. Disable desktop composition 4. Run this program as administrator IIRC, items #1 and #4 are required for VS2003 to find registry settings and its own files properly. Believe it or not, items #2 and #3 correct a fault in the "find in files" operation that locks up without these checked. Even with these set, there's a bug in the debugger (oh the irony) that fails to close a handle to the solution's .PDB file. After you've run your app under the debugger once, you have to exit VS2003 and restart in order to recompile your solution.
Software Zen:
delete this;huh. I don't have any of those set and it works for me. Is it just the C++ mode that's screwed up; the project I run in it is 99% .net/winforms. (There's a little C++ for a 3rd party UI component, but I never touch any of it.)
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
-
huh. I don't have any of those set and it works for me. Is it just the C++ mode that's screwed up; the project I run in it is 99% .net/winforms. (There's a little C++ for a 3rd party UI component, but I never touch any of it.)
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
Yeah, these are all C++/MFC projects and settings. That's probably why there are differences. I don't think the C++ compiler and linker are too affected by admin rights, although I can see where COM stuff might have issues with type library registration and accesses that required admin rights. I do know that native-mode debugging uses CPU debugging features (breakpoint/watchpoint registers and so on) that may not be used by .NET. We have a substantial body of C++ utility code that got its start as long ago as 2000 (written using VC6), and then has been ported through VS2003, VS2008, and now VS2015. The biggest changes between each step have been correcting for new compiler diagnostics and replacing deprecated library function calls.
Software Zen:
delete this; -
How many of you software engineers out there are not allowed to have local admin rights on your Windows development system? Our IT guy here has it so nobody has local admin rights. If we need admin rights, we have a separate user account that does not have access to the internet or the company network. This is annoying beyond belief. Anytime I want to peek at the device manager I get that annoying windows dialog that says I can't make changes but I can look. [ Can I get that to go away? ] And of course if I want to make changes, I have to log in with admin account via the UAC window. Imagine how convenient that is when debugging a driver or a driver-related problem? That is not the only problem... If I am working on an installer on another day.. I have to go through that each time I run/test/debug the installer. This has been the policy around here for a few years. I have managed to avoid it because my last PC was installed/set up before the policy. Now that PC is about dead and they gave me a new one today and now it feels like they are making me work with my hands tied together. To them, I think they can't understand why the big deal. To me.. it is a flow disrupter. I feel like I am just going to have to stop trying so hard to be fast. But it is more than speed. It is concentration. I can see them rolling their eyes.. but this is real! The reason cited for this is that all kinds of nasties can come in through email or websites. We've got web blockers for the web and spam blockers for the email and on-access virus scanning... So I ask you: How does it go where you work? Do you have admin rights on your PC? I can't believe that this is the only way to solve the "security threat". What policies/etc are in place where you work? -Suzanne
Suzanne, It will be different for different companies. I have been on both sides. My philosophy is that we pay too much for the developers time to waste it. At one company, they would make you sign a letter saying if a threat came through your computer, then you absorb the financial responsibility. I was there when that employee had to pay to have their computer cleaned. Luckily nothing was stolen or spread across the network. Finally, I would consider setting up a VM you develop on, and letting it have admin rights, but limiting its network ability. Especially when working on drivers, etc. BTW, this is what we do now. All development is done inside of VMs we control the inside of. The companies control what the VM can do. It makes it easier to use outside consultants as well. Very little setup time.
-
Yeah, these are all C++/MFC projects and settings. That's probably why there are differences. I don't think the C++ compiler and linker are too affected by admin rights, although I can see where COM stuff might have issues with type library registration and accesses that required admin rights. I do know that native-mode debugging uses CPU debugging features (breakpoint/watchpoint registers and so on) that may not be used by .NET. We have a substantial body of C++ utility code that got its start as long ago as 2000 (written using VC6), and then has been ported through VS2003, VS2008, and now VS2015. The biggest changes between each step have been correcting for new compiler diagnostics and replacing deprecated library function calls.
Software Zen:
delete this;Gary Wheeler wrote:
I don't think the C++ compiler and linker are too affected by admin rights, although I can see where COM stuff might have issues with type library registration and accesses that required admin rights. I do know that native-mode debugging uses CPU debugging features (breakpoint/watchpoint registers and so on) that may not be used by .NET.
I think that's probably it. I know from a hostile user standpoint, full native debug rights are equivalent to full local admin rights because you're able to attach a debugger to OS processes and manipulate them to escalate your accounts rights. (OTOH in the real world there's a still a real difference in that only having native debugger rights requires subterfuge and advanced knowledge to affect system level settings instead of accidental oops anyone could do.) Managed debug rights just give you the ability to talk to the .net debugger but don't help with hacking the system.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason? Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful? --Zachris Topelius Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies. -- Sarah Hoyt
-
How many of you software engineers out there are not allowed to have local admin rights on your Windows development system? Our IT guy here has it so nobody has local admin rights. If we need admin rights, we have a separate user account that does not have access to the internet or the company network. This is annoying beyond belief. Anytime I want to peek at the device manager I get that annoying windows dialog that says I can't make changes but I can look. [ Can I get that to go away? ] And of course if I want to make changes, I have to log in with admin account via the UAC window. Imagine how convenient that is when debugging a driver or a driver-related problem? That is not the only problem... If I am working on an installer on another day.. I have to go through that each time I run/test/debug the installer. This has been the policy around here for a few years. I have managed to avoid it because my last PC was installed/set up before the policy. Now that PC is about dead and they gave me a new one today and now it feels like they are making me work with my hands tied together. To them, I think they can't understand why the big deal. To me.. it is a flow disrupter. I feel like I am just going to have to stop trying so hard to be fast. But it is more than speed. It is concentration. I can see them rolling their eyes.. but this is real! The reason cited for this is that all kinds of nasties can come in through email or websites. We've got web blockers for the web and spam blockers for the email and on-access virus scanning... So I ask you: How does it go where you work? Do you have admin rights on your PC? I can't believe that this is the only way to solve the "security threat". What policies/etc are in place where you work? -Suzanne
-
How many of you software engineers out there are not allowed to have local admin rights on your Windows development system? Our IT guy here has it so nobody has local admin rights. If we need admin rights, we have a separate user account that does not have access to the internet or the company network. This is annoying beyond belief. Anytime I want to peek at the device manager I get that annoying windows dialog that says I can't make changes but I can look. [ Can I get that to go away? ] And of course if I want to make changes, I have to log in with admin account via the UAC window. Imagine how convenient that is when debugging a driver or a driver-related problem? That is not the only problem... If I am working on an installer on another day.. I have to go through that each time I run/test/debug the installer. This has been the policy around here for a few years. I have managed to avoid it because my last PC was installed/set up before the policy. Now that PC is about dead and they gave me a new one today and now it feels like they are making me work with my hands tied together. To them, I think they can't understand why the big deal. To me.. it is a flow disrupter. I feel like I am just going to have to stop trying so hard to be fast. But it is more than speed. It is concentration. I can see them rolling their eyes.. but this is real! The reason cited for this is that all kinds of nasties can come in through email or websites. We've got web blockers for the web and spam blockers for the email and on-access virus scanning... So I ask you: How does it go where you work? Do you have admin rights on your PC? I can't believe that this is the only way to solve the "security threat". What policies/etc are in place where you work? -Suzanne
I primarily write Windows Services, so admin rights are a necessity. That said, I am rarely in the office, and usually work from home (I go into the office perhaps 5-7 days a year), so I have my own development machines, my own testing servers, Hyper-V servers for virtual clients, etc... My home-office dev machines are MUCH more capable and better maintained than our office desktops. :) Working as a developer, I can't imagine not having local admin permissions.
-
How many of you software engineers out there are not allowed to have local admin rights on your Windows development system? Our IT guy here has it so nobody has local admin rights. If we need admin rights, we have a separate user account that does not have access to the internet or the company network. This is annoying beyond belief. Anytime I want to peek at the device manager I get that annoying windows dialog that says I can't make changes but I can look. [ Can I get that to go away? ] And of course if I want to make changes, I have to log in with admin account via the UAC window. Imagine how convenient that is when debugging a driver or a driver-related problem? That is not the only problem... If I am working on an installer on another day.. I have to go through that each time I run/test/debug the installer. This has been the policy around here for a few years. I have managed to avoid it because my last PC was installed/set up before the policy. Now that PC is about dead and they gave me a new one today and now it feels like they are making me work with my hands tied together. To them, I think they can't understand why the big deal. To me.. it is a flow disrupter. I feel like I am just going to have to stop trying so hard to be fast. But it is more than speed. It is concentration. I can see them rolling their eyes.. but this is real! The reason cited for this is that all kinds of nasties can come in through email or websites. We've got web blockers for the web and spam blockers for the email and on-access virus scanning... So I ask you: How does it go where you work? Do you have admin rights on your PC? I can't believe that this is the only way to solve the "security threat". What policies/etc are in place where you work? -Suzanne
I've been fighting this battle for many years, in many jobs. I am tired of it. I have gone through the machinations of "Proving" I need it, but really, it's just ridiculous. This is a timely topic for me, as my work has once again, decided to launch yet another Developers dont need admin" campaign. I am so tired of the battle, that I am willing to just sit and let the project timeline go bust, rather than make any huge effort to make them "come over and see". The Problem is usually rooted to a Developer, website, Architect, or Network Admin... who sells them the "bill of goods", which immediately casts suspcision "So they have been fooling us all this time?". Once that hook is set, the game is done, and it breaks the whole development group down. . Do I need admin "All the time"? no, don't be silly.. but when I do need it, I need it. You want to insert (x) hours for me to get it, thats gonna add up to significant time. Also - we have 120GB SSD's, that they load 100 GB of stuff on, leaving us barely enough space for VS. Then they issue us external drives to compensate, but we also have a "NO USB Drives allowed monitor", so we have to "request" permission to "Mount the drive". Where there's smoke, there's a Blue Screen of death.
-
I'm actually using my work laptop as personal laptop as well. Full rights, full access :D I'm glad my company has that kind of trust in its developers :)
Visit my blog at Sander's bits - Writing the code you need. Or read my articles at my CodeProject profile.
Simplicity is prerequisite for reliability. — Edsger W. Dijkstra
Regards, Sander
Sander Rossel wrote:
I'm actually using my work laptop as personal laptop
Danger, Will Robinson! *flails arms*
-
How many of you software engineers out there are not allowed to have local admin rights on your Windows development system? Our IT guy here has it so nobody has local admin rights. If we need admin rights, we have a separate user account that does not have access to the internet or the company network. This is annoying beyond belief. Anytime I want to peek at the device manager I get that annoying windows dialog that says I can't make changes but I can look. [ Can I get that to go away? ] And of course if I want to make changes, I have to log in with admin account via the UAC window. Imagine how convenient that is when debugging a driver or a driver-related problem? That is not the only problem... If I am working on an installer on another day.. I have to go through that each time I run/test/debug the installer. This has been the policy around here for a few years. I have managed to avoid it because my last PC was installed/set up before the policy. Now that PC is about dead and they gave me a new one today and now it feels like they are making me work with my hands tied together. To them, I think they can't understand why the big deal. To me.. it is a flow disrupter. I feel like I am just going to have to stop trying so hard to be fast. But it is more than speed. It is concentration. I can see them rolling their eyes.. but this is real! The reason cited for this is that all kinds of nasties can come in through email or websites. We've got web blockers for the web and spam blockers for the email and on-access virus scanning... So I ask you: How does it go where you work? Do you have admin rights on your PC? I can't believe that this is the only way to solve the "security threat". What policies/etc are in place where you work? -Suzanne
Wow, that sounds like a great way to secure the box, but I do agree with you that software developers generally need more free access to their box to get their jobs done efficiently. Since you can't change IT, to make the pain on you less, you can probably use the scheduled tasks feature to make a way to launch the device manager as that privileged user without having to go through the UAC annoyance (nor the trouble of entering the account's password). See here[^] (it also works on Win8). You can pin that task to your start menu so its convenient. That's what I've done for the occasional times I need to run VS as admin. Think of it as a poor man's low security sudo for Window.
We can program with only 1's, but if all you've got are zeros, you've got nothing.
-
How many of you software engineers out there are not allowed to have local admin rights on your Windows development system? Our IT guy here has it so nobody has local admin rights. If we need admin rights, we have a separate user account that does not have access to the internet or the company network. This is annoying beyond belief. Anytime I want to peek at the device manager I get that annoying windows dialog that says I can't make changes but I can look. [ Can I get that to go away? ] And of course if I want to make changes, I have to log in with admin account via the UAC window. Imagine how convenient that is when debugging a driver or a driver-related problem? That is not the only problem... If I am working on an installer on another day.. I have to go through that each time I run/test/debug the installer. This has been the policy around here for a few years. I have managed to avoid it because my last PC was installed/set up before the policy. Now that PC is about dead and they gave me a new one today and now it feels like they are making me work with my hands tied together. To them, I think they can't understand why the big deal. To me.. it is a flow disrupter. I feel like I am just going to have to stop trying so hard to be fast. But it is more than speed. It is concentration. I can see them rolling their eyes.. but this is real! The reason cited for this is that all kinds of nasties can come in through email or websites. We've got web blockers for the web and spam blockers for the email and on-access virus scanning... So I ask you: How does it go where you work? Do you have admin rights on your PC? I can't believe that this is the only way to solve the "security threat". What policies/etc are in place where you work? -Suzanne
stgagnon wrote:
Imagine how convenient that is when debugging a driver or a driver-related problem?
You work on driver related issues most of the time? If yes then this would be a problem and it should be addressed at the management level.
stgagnon wrote:
I can't believe that this is the only way to solve the "security threat"
It isn't. A competent proactive IT department can sequester different departments and individuals to provide more secure zones. And at least for what I work on, neither me nor any other developer 'works' on the production network. Annoying for the individual developers when something infects the developer network but it has absolutely no impact on the production systems.
-
How many of you software engineers out there are not allowed to have local admin rights on your Windows development system? Our IT guy here has it so nobody has local admin rights. If we need admin rights, we have a separate user account that does not have access to the internet or the company network. This is annoying beyond belief. Anytime I want to peek at the device manager I get that annoying windows dialog that says I can't make changes but I can look. [ Can I get that to go away? ] And of course if I want to make changes, I have to log in with admin account via the UAC window. Imagine how convenient that is when debugging a driver or a driver-related problem? That is not the only problem... If I am working on an installer on another day.. I have to go through that each time I run/test/debug the installer. This has been the policy around here for a few years. I have managed to avoid it because my last PC was installed/set up before the policy. Now that PC is about dead and they gave me a new one today and now it feels like they are making me work with my hands tied together. To them, I think they can't understand why the big deal. To me.. it is a flow disrupter. I feel like I am just going to have to stop trying so hard to be fast. But it is more than speed. It is concentration. I can see them rolling their eyes.. but this is real! The reason cited for this is that all kinds of nasties can come in through email or websites. We've got web blockers for the web and spam blockers for the email and on-access virus scanning... So I ask you: How does it go where you work? Do you have admin rights on your PC? I can't believe that this is the only way to solve the "security threat". What policies/etc are in place where you work? -Suzanne
My development computer has Windows Server on it, so that I can fully test things before moving to the production server. I do web development using IIS, and that requires Visual Studio be in Administrator mode when I open it. The computer is an extra computer that I asked for, and I installed Windows Server on it myself, using a copy that I downloaded from my MSDN account. I do not use it for email, although I do use it to browse development sites for code samples. At first, it wasn't even connected to the office domain. Actually, we don't have a separate admin for our production web server. My boss and I are the admins as well as the developers. It is one of the pleasures of working in a small office.
