Security

Journal: Not root... Day 0

Come on, all the cool nerds are doing it. It's easy:
  1. Right click My Computer, select Manage
  2. Navigate: System Tools, Local Users and Groups, Users
  3. Double click your username
  4. Click Member of and delete Administrators and/or Power Users
  5. If it isn't already there add the group "Users"

Kinda gives you a warm fuzzy feeling. Might as well reboot now, just to make sure your status is updated.
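An added example, not part of the original journal entry: a PowerShell check that the logon token no longer carries Administrators or Power Users once the steps above have taken effect. It assumes PowerShell 2.0 or later is installed (it is not part of a stock XP install), and the function name Get-TokenGroupReport is hypothetical.

```powershell
# Added example (not from the original post). Needs PowerShell 2.0 or later.
# Well-known SIDs of the built-in local groups; identical on every install
# and independent of the display language.
$Watched = @(
    @{ Name = 'Administrators'; Sid = 'S-1-5-32-544'; Privileged = $true  },
    @{ Name = 'Power Users';    Sid = 'S-1-5-32-547'; Privileged = $true  },
    @{ Name = 'Users';          Sid = 'S-1-5-32-545'; Privileged = $false }
)

# Get-TokenGroupReport is a hypothetical helper name chosen for this example.
function Get-TokenGroupReport {
    param(
        [Security.Principal.WindowsIdentity]
        $Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    )
    # Group SIDs carried by this logon session's access token.
    $tokenSids = @($Identity.Groups | ForEach-Object { $_.Value })
    foreach ($g in $Watched) {
        New-Object PSObject -Property @{
            Group      = $g.Name
            Sid        = $g.Sid
            Privileged = $g.Privileged
            InToken    = ($tokenSids -contains $g.Sid)
        }
    }
}

$report = @(Get-TokenGroupReport)
$report | Format-Table Group, Sid, InToken -AutoSize

$stillPrivileged = @($report | Where-Object { $_.Privileged -and $_.InToken })
$inUsers = @($report | Where-Object { $_.Group -eq 'Users' -and $_.InToken })

if ($stillPrivileged.Count -gt 0) {
    $names = ($stillPrivileged | ForEach-Object { $_.Group }) -join ', '
    Write-Warning "Token still carries: $names. Log off and on, then re-check."
    exit 1
}
if ($inUsers.Count -eq 0) {
    Write-Warning "Token lacks the Users group (step 5 above)."
    exit 1
}
Write-Host "OK: running as a plain member of Users."
```

Started from a shell opened with Run As, the same script reports the admin account's token instead, which is the expected result there.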

Today's Problems
Oh fark, I forgot the password to the only remaining root account! Google for 'lost XP administrator password'. Lots of bootable Linux floppies exist which can reset the password. Lesson learned: (1) Users make mistakes. (2) There is no security without physical security.

The Member Of tab cannot be viewed if the Server service is not running. wtf? Starting that or any service requires root access.

The network monitoring tool for my Sagem USB adsl modem requires root access.

Moving my USB modem to a different USB port causes the hardware wizard to run. That's silly. Hardware wizard requires root, as it should.

Most of the C: drive and parts of the registry can't be written to by the Users group, which is good. So installing a new app requires root. For some apps, that means the shortcuts don't appear in my start menu or desktop.

Yes, there are some problems already but nothing too serious. And there are some easy workarounds.

Tips
"su root": When you do need root, XP can give it to you. Simply right-click the application and choose Run As. Type your admin passwd and you are golden. Important Note: When app A launches app B, app B will run in the security context of app A. So, be careful what you do after using Run As.

"sticky bit": Certain applications always require root, so WinXP allows you to always use Run As. Create a shortcut to the app, and select properties. Click Advanced and then 'Run with different credentials'. This is a big timesaver. Note: some existing shortcuts (like admin tools) require root access to be modified. See Root FS below.

Debugging Users: I put myself in this group so I can use Visual Studio. I need to research the implications of this. Maybe I will use Run As for Visual Studio.

Root FS: There can be only one Windows Explorer. So Run As doesn't work to view the filesystem. But you can use the IE trick:

  1. Make a shortcut to Internet Explorer and set the sticky bit.
  2. Rename the file to Root Explorer and set a good icon (I like the folder with the red star on it)
  3. Launch the shortcut as root
  4. Set the homepage to "file:///c:\"
  5. Use IE toolbar wallpaper to make it obvious which IE is running as root.

Using IE in this way easily gives you root access to the filesystem, control panel, and another way to launch any application as root. The wallpaper helps prevent mistakes.

Security

Journal: Who needs root?

It is well known that regularly running as root (Administrator) is a bad idea(tm). Even experienced users can make mistakes. The root account bypasses almost all security, thus the computer cannot defend itself from PEBKAC. Despite this common knowledge, Windows still puts user accounts in the admin group by default.

Microsoft plans to fix this problem in future releases and make it easier for ISVs to follow the Rule of Least Privilege. But why wait?

My happy days of using DEC Unix are long gone and I currently use Win XP Pro at work and at home. I've been lazy and have run as root ever since switching to NT4. That sloth stops now! I am kicking myself out of the admin group and plan to blog any problems or tips I find. I hope you will do the same. Feel free to reply with thoughts of your own.
