So you’ve finally decided to do it – you’re going to break the addiction, join AA (Administrators Anonymous), and stop developing as a local administrator. I applaud you. I’ve been successfully developing software as a non-administrator for a number of months and I feel great. Here are a few tips and tricks for being a successful Visual Studio developer without requiring admin privileges on your local box.
First, I’m not going to re-hash some great articles that are must-reads. So go read Keith Brown’s “How to develop code as a non-admin” and Lars Bergstrom’s “Developing Software in Visual Studio .NET with Non-Administrative Privileges”.
Now for the step-by-step guide to setting yourself up to develop as a non-admin:
- Make sure you know your COMPUTERNAME\Administrator password. If you don’t, change it to something you do know.
- Add yourself to Users (not Power Users, since Power Users have most of the rights of an admin), Debugger Users, VS Developers, Network Configuration Operators (optional), and Remote Desktop Users (optional).
- Set the local security policy to assign ownership to Administrators rather than to the user if the user is a member of the Administrators group. Launch Administrative Tools… Local Security Policy… In the Local Security Settings MMC, browse to Security Settings… Local Policies… Security Options… System objects: Default owner for objects created by members of the Administrators group. Set this to “Administrators group”.
- Grant modify rights to your user on C:\Documents and Settings\All Users\Application Data\microsoft\Crypto\RSA\MachineKeys. If you do not do this, you will not be able to compile signed assemblies in Visual Studio .NET. (That is, if you are signing your assemblies via assembly:AssemblyKeyFile and/or assembly:AssemblyKeyName in AssemblyInfo.cs or AssemblyInfo.vb, your compile will fail without the proper ACL on the MachineKeys subdirectory.)
- Install PrivBar.dll from here.
- Install MakeMeAdmin.cmd and MakeMePU.cmd from here. Also read Aaron’s follow-up.
- Remove yourself from the COMPUTERNAME\Administrators group.
- Log off and log back in again. You’re now running (and developing) as a non-administrator. Congrats!
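A check to run after the last step, from the account you just logged back in with: it confirms that the group changes and the MachineKeys ACL from the list took effect. This is an added example, not part of the original post; it assumes PowerShell is installed and an English-language Windows (group names), and the function name Test-NonAdminSetup is made up for illustration.

```powershell
# Added example (not from the original post): verify the non-admin setup.
$keys = 'C:\Documents and Settings\All Users\Application Data\microsoft\Crypto\RSA\MachineKeys'

function Test-NonAdminSetup([string]$KeyDir) {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $problems = @()

    # The logon token must no longer carry the Administrators group.
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $problems += 'still a member of Administrators (did you log off and back in?)'
    }
    # Power Users is the group the list says to stay out of.
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::PowerUser)) {
        $problems += 'member of Power Users'
    }
    # Required groups from the list. IsInRole returns $false for a group that
    # does not exist, e.g. when Visual Studio is not installed.
    foreach ($g in 'Users', 'Debugger Users', 'VS Developers') {
        if (-not $principal.IsInRole($g)) { $problems += "not a member of '$g'" }
    }

    # MachineKeys: look for an Allow rule that grants Modify to this user or to
    # one of the groups in the token. Simplification: Deny rules are not evaluated.
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $rules = (Get-Acl $KeyDir).GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
    $modify = [Security.AccessControl.FileSystemRights]::Modify
    $granted = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $sids -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $modify) -eq $modify
    }
    if (-not $granted) { $problems += "no Modify right on $KeyDir" }
    return $problems
}

$result = Test-NonAdminSetup $keys
if ($result) { $result | ForEach-Object { Write-Host "FAIL: $_" }; exit 1 }
Write-Host 'OK: running as a non-administrator with the rights the list sets up.'
```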
Here’s how to accomplish a number of common tasks as a non-admin:
- To run a single program from Windows Explorer as the COMPUTERNAME\Administrator, use Shift-Right-click “Run as…”
- To run a single program from the command line as the COMPUTERNAME\Administrator, use runas.exe.
- To use the administrative MMC consoles, launch from Administrative Tools using Shift-Right-click “Run as…”
- To set ACLs, change link properties, and other file system properties, run MakeMeAdmin.cmd, launch “c:\Program Files\Internet Explorer\iexplore.exe”, and type “c:\” into the address bar. Internet Explorer will work almost identically to Windows Explorer for modifying local file system properties. The only hiccup that I’ve discovered is that folders don’t automatically refresh themselves if you add/delete/modify files and folders.
- If you need to debug a program that opens ports or performs other administrator-only operations, run MakeMeAdmin.cmd and launch “c:\program files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe”. Be careful, as Visual Studio and any programs that it launches are now running as a local admin.